How do I install npm & composer on cPanel?

Having trouble finding a clear tutorial on how to do this, and whether this should be installed globally as the root or per cPanel user. Running Linux and I have access to the Yum package manager, so should I just install per-user using yum?
29 Replies
vince
vinceOP2mo ago
For context too, I'm doing this so that we don't have to include vendor/ or node_modules/ in our git repos Okay apparently this is a bad idea anyway to run npm install and composer install in Prod... Now I have to figure out how to do an automatic build step or just include node_modules and vendor in git... I'm just going to include it in git for now
ἔρως
ἔρως2mo ago
you don't please if you want to have security holes, please just give me the password it's faster
vince
vinceOP2mo ago
I'm completely new to any devops stuff and just have no idea how I'm supposed to go about this. We have our vendor directories inside git and I'd ideally like to not include them in git as to clean up the repo / best practice... is the only recommended way to setup a build step that npm i / composer install and then have that step automatically upload the files to the prod directory in the server? Why's this a security issue?
ἔρως
ἔρως2mo ago
it literally can install and execute any code any possible attacker could want
vince
vinceOP2mo ago
But wouldn't they need access to the server first to actually do that?
ἔρως
ἔρως2mo ago
if, somewhere, you have a vulnerability that lets run a single command, having composer can let attackers install malicious libraries and backdoors and you make it super easy or, better yet, if you leave the composer.php, it's easier to do that
vince
vinceOP2mo ago
So is the only recommended way to setup an automatic build step like I described above?
ἔρως
ἔρως2mo ago
to use a build docker image one for composer, one for node
vince
vinceOP2mo ago
We're using ddev which is a way to builder docker images for php environments, previously we included that in the git repo too but I removed it, should I just include that again? I really would rather not include these generated files if I don't have to - it adds onto the repo when we don't need to
ἔρως
ἔρως2mo ago
that's up to you but you don't need to, if it just saves into the server
vince
vinceOP2mo ago
Okay, so I guess in plain english what should my steps look like? What do I actually need to do? I'm so new to docker / anything like this I really just have no clue what I'm doing
ἔρως
ἔρως2mo ago
do you use githug or gitlab?
vince
vinceOP2mo ago
We use github
ἔρως
ἔρως2mo ago
use pre-existing github actions
vince
vinceOP2mo ago
Got it, I figured that might be the case. What would our github actions actually look like then? Just something like 1. npm i, composer install 2. upload files to prod environment 3. done ???
ἔρως
ἔρως2mo ago
basically, yes
vince
vinceOP2mo ago
I know it's more in-depth than that, just high level overview Okay damn. Thanks epic. Really was hoping there was an easier way. The github actions is just a lot of setup that I don't have time for right now so this will be a 3 months into the future type thing
ἔρως
ἔρως2mo ago
you can build locally and shove it all into the server after
vince
vinceOP2mo ago
I actually tried getting this automatic build step setup in the beginning of the year but I never have time for it 😅 Yea that's what we're doing we just upload it to github and then pull down in the server
ἔρως
ἔρως2mo ago
but you need to be careful with composer, as composer may be running in a different php version than the one you have in the server
vince
vinceOP2mo ago
That's so funny
vince
vinceOP2mo ago
No description
ἔρως
ἔρως2mo ago
🤣 told you
vince
vinceOP2mo ago
Thankfully I've been through this issue a couple times so I can fix it
ἔρως
ἔρως2mo ago
you can say which php version you have, and composer will do everything for that version
vince
vinceOP2mo ago
That took me wayyyy too long to finally get this staging site up. Go figure, I try to make the process better and end up making a whole mess for myself, only to arrive at the point I started at Epic, do you recommend keeping the staging site as staging.domain.com? Or should it be something separate like staging.random-domain.com? We have some staging domains inside our company domain rather than on the client's domain, and I feel like that's kind of silly - but I can see from a 'obfuscation' perspective why it was probably done I'd rather just keep it on the client's domain. We don't have basic http auth setup so if you just type it in you'll see the staging but I don't think that'll be that big of a deal?
ἔρως
ἔρως2mo ago
i recommend it to not be accessible outside your company whatever domain name you pick, doesn't matter
vince
vinceOP2mo ago
ty!!
ἔρως
ἔρως2mo ago
you're welcome it's extremely important that it isn't accessible outside the company not only because you have an unfinished version, but because that unfinished version can be vulnerable to bugs and that just cracks open everything to the attacker
Want results from more Discord servers?
Add your server