---
title: Best practices for Composer package provenance and composer.lock integrity governance (Packagist, hashes, PHP version)
keywords:
- Composer
- Packagist
- composer.lock
- hash
- PHP version
description: Verify the source and hash of every dependency recorded in composer.lock, the PHP version constraints and a source allow list, so that non-compliant and poisoned packages are blocked before they enter an environment.
categories:
- Articles & News
- Technical tutorials
---
Implementation example
```typescript
// One entry of composer.lock "packages" / "packages-dev"; only the audited fields are typed.
type ComposerPkg = { name: string; version: string; dist?: { url: string; shasum?: string }; source?: { url: string }; require?: { php?: string } }
// Packagist-resolved GitHub packages carry dist (zipball) URLs on api.github.com and source URLs on github.com.
const allowHosts = new Set<string>(['packagist.org', 'repo.packagist.org', 'api.github.com', 'github.com'])
// dist.shasum, when set, is the SHA-1 of the archive as 40 hex chars; URLs pass only if HTTPS and on the allow list, unparsable ones fail closed.
function hex40(h?: string): boolean { return !!h && /^[A-Fa-f0-9]{40}$/.test(h) }
function validUrl(u?: string): boolean { if (!u) return false; try { const x = new URL(u); return x.protocol === 'https:' && allowHosts.has(x.host) } catch { return false } }
// Does envPhp (e.g. "8.2.7") satisfy a single-clause constraint as found in lock files (">=7.4", "^8.1", "~8.1.2", "8.1.0")? "||" ranges and "*" wildcards are not parsed and fail closed.
function phpSatisfies(req: string, envPhp: string): boolean {
  const m = /^(>=|\^|~)?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(req.trim()), e = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(envPhp)
  if (!m || !e) return false
  const want = [+m[2], +(m[3] ?? 0), +(m[4] ?? 0)], env = [+e[1], +e[2], +(e[3] ?? 0)]
  const d = env[0] - want[0] || env[1] - want[1] || env[2] - want[2] // sign of env relative to the constraint's floor
  if (m[1] === '>=') return d >= 0
  if (m[1] === '^') return d >= 0 && env[0] === want[0]                                             // ^8.1 => >=8.1 <9.0
  if (m[1] === '~') return d >= 0 && env[0] === want[0] && (m[4] === undefined || env[1] === want[1]) // ~8.1 => <9.0, ~8.1.2 => <8.2.0
  return d === 0                                                                                     // exact version
}
// Walk the lock entries; findings are "kind:package" strings so a CI step can print them and fail the build on a non-empty list.
function evaluate(list: ComposerPkg[], envPhp: string): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  for (const p of list) {
    if (!p.name || !p.version) errors.push(`id:${p.name}`)
    // A present-but-malformed shasum is flagged; so is the empty string Packagist writes for most packages, since there is nothing to verify.
    if (p.dist && (!validUrl(p.dist.url) || (p.dist.shasum !== undefined && !hex40(p.dist.shasum)))) errors.push(`dist:${p.name}`)
    if (p.source && !validUrl(p.source.url)) errors.push(`source:${p.name}`)
    if (p.require?.php && !phpSatisfies(p.require.php, envPhp)) errors.push(`php:${p.name}`)
  }
  return { ok: errors.length === 0, errors }
}
```
Audit and runtime governance
- Audit source domains, hashes and PHP constraints; block anything non-compliant and fall back to a trusted source.
- Changes require approval and are recorded, so they can be traced back quickly.
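The lock-file audit described above, as an added example that is not code from the original page. It complements the checker in the implementation section in two ways: it walks both `packages` and `packages-dev`, and it compares `dist.shasum` against the SHA-1 of the bytes actually retrieved instead of only checking the hash's shape, so a mirror that serves a tampered archive under a valid-looking lock entry is caught. The lock contents, the archive bytes, the `vendor/*` and `evil/mirror` package names and the `fetchArchive` function are constructed stand-ins; in CI the fetcher would download the zipball. PHP constraint evaluation is left to the code above.

```typescript
import { createHash } from 'crypto'

// Same allow list as the checker above: HTTPS only, host must be listed.
const ALLOW_HOSTS = new Set<string>(['packagist.org', 'repo.packagist.org', 'api.github.com', 'github.com'])

type LockEntry = { name: string; version: string; dist?: { url: string; shasum?: string }; source?: { url: string } }
type LockFile = { packages: LockEntry[]; 'packages-dev'?: LockEntry[] }
// Hypothetical stand-in for the download step: archive bytes for a dist URL, or undefined if it cannot be fetched.
type Fetcher = (url: string) => Buffer | undefined

const sha1Hex = (bytes: Buffer): string => createHash('sha1').update(bytes).digest('hex')

function hostOk(url: string): boolean {
  try { const u = new URL(url); return u.protocol === 'https:' && ALLOW_HOSTS.has(u.host) } catch { return false }
}

// Audit "packages" and "packages-dev". Findings are "kind:package" strings. An archive is only
// fetched after its dist URL passed the host check, so an unlisted host is never contacted,
// and the lock's hash is compared against bytes actually retrieved.
function auditLock(lock: LockFile, fetchArchive: Fetcher): { ok: boolean; findings: string[] } {
  const findings: string[] = []
  for (const p of [...lock.packages, ...(lock['packages-dev'] ?? [])]) {
    if (p.source && !hostOk(p.source.url)) findings.push(`source-host:${p.name}`)
    if (!p.dist) continue                                   // VCS-only entry: nothing to hash, source host already checked
    if (!hostOk(p.dist.url)) { findings.push(`dist-host:${p.name}`); continue }
    const want = (p.dist.shasum ?? '').toLowerCase()
    if (!/^[0-9a-f]{40}$/.test(want)) { findings.push(`shasum-missing:${p.name}`); continue } // "" is what Packagist usually writes
    const bytes = fetchArchive(p.dist.url)
    if (!bytes) { findings.push(`unreachable:${p.name}`); continue }
    if (sha1Hex(bytes) !== want) findings.push(`shasum-mismatch:${p.name}`)
  }
  return { ok: findings.length === 0, findings }
}

// ---- Constructed sample (not a real project) ----
const ZIP_A = Buffer.from('zip bytes of vendor/a 1.2.0')
const ZIP_B = Buffer.from('zip bytes of vendor/b 0.9.1')
const ZIP_B_TAMPERED = Buffer.from('zip bytes of vendor/b 0.9.1 plus an injected autoload file')
const URL_A = 'https://api.github.com/repos/vendor/a/zipball/1111111111111111111111111111111111111111'
const URL_B = 'https://api.github.com/repos/vendor/b/zipball/2222222222222222222222222222222222222222'
const URL_D = 'https://api.github.com/repos/vendor/d/zipball/4444444444444444444444444444444444444444'

const SAMPLE_LOCK: LockFile = {
  packages: [
    { name: 'vendor/a', version: '1.2.0', dist: { url: URL_A, shasum: sha1Hex(ZIP_A) }, source: { url: 'https://github.com/vendor/a.git' } },
    { name: 'evil/mirror', version: '3.0.0', dist: { url: 'https://mirror.example.net/evil/mirror-3.0.0.zip', shasum: sha1Hex(ZIP_A) } }, // unlisted host
    { name: 'vendor/c', version: '2.1.0', dist: { url: 'http://api.github.com/repos/vendor/c/zipball/3333333333333333333333333333333333333333', shasum: sha1Hex(ZIP_A) } }, // plain HTTP
    { name: 'vendor/d', version: '0.1.0', dist: { url: URL_D, shasum: '' }, source: { url: 'https://github.com/vendor/d.git' } }, // no hash to verify
  ],
  'packages-dev': [
    { name: 'vendor/b', version: '0.9.1', dist: { url: URL_B, shasum: sha1Hex(ZIP_B) }, source: { url: 'https://github.com/vendor/b.git' } }, // lock says ZIP_B, server serves tampered bytes
  ],
}

// Hypothetical fetcher standing in for the network: serves the tampered archive for vendor/b.
const fakeFetch: Fetcher = (url) => ({ [URL_A]: ZIP_A, [URL_B]: ZIP_B_TAMPERED } as Record<string, Buffer>)[url]

function runSampleAudit(): { ok: boolean; findings: string[] } {
  return auditLock(SAMPLE_LOCK, fakeFetch)
}
```

Running `runSampleAudit()` yields one finding per bad entry: the unlisted mirror, the plain-HTTP URL, the entry with no hash, and the dev package whose served bytes no longer match the lock. Only `vendor/a` passes. A CI gate would print the list and exit non-zero when it is non-empty.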
