public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Docs fixes 

Co-Authored-By: Nils Adermann <naderman@naderman.de>
pull/8755/head
Jordi Boggiano 2020-04-09 14:01:05 +02:00 committed by GitHub
parent b6bad4eef6
commit 059c009179
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/05-repositories.md
View File

@ -50,7 +50,7 @@ defined in your dependencies will not be loaded. Read the
want to learn why.
When resolving dependencies, packages are looked up from repositories from
top to bottom, and by default as soon as a package is found in one Composer
top to bottom, and by default, as soon as a package is found in one, Composer
stops looking in other repositories. Read the
[repository priorities](articles/repository-priorities.md) article for more
details and to see how to change this behavior.

15
doc/articles/repository-priorities.md
View File

@ -6,7 +6,7 @@
## Canonical repositories
When Composer resolves dependencies it will look up a given package in the
When Composer resolves dependencies, it will look up a given package in the
topmost repository. If that repository does not contain the package, it
goes on to the next one, until one repository contains it and the process ends.
@ -15,12 +15,13 @@ Canonical repositories are better for a few reasons:
- Performance wise, it is more efficient to stop looking for a package once it
has been found somewhere. It also avoids loading duplicate packages in case
the same package is present in several of your repositories.
- Security wise, it is safer to treat them canonically as it means that your most
important repositories will return the packages you expect them to always. Let's
- Security wise, it is safer to treat them canonically as it means that packages you
expect to come from your most important repositories will never be loaded from
another repository instad. Let's
say you have a private repository which is not canonical, and you require your
private package `foo/bar ^2.0` for example. Now if someone publishes
`foo/bar 2.999` to packagist.org, suddenly Composer will pick that package as it
has a higher version than your latest release (say 2.4.3), and you end up install
has a higher version than your latest release (say 2.4.3), and you end up installing
something you may not have meant to. If the private repository is canonical
however, that 2.999 version from packagist.org will not be considered at all.
@ -58,9 +59,9 @@ contains a given package.
## Filtering packages
You can also filter packages which a repository will be able to load, either by
selecting which you want, or by excluding those you do not want.
selecting which ones you want, or by excluding those you do not want.
For example here we want to pick only the `foo/bar` and all the packages from
For example here we want to pick only the package `foo/bar` and all the packages from
`some-vendor/` from this composer repository.
```json
@ -90,5 +91,5 @@ we may not want to load in this project.
}
```
Both `only` and `exclude` should be array of package names, which can also
Both `only` and `exclude` should be arrays of package names, which can also
contain wildcards (`*`) which will match any characters.