Constrain all the Composer config to only wp-plugin and wp-theme packages

[johnbillion]

This updates all the example Composer config to add "only":["wp-plugin/*","wp-theme/*"] for the wp-packages repo. This constrains the repo so it only applies to matching packages.

I had to switch to using a JSON blob for the main config command to facilitate setting the nested property values. Composer docs here.

I reduced the text size of the command on the home page so its full value fits in when viewed at the widest viewport on desktop without being truncated.

Screenshots

[retlehs]

#43

cc @tangrufus

[johnbillion]

Interesting, TIL. (Also GitHub search made it difficult to find results for "only" 😄).

From my point of view as a package consumer, this is something I want to configure in my local config. At the extreme, this is a supply chain security enhancement that protects against WP Packages being compromised to serve replacements for non-WordPress packages (although granted if WP Packages is compromised there are bigger problems).

[tangrufus]

I don't think we need to add back only.

Composer v2 filters packages by:

• repo's available-package-patterns
• local only
• local exclude

Roughly translate to:

in_array($pkg, $available_package_patterns) && in_array($pkg, $only) && ! in_array($pkg, $exclude)

As available-package-patterns and only are exactly the same, we can spare users from defining it locally.

---

See usages of ComposerRepository::lazyProvidersRepoContains()

https://github.com/composer/composer/blob/76463a135ab8c70885c61b7ebf22ce353737982b/src/Composer/Repository/ComposerRepository.php#L1766-L1771

---

Also GitHub search made it difficult to find results for "only"

I know that feel.

---

Am I missing anything?

[johnbillion]

Thanks for the info and the links. My personal opinion is I would prefer for the only config to be present so it's explicit in the consumer config, but I can live without it.