<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>The benefits are huge, I can't imagine a PHP/JS project without using:</p>
<ul>
<li>composer [php]</li>
<li>yarn [js]</li>
<li>package</li>
</ul>
<p>Why?</p>
<ul>
<li>Achieving an order is the most important argument, each library is described [eg: version number] - currently, there are many duplicate libraries, eg jquery can be found in about 10 places in different versions, which means no one controls it.</li>
<li>Security [library analysis] - currently there are hundreds of free tools, such as:<br />
<ul>
<li><a href="https://david-dm.org/YetiForceCompany/YetiForceCRM" target="_blank" rel="noopener noreferrer">https://david-dm.org/YetiForceCompany/YetiForceCRM</a> - it checks 70 libraries in our project and verifies whether they are up-to-date and whether there is a known vulnerability, e.g. it informs us that a new full calendar version has been released and that the gridstack library is no longer supported by the producer in the version currently used by us.</li>
<li><a href="https://depfu.com/github/YetiForceCompany/YetiForceCRM" target="_blank" rel="noopener noreferrer">https://depfu.com/github/YetiForceCompany/YetiForceCRM</a> - checks 66 libraries [including many not supported by david-dm] and shows that we have to update 8 libraries.</li>
<li><a href="https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies" target="_blank" rel="noopener noreferrer">https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies</a> - the GitHub tool can be used as it provides the quickest information on vulnerabilities.</li>
</ul>
</li>
<li>Security [static code analysis] - we can not only verify our own code but also the related libraries code, there are plenty of free tools for open source projects.</li>
<li>Licensing - allows to generate license dependency reports for third-party libraries [it can be verified whether any library uses a license that is incompatible with ours], license scanners are free for open source projects.</li>
</ul>
<p>Most of the security errors related to code quality, duplicated code, malicious code, obsolete libraries are caused by the fact that the code was not organized using composer/yarn/package, which are the basis for most security tools. When you look only from your perspective [I have one module and I use 2 libraries], it makes no difference for you whether you use composer or not, but we currently use over 150 third party libraries, and it is impossible to manage them and take care of security without tools that verify it for us.</p>
<p>Organizing libraries is a very important and necessary step, but remember that it is probably the most difficult thing to do, because it took us three months to upgrade from Bootstrap 3 to Bootstrap 4 [while migrating some of the libraries used didn't work for version 4.4 and a very large part of the code had to be rewritten] and then for 9 months we had been stabilizing the application. The same applies to jQuery, which needs to be updated to the latest version and "force" the other 10 libraries to use one common library. These are such profound changes that if the producer does not perform them, you will irretrievably separate the on-demand version from the community. If the producer decides to update libraries, then it will take several months [just like with Vtiger 6]. If the producer updates only the on-demand version and doesn't update the community, then we can talk about abandoning the project just like SugarCRM did.</p>
<p>Vtiger will certainly do it. The only question is when - whether they will do it now when there is still time for it, or rather when it attracts media attention.</p>
<div>--<br />
<div class="pre global">
<div style="padding: 0px 5px;">
<div style="font-family: Tahoma, Geneva, sans-serif; font-size: 12.5px; color: #01374d; font-weight: 200;">Z poważaniem / Kind regards</div>
<div style="padding-top: 7px; font-family: Tahoma, Geneva, sans-serif; font-size: 21.67px; color: #01374d; font-weight: bold;">Błażej Pabiszczak</div>
<div style="padding-top: 4px; font-family: Tahoma, Geneva, sans-serif; font-size: 14.17px; color: #93cfd8; font-weight: bold;">CEO & Co-Founder at YetiForce</div>
<div style="padding-top: 8px; font-family: Tahoma, Geneva, sans-serif; font-size: 10px; color: #01374d; font-weight: 400;"><span style="margin-right: 6px;"><a style="color: #01374d; text-decoration: none;">+48 884 999 123</a></span> | <span style="margin-left: 6px;"> <a style="color: #01374d; text-decoration: none;">b.pabiszczak@yetiforce.com</a></span></div>
<div style="padding-top: 6px; padding-bottom: 11px;"> </div>
</div>
</div>
</div>
<p><br /></p>
<p>W dniu 2020-10-02 09:13, Martin Allen napisał(a):</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div dir="ltr">
<div class="gmail_default" style="font-family: verdana,sans-serif;">
<ul>
<li>Package dependencies are managed within composer itself e.g. Pear DB package is available in Composer (yes I know it's been superseded already by MDB2 but its an example) and is dependent on other Pear packages, except as developers we don't need to worry about those other dependencies as they are automatically handled.</li>
<li>Package updates can be handled very simply without the need to download the entire CRM again, so if a security issue is identified in for example Pear DB, in a couple of minutes it can be updated (in a non-breaking fashion because all packages adhere to semantic version numbering) - problem solved.</li>
<li>As Alan mentioned the autoload.php, which on a production environment is optimized for increased speed. </li>
<li>Using PSR-4 Namespaces and the autoload.php makes packages available application wide simply with the 'use' namespace syntax. (How many times have you gotten frustrated because include statements don't work as intended!)</li>
</ul>
<div>Yes there would be some complications around custom modules requiring other dependencies - I believe there are ways of calling composer to run composer commands as part of an installation script - this would need some further investigation though.</div>
<div> </div>
<div>One of the biggest questions that needs to be answered is the intended audience for vTiger CRM going forward. Is it going to be designed for simple one-click install applications that anyone can download, or is it intended for technical/developer types who know/understand how to manage Composer installs / updates? </div>
<div>It would be possible to use Composer as part of the development process and then include the /vendor contents and everything else required inside the single ZIP download still. This would allow those who do not understand / have access to Composer to get SOME of the benefits but for those that do have access/knowledge can get ALL the benefits ?</div>
</div>
<div>
<div class="gmail_signature" dir="ltr">
<div dir="ltr">
<div>
<div dir="ltr">
<p style="font-size: 12.8px; color: #500050;"><span style="color: navy; font-family: Verdana,sans-serif; font-size: 10pt;">Martin Allen</span></p>
<p style="font-size: 12.8px; color: #500050;"><strong style="font-size: 12.8px;"><span style="font-size: 10pt; font-family: Verdana,sans-serif; color: #333399;">01392 248692 - Main Office<br />01392 690659 - Direct Line</span></strong></p>
<p style="font-size: 12.8px; color: #500050;"><strong><span style="font-size: 10pt; font-family: Verdana,sans-serif; color: #333399;"><img alt="signature2" width="288" height="65" /></span></strong><span style="color: #1f497d;"></span></p>
<p style="font-size: 12.8px; color: #500050;"><span style="font-size: 10pt; font-family: Verdana,sans-serif; color: navy;">Have you visited our website recently? <a style="color: #1155cc;" href="http://www.clystnet.com/" target="_blank" rel="noopener noreferrer">http://www.clystnet.com</a></span><span style="color: #1f497d;"></span></p>
<p style="font-size: 12.8px; color: #500050;"><span style="font-size: 10pt; font-family: Verdana,sans-serif; color: navy;"><br /></span><span style="font-size: 10pt; font-family: Verdana,sans-serif; color: #999999;">The information in this email is confidential If you are not the intended recipient, you must not read or use that information. This email and any attachments are believed to be virus free however no responsibility is accepted by Clystnet for any loss or damage arising in any way from receipt or use thereof. Clystnet Ltd (company reg number 7164503) is based at Silverdown Park, Fair Oak Close, Clyst Honiton, EX5 2UX</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">On Thu, 1 Oct 2020 at 23:44, nilay khatri <<a href="mailto:nilay.spartan@gmail.com">nilay.spartan@gmail.com</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<div dir="ltr">What I feel is that we can really do better dependent library management using composer.
<div> </div>
<div>The autoloader could be included in the Vtiger's Loader file.</div>
<div> </div>
<div>The challenge would be if a custom module needs a library which is not included as default, so then how do we package the extension..</div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">On Fri, Oct 2, 2020 at 1:04 AM Alan Lord <<a href="mailto:alanslists@gmail.com">alanslists@gmail.com</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">For an old idiot like me, please could someone explain what the actual <br /> *benefits* of implementing composer in vtiger would be?<br /> <br /> I've made several modules for customers which require the weird <br /> namespace syntax and stuff and I have found that this is very trivial to <br /> support by creating an "AutoLoader" in my module and simply including <br /> it, e.g.<br /> <br /> > namespace PhpOffice;<br /> > <br /> > spl_autoload_register(function ($class) {<br /> > if (substr($class, 0, strlen(__NAMESPACE__)) != __NAMESPACE__) {<br /> > //Only autoload libraries from this package<br /> > return;<br /> > }<br /> > $path = substr(str_replace('\\', '/', $class), 9);<br /> > $path = 'modules/LSMyCustomModule/resources/PhpOffice' . $path . ".php";<br /> > if (file_exists($path)) {<br /> > require $path;<br /> > }<br /> > });<br /> <br /> Maybe I am missing some of the other benefits, but I would like to know <br /> what benefits this would bring and how it would make my life easier?<br /> <br /> TIA<br /> <br /> Al<br /> <br /> <br /> On 01/10/2020 19:35, Matteo Baranzoni wrote:<br /> > Hi, my friend Francesco open discussion here: <br /> > <a href="https://discussions.vtiger.com/discussion/192211/official-php-composer-for-vtiger/p1?new=1" target="_blank" rel="noopener noreferrer">https://discussions.vtiger.com/discussion/192211/official-php-composer-for-vtiger/p1?new=1</a><br /> > <br /> > And i just add it on hearken, i think that move php dependencies to <br /> > composer it was great improvement!<br /> > We can contribute in order to complete porting<br /> <br /> <br /> <br /> _______________________________________________<br /> <a href="http://www.vtiger.com/" target="_blank" rel="noopener noreferrer">http://www.vtiger.com/</a></blockquote>
</div>
_______________________________________________<br /> <a href="http://www.vtiger.com/" target="_blank" rel="noopener noreferrer">http://www.vtiger.com/</a></blockquote>
</div>
<br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">_______________________________________________<br /> <a href="http://www.vtiger.com/" target="_blank" rel="noopener noreferrer">http://www.vtiger.com/</a></div>
</blockquote>
</body></html>