Jaco Kroon posted on Wed, 11 Sep 2024 09:33:10 +0200 as excerpted:
> I missed this announcement, looking specifically for composer again.
>
> If I make the effort of bumping to newest version, is this something
> that would be re-added to the tree?
>
> I note there were active security vulnerabilities under very specific
> conditions (composer.phar is exposed via http).
>
> Or should I rather just deploy this into a local overlay?

[Tree or local overlay?]

You seem to have missed the obvious middle option, deploying to a public overlay.

If there's many related packages (another reply mentioned a bunch of deps; not being a PHP person I wouldn't know...) that might most appropriately be a dedicated overlay. For single packages, particularly if there's likely to be others interested, the guru overlay seems to be quite popular as a middle ground, allowing multiple people to help without the full bureaucracy of the main tree.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman