feat: add composer events triggered after package installation #57278
Conversation
Allow packages to listen for their own installation event in Laravel and run initialization commands
|
Hi! With this, third-party packages can perform their setup tasks immediately after being installed, without requiring manual intervention. Everything has been tested and works as expected. For testing, I created a simple package that listens for these events and outputs a message to the console: I would be very glad if my contribution proves useful to the community. Thank you! Related commit: laravel/laravel#6685 |
|
Given the security mess in the NPM ecosystem, do we really want to go the direction to make it easier for packages to run arbitrary code? |
|
I agree that this problem exists. The only real difference is that with this commit, the package installs and the initialization code runs right away. Without it, the package installs, but you have to run the initialization command manually afterward. I think the chances are the same in both cases if we’re not confident in the package’s reliability. |
|
Being able to review the installed code before it is executed is an important, additional security layer. The manual step provides that. Perhaps making the behaviour strictly opt-in, hence not the skeleton default, is a good middle ground? I believe it would add value if people would need to consciously opt-in after reading docs on it that mention the risks that come with it. |
|
Thanks for your pull request to Laravel! Unfortunately, I'm going to delay merging this code for now. To preserve our ability to adequately maintain the framework, we need to be very careful regarding the amount of code we include. If applicable, please consider releasing your code as a package so that the community can still take advantage of your contributions! |
Allow packages to listen for their own installation event in Laravel and run initialization commands