box-project/box

[BOX 4.5] Sodium and Zlib extensions are unused but referenced by requirement checker

Closed this issue · 2 comments

Bug report

| Question | Answer |
| --- | --- |
| Box version | 4.5.0@54142dd 2023-10-22 20:16:36 UTC |
| PHP version | 8.1.24 |
| Platform with version | Ubuntu 22.04 LTS |
| Github Repo | https://github.com/box-project/box |

Even though composer.json identifies the sodium extension as required, there are no uses of it anywhere in the BOX project.

Whether through native functions or a possible polyfill (not referenced here).

Output
$ box info box.phar

API Version: 1.1.0

Archive Compression: None
Files Compression: GZ

Signature: SHA-1
Signature Hash: 5F8F2CFF228C3B9A27FF373FAA87497A1B2EEA64

Metadata: None

Timestamp: 1698005811 (2023-10-22T20:16:51+00:00)

RequirementChecker:
 Required:
 - PHP ^8.1 (root)
 - ext-zlib (root)
 - ext-phar (root)
 - ext-sodium (root)
 - ext-tokenizer (nikic/php-parser)
 - ext-filter (phpdocumentor/reflection-docblock)

Contents: 1999 files (2.20MB)

// Use the --list|-l option to list the content of the PHAR.

Confirmed by native composer why commands:

Checking all extensions ...

composer why ext-filter
phpdocumentor/reflection-docblock 5.3.0 requires ext-filter (*)
composer why ext-tokenizer
nikic/php-parser  v4.15.2 requires ext-tokenizer (*)
theseer/tokenizer 1.2.0   requires ext-tokenizer (*)
composer why ext-sodium
humbug/box 4.x-dev requires ext-sodium (*)

Referenced only by the BOX project's composer.json itself!

composer why ext-phar
humbug/box       4.x-dev requires ext-phar (*)
phar-io/manifest 2.0.3   requires ext-phar (*)
composer why ext-zlib
There is no installed package depending on "ext-zlib"

Also checking with https://github.com/composer-unused/composer-unused tool

v0.8.10 Output
Results
-------

Found 27 used, 2 unused, 1 ignored and 0 zombie packages

 Used packages
 ✓ php
 ✓ ext-iconv (suggested by: symfony/var-dumper)
 ✓ ext-mbstring
 ✓ ext-phar
 ✓ amphp/parallel-functions (https://github.com/amphp/parallel-functions)
 ✓ composer/semver (https://github.com/composer/semver)
 ✓ composer/xdebug-handler (https://github.com/composer/xdebug-handler)
 ✓ fidry/console (https://github.com/theofidry/console)
 ✓ fidry/filesystem (https://github.com/theofidry/filesystem)
 ✓ humbug/php-scoper (https://github.com/humbug/php-scoper)
 ✓ justinrainbow/json-schema (https://github.com/justinrainbow/json-schema)
 ✓ laravel/serializable-closure (https://github.com/laravel/serializable-closure)
 ✓ nikic/iter (https://github.com/nikic/iter)
 ✓ nikic/php-parser (https://github.com/nikic/PHP-Parser) (required by: humbug/php-scoper)
 ✓ paragonie/constant_time_encoding (https://github.com/paragonie/constant_time_encoding)
 ✓ phpdocumentor/reflection-docblock (https://github.com/phpDocumentor/ReflectionDocBlock)
 ✓ phpdocumentor/type-resolver (https://github.com/phpDocumentor/TypeResolver)
 ✓ psr/log (https://github.com/php-fig/log)
 ✓ sebastian/diff (https://github.com/sebastianbergmann/diff)
 ✓ seld/jsonlint (https://github.com/Seldaek/jsonlint)
 ✓ symfony/console (https://github.com/symfony/console)
 ✓ symfony/filesystem (https://github.com/symfony/filesystem)
 ✓ symfony/finder (https://github.com/symfony/finder)
 ✓ symfony/polyfill-mbstring (https://github.com/symfony/polyfill-mbstring)
 ✓ symfony/process (https://github.com/symfony/process)
 ✓ symfony/var-dumper (https://github.com/symfony/var-dumper)
 ✓ webmozart/assert (https://github.com/webmozarts/assert)

 Unused packages
 ✗ ext-sodium
 ✗ symfony/polyfill-iconv (https://github.com/symfony/polyfill-iconv)

 Ignored packages
 ○ composer-plugin-api (ignored by NamedFilter(userProvided: false, string: composer-plugin-api))

 Zombies exclusions (did not match any package)

And checking with https://github.com/llaville/php-compatinfo

v7.0.0 Output chunk
Extensions Analysis
-------------------

   Extension  REF       EXT min/Max PHP min/Max PHP suggest
   core       core      8.1.0       8.1.0alpha1 8.0.0alpha1
   date       date      5.5.0       5.5.0
   hash       hash      1.1         4.0.0
   intl       intl      1.0.0beta   5.2.0
   json       json      1.6.0       7.3.0alpha1
   mbstring   mbstring  4.3.0       7.1.0       4.3.0
C  openssl    openssl   5.2.0       5.2.0
   pcre       pcre      4.0.0       4.0.0
   phar       phar      2.0.0a1     8.0.0alpha1
C  posix      posix     7.0.0       7.0.0beta2
   spl        spl       5.1.2       7.4.0
   standard   standard  8.0.0alpha1 7.3.0alpha4 8.0.0alpha1
   tokenizer  tokenizer 8.0.0RC4    8.0.0RC4
   Total [13]                       8.1.0alpha1

Hmm I think sodium is a leftover from Pharaoh which was supporting the blake2b hashing algorithm. I still need to check if I can add it back but either way it would be an optional extension (and I think Pharaoh had the polyfill shipped).

zlib is not used directly, but is needed by the project for the GZ compression. But then that can probably be moved to require-dev.

I confirmed that https://packagist.org/packages/paragonie/pharaoh used the sodium polyfill
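The `composer why` check from the report, as an added example (not part of the original issue or Box's own code): it reads a composer.json and composer.lock and lists the ext-* requirements that only the root package declares. The JSON is constructed sample data modelled on the output above, and the function names are hypothetical.

```python
import json

# Constructed sample data modelled on the report's output; not Box's real files.
COMPOSER_JSON = """{
  "name": "humbug/box",
  "require": {"php": "^8.1", "ext-phar": "*", "ext-sodium": "*"}
}"""
COMPOSER_LOCK = """{
  "packages": [
    {"name": "nikic/php-parser", "require": {"ext-tokenizer": "*"}},
    {"name": "phar-io/manifest", "require": {"ext-phar": "*"}},
    {"name": "phpdocumentor/reflection-docblock", "require": {"ext-filter": "*"}},
    {"name": "theseer/tokenizer", "require": {"ext-tokenizer": "*"}}
  ]
}"""
ROOT, LOCK = json.loads(COMPOSER_JSON), json.loads(COMPOSER_LOCK)


def why(ext, root, lock):
    """Packages that require `ext`, like `composer why` (root package included)."""
    candidates = [root] + lock.get("packages", [])
    return sorted(p["name"] for p in candidates if ext in p.get("require", {}))


def extension_map(root, lock):
    """Every ext-* requirement in the tree, mapped to the packages declaring it."""
    exts = set()
    for pkg in [root] + lock.get("packages", []):
        exts.update(k for k in pkg.get("require", {}) if k.startswith("ext-"))
    return {ext: why(ext, root, lock) for ext in sorted(exts)}


def root_only_extensions(root, lock):
    """Extensions that only the root package declares: only the project's own
    source can justify them, so these are the ones to audit for real usage."""
    return [e for e, deps in extension_map(root, lock).items()
            if deps == [root["name"]]]


if __name__ == "__main__":
    for ext, deps in extension_map(ROOT, LOCK).items():
        print(f"{ext}: {', '.join(deps)}")
    print("root-only:", root_only_extensions(ROOT, LOCK))
```

A root-only result is a candidate for review, not proof that the extension is unused; a usage scan of the project's own source (as composer-unused does) settles it.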