PHP developers everywhere can rejoice as GitHub adds the long-awaited dependency graphs feature for PHP repositories that use Composer. The feature provides security alerts, shows dependency insights, and displays the dependents of a given repository. If enabled, it can also automatically send security fixes to the repository via pull requests.
GitHub initially added support for JavaScript and Ruby when rolling out dependency graphs in 2017. They added support for Yarn lock files in July of this year. This has been a boon to the JavaScript community as it alerts developers of vulnerabilities in code they’re using and shipping to users.
“We’re also seeing PHP and Composer grow in popularity–PHP is the fourth most popular language on GitHub and Composer is the fourth most starred PHP project,” wrote Justin Hutchings, Senior Product Manager at GitHub. The company has taken notice of the trends. JavaScript is a hot topic in many developer circles today, but PHP frameworks such as Laravel and Symfony continue growing in popularity and dominate among popular PHP repositories.
Composer is the de facto standard for PHP dependency management. Core WordPress first added Composer support for development environments in version 5.1. While it’s not a part of the release package, this was some small victory after a years-long discussion of adding a basic composer.json file to core. Core hasn’t fully embraced Composer or any type of PHP dependency management, but plugin and theme authors are using it more than a few short years ago. The new alerts and automatic pull requests will offer one more avenue for catching security issues with plugins and themes.
GitHub seems to be rolling this feature out in waves. After checking some repositories with dependency graphs enabled, some still do not have their PHP dependencies listed. It may take some time, but developers should start seeing dependencies appear that are listed in their composer.json or composer.lock files.
Public repositories should begin seeing automatic security alerts when an issue is found. GitHub will start notifying repository owners of these alerts via web notifications or email, depending on what the account holder has set as their preference. Developers with private repos or who have disabled dependency graphs will need to enable them to take advantage of the new feature.
Security alerts on old repositories could become an annoyance. GitHub recommends archiving those repos. “Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts,” explained Hutchings.
Developers who have opted into GitHub’s automatic security fixes beta feature can now enjoy automatic pull requests (PRs) from GitHub when vulnerabilities are found. GitHub creates a PR with the minimum possible secure version. The developer can then merge the PR at their discretion.
Dependency graphs also make for a much nicer experience when browsing a repository’s dependencies. Previously, developers would need to dive into a project’s composer.json or view them from Packagist, the official package directory for Composer. Developers can now click on a link to view a dependent repository.
Rolling this feature out for PHP repos is a welcome addition and should help more projects keep their code secure.
With every new GitHub feature, there is less reason to maintain code over at WordPress.org for plugin and theme authors. While there are plenty of political reasons (e.g. avoiding censorship and slander, and maintaining control of your own projects and users), these are much less significant than the growing technical reasons for WP developers to move their entire operation over to GitHub.
As WordPress continues to grow, the stark differences between Microsoft’s open source platform and the handful of SVN geeks and forum trolls lurking over at WP.org becomes more obvious… it is like watching MariaDB try to keep up with MySQL updates, and the writing has been on the wall for a while now.
The best hope for WordPress.org to retain any relevance in the future is really support forums for newbies, and that’s about it. Having literally 1-2 people in charge of monitoring code quality, security, and beyond for tens of thousands of WordPress plugins = a slow death…