Skip to content

Debug audit check actual installed packages#15

Merged
dgtlss merged 4 commits into
dgtlss:mainfrom
MarkLanser:feature/debug-audit-check-actual-installed-packages
Dec 24, 2025
Merged

Debug audit check actual installed packages#15
dgtlss merged 4 commits into
dgtlss:mainfrom
MarkLanser:feature/debug-audit-check-actual-installed-packages

Conversation

@MarkLanser

@MarkLanser MarkLanser commented Dec 24, 2025

Copy link
Copy Markdown
Contributor

Needs #14 merged first, ignore first commit

First off, many thanks for this package. We recently implemented it and it has benefitted us already.

Problem definition

We use scheduled audits on production for many of our apps. We composer install with the --no-dev option, so that no dev packages make it to the production environment. However, we kept getting the following message:

High - Development package detected in production
Package: beyondcode/laravel-dump-server
Source: debug-mode

We use this package as a dev-dependency. Since we are using --no-dev on production, it is not present in the installed packages there. So we should not be getting this error.

Currently, the code looks at the composer.json, in both the require and require-dev sections.

Proposed solution

Check the actually installed packages using the composer installed manifest. This eliminates the problem altogether.

Notes

This does not include support for Composer v1, which has a different installed.json format. But since this version is no longer maintained or encouraged, this should not be a problem.

I tried to be as uniform as possible with the code style.

I tested this locally in another project, as i could not get the tests to run out of the box.

Happy holidays!

Greptile Summary

This PR fixes false positive warnings for dev packages in production by checking actually installed packages from vendor/composer/installed.json instead of composer.json declarations. This correctly handles composer install --no-dev scenarios where dev dependencies are excluded.

Key Changes:

  • Added .idea to .gitignore for IntelliJ IDE support
  • Replaced composer.json parsing with vendor/composer/installed.json parsing to check actual installed packages
  • Added getInstalledPackages() and getInstalledPackagesNames() helper methods
  • Uses Composer v2 format (packages array structure)

Issues Found:

  • Missing JSON decode error handling could cause runtime errors if installed.json is corrupted
  • Outdated comment on line 35 still references composer.json instead of installed.json

Confidence Score: 3/5

  • Safe to merge after fixing the JSON decode error handling
  • The core logic improvement is sound and solves a real problem. However, the missing JSON error handling on line 121-122 could cause runtime failures if installed.json is corrupted. Similar services in the codebase (ComposerAuditService, NpmAuditService) properly validate json_decode results. The outdated comment is a minor documentation issue.
  • Pay close attention to src/Services/Audits/DebugModeAuditService.php lines 121-122 for the JSON decode error handling

Important Files Changed

Filename Overview
src/Services/Audits/DebugModeAuditService.php Changed to check actual installed packages from vendor/composer/installed.json instead of composer.json, fixing false positives for --no-dev installs. Has outdated comment and missing JSON error handling.

Sequence Diagram

sequenceDiagram
    participant Audit as DebugModeAuditService
    participant FS as File System
    participant Composer as vendor/composer/installed.json
    
    Audit->>FS: Check if production environment
    alt Is Production
        Audit->>FS: Read composer.json
        FS-->>Audit: Return composer.json contents
        Audit->>Composer: Read installed.json
        Composer-->>Audit: Return installed packages
        Audit->>Audit: Extract package names from packages array
        loop For each dev package
            Audit->>Audit: Check if in installed packages
            alt Dev package found
                Audit->>Audit: Add finding (High severity)
            end
        end
        Audit->>Audit: Check Telescope/Horizon/Routes
    end
    Audit-->>Audit: Return audit results
Loading

@MarkLanser MarkLanser changed the title Feature/debug audit check actual installed packages Debug audit check actual installed packages Dec 24, 2025
@dgtlss

dgtlss commented Dec 24, 2025

Copy link
Copy Markdown
Owner

@greptile 👀

@dgtlss
dgtlss self-requested a review December 24, 2025 10:05

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Comments (2)

  1. src/Services/Audits/DebugModeAuditService.php, line 35 (link)

    syntax: Comment outdated - now checks vendor/composer/installed.json, not composer.json

  2. src/Services/Audits/DebugModeAuditService.php, line 121-122 (link)

    logic: Missing JSON decode error handling - if installed.json is corrupted, json_decode returns null and array_column on line 109 will fail

2 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

@dgtlss

dgtlss commented Dec 24, 2025

Copy link
Copy Markdown
Owner

Thankyou for the PR @MarkLanser, it's a great addition to the package! I will get a release drafted up today to ship this out 🎉 Have a great christmas and a happy new year! 🎅

@dgtlss
dgtlss merged commit 537523d into dgtlss:main Dec 24, 2025
1 check passed
@MarkLanser

Copy link
Copy Markdown
Contributor Author

Thankyou for the PR @MarkLanser, it's a great addition to the package! I will get a release drafted up today to ship this out 🎉 Have a great christmas and a happy new year! 🎅

Fantastic. Thanks for the quick reply! Happy new year 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants