--- /dev/null
++++
+categories = ["News"]
+tags = ["News"]
+title = "Testing Better Dependency Management"
+image = "/images/blog-cover-images/cc-by-sa-4/mountain-stream-agnes-monkelbaan.jpg"
+author = "Dan Brown"
+slug = "php-dependency-improvements"
+draft = false
+date = 2025-03-17T18:00:00Z
++++
+
+Yesterday I released [BookStack v25.02.1](https://github.com/BookStackApp/BookStack/releases/tag/v25.02.1)
+which included a range of updates to [the system CLI](https://www.bookstackapp.com/docs/admin/system-cli/),
+one of which being a new command:
+
+```bash
+./bookstack-system-cli download-vendor
+```
+
+This new command will download the required PHP dependency packages for a BookStack instance,
+and is intended to replace the existing `composer install --no-dev` install & update
+step with a more efficient system which relies on fewer external sources.
+
+The existing `composer install --no-dev` command will continue to work, and will remain the default advised
+approach until this new option has had greater testing.
+
+*Note: If you don't run our standard install steps (For example, you run via a maintained docker image) then this
+is not something you'd use yourself or need to worry about.*
+
+### How This Works
+
+As part of the BookStack release process the `vendor/` folder, which contains PHP dependencies,
+is now compressed to a ZIP archive and then uploaded to our https://files.bookstackapp.com/vendor/
+site, with the resulting ZIP file name matching the BookStack version.
+A sha256 checksum is saved as part of the core code-base to a [`dev/checksums/vendor` file](https://github.com/BookStackApp/BookStack/blob/release/dev/checksums/vendor), which is committed as part of a release.
+
+When running `./bookstack-system-cli download-vendor`, the CLI will look up to our https://files.bookstackapp.com/vendor/
+site for the ZIP of version matching the BookStack instance, download that ZIP, then verify the file against
+the checksum stored in the code-base. If this passes, the ZIP is extracted to `vendor/` in the target BookStack
+instance, removing any existing `vendor/` directory first.
+
+The process has been designed to be fairly simple, in a way that can easily be replicated via other means
+outside of our CLI, while also ensuring a level of trust & security by performing the checksum
+against a value provided via a different source to the downloaded file.
+
+### Why This Has Been Introduced
+
+There's a few reasons as to why this process has been implemented:
+
+Firstly, it reduces requirements for a production environment.
+Right now [composer](https://getcomposer.org/) is considered a BookStack requirement,
+but this process can be used instead of composer in standard production use.
+
+Secondly, it can be a lot more efficient than the existing `composer install --no-dev` step.
+That existing method will download & extract multiple ZIP files, one for each dependency to install/update.
+This new command/process packages up all dependencies for a BookStack version within a single ZIP to download & extract.
+
+Thirdly, it reduces reliance on external services & platforms.
+The existing process via composer will download files from GitHub (Microsoft) and Codeberg (and any other repository sources that might be used in future).
+This new process only relies on a single host that's under the BookStack domain: https://files.bookstackapp.com.
+This can be particularly helpful in environments where connections to external locations are strictly controlled, and also helps avoid issues that can occur with downloading from third-party sites like rate-limiting and access filtering.
+This also works towards our wider goal of [reducing our reliance on GitHub](https://github.com/BookStackApp/BookStack/issues/4551) within the project.
+
+### Providing Feedback
+
+I welcome any feedback regarding this system [on the GitHub issue here](https://github.com/BookStackApp/BookStack/issues/5538).
+
+Once we've had some feedback, and the system is proven stable & working, I'll look to update our docs, guidance and scripts
+to use this new system by default instead of using composer.
+
+---
+
+<span style="font-size: 0.8em;opacity:0.8;">Header Image Credits: <span>Photo by <a href="https://commons.wikimedia.org/wiki/File:S-charl_richting_Alp_Sesvenna._12-10-2024._(actm.)_03.jpg">Agnes Monkelbaan (CC-BY-SA-4)</a> - Image Modified</span></span>
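Review bot: The "How This Works" section says the process "can easily be replicated via other means outside of our CLI", but the post does not give what a reader would need to do that: the exact ZIP file name pattern under https://files.bookstackapp.com/vendor/ (only "matching the BookStack version" is stated) and the layout of the `dev/checksums/vendor` file. Consider adding a line for each. The same section only describes the passing case of the sha256 check ("If this passes, the ZIP is extracted ... removing any existing `vendor/` directory first"); it should also state what happens on a mismatch, in particular whether the existing `vendor/` directory is left in place. Minor wording: "look up to our ... site for the ZIP of version matching the BookStack instance" reads awkwardly, and "There's a few reasons" should be "There are a few reasons".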