October: Why does octobercms come with so much bloatware? where's the 'back to basics' concept

Created on 2 Feb 2017  路  3Comments  路  Source: octobercms/october
Expected behavior

Smallest deployment possible after choosing the minimal install.

Actual behavior

The octobercms installer (despite the basic install with no theme and no plugins) installs a LOT of libraries (34MB) and even EXTRA framework (symfony) into the vendor directory:

octobercms/vendor# du -sh *

4.0K autoload.php
36K bin
92K classpreloader
588K composer
272K danielstjules
40K dnoegel
3.2M doctrine
604K erusev
156K jakub-onderka
280K jenssegers
108K jeremeamia
632K kriswallsmith
4.0M laravel
360K leafo
396K league
28K linkorb
1.1M monolog
152K mtdowling
372K nesbot
2.5M nikic
2.0M october
508K oyejorge
132K paragonie
72K psr
1020K psy
2.6M swiftmailer
8.4M symfony
3.6M twig
40K vlucas
104K wikimedia

Not to mention that these increase the attack surface and might leak via web server config on some installs as octobercms does not use PUBLIC dir.

Reproduce steps

Use the official installer and watch vendor directory grow thick...

October build

latest

Question
Source
picture SeekAndPwn
👎3

Most helpful comment

The back to basics refers to the development process for October, which is quite nice to work with as a developer. If you really want to go 'back to basics' in the sense of no dependencies, then you can just put index.php on your server and call it a day.

While it's true that the default October installation takes a blacklist approach to security (everything's controlled via .htaccess), it also provides options for those more concerned that would like a higher piece of mind that a whitelisting approach provides. Simply run php artisan october:mirror public --relative on your October project directory and watch as it creates a symlinked public folder for a whitelisting approach to request security.

picture LukeTowers on 2 Feb 2017
👍3

All 3 comments

The back to basics refers to the development process for October, which is quite nice to work with as a developer. If you really want to go 'back to basics' in the sense of no dependencies, then you can just put index.php on your server and call it a day.

While it's true that the default October installation takes a blacklist approach to security (everything's controlled via .htaccess), it also provides options for those more concerned that would like a higher piece of mind that a whitelisting approach provides. Simply run php artisan october:mirror public --relative on your October project directory and watch as it creates a symlinked public folder for a whitelisting approach to request security.

LukeTowers picture LukeTowers on 2 Feb 2017
👍3

The vendor folder's size is mostly Laravel, the foundation framework. Laravel uses some Symfony components. Read the documentation on using a public folder.

daftspunk picture daftspunk on 2 Feb 2017

Closing due to no further discussion popping up

LukeTowers picture LukeTowers on 22 Mar 2017
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

pavelmgn picture pavelmgn  路  3Comments
atrauzzi picture atrauzzi  路  3Comments
Flynsarmy picture Flynsarmy  路  3Comments
ChVuagniaux picture ChVuagniaux  路  3Comments
lukaszbanas-extremecoding picture lukaszbanas-extremecoding  路  3Comments