Chapters

18 Chapters | 1:50:35 | 0%

01

Creating a new Symfony 5 Project

Challenge 1.1: unanswered

6:05
02

Meet our Tiny App + PhpStorm Setup

Challenge 2.1: unanswered

Challenge 2.2: unanswered

5:30
03

Route, Controllers & Responses!

Challenge 3.1: unanswered

5:56
04

Annotation & Wildcard Routes

Challenge 4.1: unanswered

6:10
05

The Lovely bin/console Tool

Challenge 5.1: unanswered

2:42
06

Flex, Recipes & Aliases

Challenge 6.1: unanswered

Challenge 6.2: unanswered

6:26
07

How Recipes Work

3:06
08

The Twig Recipe

Challenge 8.1: unanswered

Challenge 8.2: unanswered

3:46
09

Twig ❤️

Challenge 9.1: unanswered

Challenge 9.2: unanswered

Challenge 9.3: unanswered

10:14
10

Profiler: Your Debugging Best Friend

Challenge 10.1: unanswered

Challenge 10.2: unanswered

6:46
11

Assets: CSS, Images, etc

Challenge 11.1: unanswered

9:58
12

Generate URLs

Challenge 12.1: unanswered

5:11
13

JSON API Endpoint

Challenge 13.1: unanswered

6:29
14

JavaScript, AJAX & the Profiler

Challenge 14.1: unanswered

7:12
15

Smart Routes: POST-only & Validate {Wildcards}

Challenge 15.1: unanswered

4:04
16

Service Objects

Challenge 16.1: unanswered

8:25
17

Hello Webpack Encore

4:05
18

Webpack Encore: JavaScript Greatness

Challenge 18.1: unanswered

8:30

This tutorial has a new version, check it out!

> Symfony 5 > Charming Development in Symfony 5

06.

Flex, Recipes & Aliases

Autoplay

Previous Challenge

Next Challenge

We're going to install a totally new package into our app called the "security checker". The security checker is a tool that looks at your application's dependencies and tell you if any of them have known security vulnerabilities. But, full disclosure, as cool as that is... the real reason I want to install this library is because it's a great way to look at Symfony's all-important "recipe" system.

At your terminal, run:

composer require sec-checker --no-scripts

Tip

You can still download the security checker to see how its recipe works, but the API it uses has been discontinued in favor of other solutions. If you want to know more, see https://github.com/sensiolabs/security-checker

In a real app, you should probably pass --dev to add this to your dev dependencies... but it won't matter for us.

Flex Aliases

There is, however, something weird here. Specifically... sec-checker is not a valid package name! In the Composer world, every package must be something/something-else: it can't just be sec-checker. So what the heck is going on?

Back in PhpStorm, open up composer.json. When we started the project, we had just a few dependencies in this file. One of them is symfony/flex.

            Copy Code

                            Show All Lines

                        69 lines
            |
            composer.json
        
            {
        
                Show Lines

                                                    // ... lines 2 - 3
                            
                "require": {
        
                    "php": "^7.2.5",
        
                    "ext-ctype": "*",
        
                    "ext-iconv": "*",
        
                    "sensio/framework-extra-bundle": "^5.5",
        
                    "sensiolabs/security-checker": "^6.0",
        
                    "symfony/console": "5.0.*",
        
                    "symfony/dotenv": "5.0.*",
        
                    "symfony/flex": "^1.3.1",
        
                    "symfony/framework-bundle": "5.0.*",
        
                    "symfony/yaml": "5.0.*"
        
                },
        
                Show Lines

                                                    // ... lines 16 - 67
                            
            }

This is a composer plugin that adds two special features to Composer itself. The first is called "aliases".

At your browser, go to http://flex.symfony.com to find and big page full of packages.

Tip

The flex.symfony.com server was shut down in favor of a new system. But you can still see a list of all of the available recipes at https://bit.ly/flex-recipes!

Search for security. Better, search for sec-checker. Boom! This says that there is a package called sensiolabs/security-checker and it has aliases of sec-check, sec-checker, security-checker and some more.

The alias system is simple: because Symfony Flex is in our app, we can say composer require security-checker, and it will really download sensiolabs/security-checker.

You can see this in our terminal: we said sec-checker, but ultimately it downloaded sensiolabs/security-checker. That's also what Composer added to our composer.json file. So... aliases are just a nice shortcut feature... but it's kinda cool! You can almost guess an alias when you want to install something. Want a logger? Run composer require logger to get the recommended logger. Need to mail something? composer require mailer. Need to eat a cake? composer require cake!

Flex Recipes

The second feature that Flex adds to Composer is the really important one. It's the recipe system.

Back at the terminal, after installing the package, it said:

Symfony operations: 1 recipe configuring sensiolabs/security-checker.

Interesting. Run:

git status

Whoa! We expected composer.json and composer.lock to be modified... that's how composer works. But something also modified a symfony.lock file... and added a totally new security_checker.yaml file!

Ok, first, symfony.lock is a file that's managed by Flex. You don't need to worry about it, but you should commit it. It keeps a big list of which recipes have been installed.

So, who created the other file? Open it up: config/packages/security_checker.yaml.

            Copy Code

                        9 lines
            |
            config/packages/security_checker.yaml
        
            services:
        
                _defaults:
        
                    autowire: true
        
                    autoconfigure: true
        
                SensioLabs\Security\SecurityChecker: null
        
                SensioLabs\Security\Command\SecurityCheckerCommand: null

Each package you install may have a Flex "recipe". The idea is beautifully simple. Instead of telling people to install a package and then create this file, and update this other file in order to get things working, Flex executes a recipe which... just does that stuff for you! This file was added by the sensiolabs/security-checker recipe!

You don't need to worry about the specifics of what's inside this file right now. The point is, thanks to this file, we have a new bin/console command. Run:

php bin/console

See that security:check command? That wasn't there a second ago. It's there now thanks to the new YAML file. Try it:

php bin/console security:check

No packages have known vulnerabilities! Awesome!

How Recipes Work

Here is the big picture: thanks to the recipe system, whenever you install a package, Flex will check to see if that package has a recipe and, if it does, will install it. A recipe can do many things, like add files, create directories or even modify a few files, like adding new lines to your .gitignore file.

The recipe system is a game-changer. I love it because anytime I need a new package, all I need to do is install it. I don't need to add configuration files or modify anything because the recipe automates all that boring work.

Recipes can Modify Files

In fact, this recipe did something else we didn't notice. At the terminal, run:

git diff composer.json

We expected that Composer would add this new line to the require section. But there is also a new line under the scripts section. That was done by the recipe.

            Copy Code

                            Show All Lines

                        69 lines
            |
            composer.json
        
            {
        
                Show Lines

                                                    // ... lines 2 - 3
                            
                "require": {
        
                Show Lines

                                                    // ... lines 5 - 8
                            
                    "sensiolabs/security-checker": "^6.0",
        
                Show Lines

                                                    // ... lines 10 - 14
                            
                },
        
                Show Lines

                                                    // ... lines 16 - 45
                            
                "scripts": {
        
                    "auto-scripts": {
        
                Show Lines

                                                    // ... lines 48 - 49
                            
                        "security-checker security:check": "script"
        
                    },
        
                Show Lines

                                                    // ... lines 52 - 57
                            
                },
        
                Show Lines

                                                    // ... lines 59 - 67
                            
            }

Thanks to this, whenever you run composer install after it finishes, it automatically runs the security checker.

Tip

Running composer install will fail with 403 API error. It's ok, we will remove security checker in the next chapter so it won't be an issue. If you want to know more, see https://github.com/sensiolabs/security-checker

The point is: to use the security checker, the only thing we needed to do was... install it. Its recipe took care of the rest of the setup.

Now... if you're wondering:

Hey! Where the heck does this recipe live? Can I see it?

That's a great question! Let's find out where these recipes live and what they look like next.

40 Comments

Sort By

Brentspine 1 year ago

You can find recipe aliases now under https://bit.ly/flex-recipes

1 | Reply |

MolloKhan SFCASTS Brentspine 1 year ago

Thank you for sharing it. We'll add a note about it

1 | Reply |

Soufiyane 2 years ago

please i have a problem, when i execute php bin\console security:check i get this errors

In ErrorChunk.php line 65:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

In CurlResponse.php line 335:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [--] [<lockfile>]

1 | Reply |

Soufiyane Soufiyane 2 years ago

is it something i should worry about ? or can i just move to the other videos ? i'm using symfony 5.4

| Reply |

Victor SFCASTS Soufiyane 2 years ago

Hey SouFiane,

Yes, that's OK... because that way is deprecated now. You should use other ways for checking the security of your project, look at this comment for alternative ways: https://symfonycasts.com/sc...

Let us know if you still have any problems with following this tutorial further!

Cheers!

| Reply |

Melanie 4 years ago edited

Hi, i have a probleme,when i make php bin/console security:check, sometime the command works and sometime no.
What can i do ?


D:\web_server_dev3\Apache24\htdocs\projet_test (master) 

[0;33mSymfony Security Check Report[0m
[0;33m=============================[0m

[0;37;42mNo packages have known vulnerabilities.[0m

D:\web_server_dev3\Apache24\htdocs\projet_test (master)

λ php bin/console security:check


In ErrorChunk.php line 65:

  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


In NativeResponse.php line 115:

  fopen(): SSL operation failed with code 1. OpenSSL Error messages:
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [-e|--env ENV] [--no-debug] [--] <command> [<lockfile>]

1 | Reply |

Victor SFCASTS Melanie 4 years ago

Hey Melanie,

I'd recommend you to use "symfony security:check" command instead of doing it via "bin/console". This way you can drop this security checker from your project dependencies completely and use standalone one from symfony binary.

Though, it probably may not fix the problem for you. The error you showed looks like a network problem... Do you have any proxy configured on your computer? Do you have good internet connection when this error happens? If you don't have any proxy and your internet connection is good - probably my guess is that it might be on Symfony side, hopefully something temporary as it sounds like a randomly failed connection for you.

Anyway, try to use "symfony security:check" and look closer if this failed with the similar error and when it fails.

I hope this helps!

Cheers!

2 | Reply |

Soufiyane Victor 2 years ago

this helps a lot <333

| Reply |

Victor SFCASTS Soufiyane 2 years ago

Hey SouFiane,

Awesome! Thanks for letting us know it was useful for you!

Cheers!

| Reply |

Titanism 2 years ago

How do I download security checker when flex.symfony.com does not exist anymore and the security checker GitHub is read-only?

| Reply |

MolloKhan SFCASTS Titanism 2 years ago

Hey Titanism,

In short, you can't :) - That library it's fully deprecated, but it's now integrated into the Symfony CLI. You only need to run symfony security:check

Cheers!

1 | Reply |

Mohammadmahdi M. 2 years ago

hi i installed the sec checker but security_checker.yaml didn't add automatilcy

i'm using symfony 5.4

| Reply |

weaverryan SFCASTS Mohammadmahdi M. 2 years ago edited

Hi Mohammadmahdi M.!

Don't worry about it :). A few years ago, that package was deprecated and its recipe was removed - we have a note about it near the top of the script (and in the video): https://symfonycasts.com/sc....

So, you're not doing anything wrong - but this package is no longer a good example of seeing a recipe in action.

Cheers!

| Reply |

Soufiyane 2 years ago

nice course, now let's go to the next one <3 greate teaching skills as well very talented persone

| Reply |

Morty 3 years ago

the flex server is going to shutdown so you have to install sec-checker it via git if I did understand that right. Maybe you can update it in your video. Cheers

| Reply |

MolloKhan SFCASTS Morty 3 years ago

Hey @Morty,

Yes, you're right about the Flex server going to shutdown but you don't have to install the sec-checker library (it's deprecated, actually). You can check for vulnerabilities by using the Symfony CLI or this other tool https://github.com/fabpot/l...

Cheers!

| Reply |

Beginner 3 years ago

Wow, Symfonycasts website seems to be like Laracasts, but instead we could learn Symfony. That's amazing and I hope there will be more free content.

| Reply |

Victor SFCASTS Beginner 3 years ago

Hey Beginner,

Yes, SymfonyCasts content is more Symfony-related when Laracasts one is more Laravel related :) Though Laravel uses a lot of Symfony components behind the scene, you can see it in Composer dependencies list, so learning Symfony you will kinda cover both Symfony and Laravel ;)

About the free content - we do have some free courses from time to time, also every few videos on *every* course are typically free! :) So you can start with any tutorial for free to decide if you want to buy access to finish the course or no. We also have some discounted offers for students, so if you're an active student - contact us directly via contact form: https://symfonycasts.com/co... . And it's important to mention that even if some videos are behind of paywall on SymfonyCasts, you still can learn with us for free reading the scripts below the video. Scripts are exactly the text we're talking in the video, and thankfully to our dynamic code blocks you can literally see the actual code we use in the video :)

I hope this helps and happy Symfony learning!

Cheers!

1 | Reply |

Игорь П. 3 years ago

I've got a version problem here (I am using symphony 6.0 right now)

Z:\htdocs\symphony\test_project>composer require sec-checker --no-scripts
Using version ^6.0 for sensiolabs/security-checker
./composer.json has been updated
Running composer update sensiolabs/security-checker
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.0.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1
- sensiolabs/security-checker[v6.0.0, ..., v6.0.2] require symfony/console ^2.8|^3.4|^4.2 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4
.47, v4.2.0, ..., v4.4.34] but it conflicts with your root composer.json require (6.0.*).
- sensiolabs/security-checker v6.0.3 requires symfony/console ^2.8|^3.4|^4.2|^5.0 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.
2.0, ..., v4.4.34, v5.0.0, ..., v5.4.0] but it conflicts with your root composer.json require (6.0.*).
- Root composer.json requires sensiolabs/security-checker ^6.0 -> satisfiable by sensiolabs/security-checker[v6.0.0, v6.0.1, v6.0.2, v6.0.3].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require sensiolabs/security-checker:*" to figure out if any v
ersion is installable, or "composer require sensiolabs/security-checker:^2.1" if you know which you need.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

| Reply |

Игорь П. Игорь П. 3 years ago

Because of https://packagist.org/packa... this module is abandoned it looks like this video should be re new?

| Reply |

sadikoff SFCASTS Игорь П. 3 years ago

I'd like to suggest just ignore this security checker stuff, because you are using Symfony 6... but also I want to warn you about more issues because of Symfony version, because this course is designed for Symfony 5

BTW if you are interested in security checks you will need to use Symfony CLI for it =)

Cheers!

1 | Reply |

Leon 3 years ago

mike@mike:~/dev/symfony/cauldron_overflow$ php bin/console security:check

The web service failed for an unknown reason (HTTP 403).

| Reply |

Victor SFCASTS Leon 3 years ago

Hey Mike,

Yeah, that's because the sensiolabs/security-checker is not maintained anymore, you can find more info about this here: https://github.com/sensiola... . As you can see, there're a few other options instead: you can use Symfony CLI for checking security vulnerabilities or use this library https://github.com/fabpot/l... .

Cheers!

2 | Reply |

Jose C. 3 years ago edited

Hi guys, i run the command "composer require sec-checker" but the security-checker script didn't execute, the result was this, how can i run that script? Thanks <blockquote>Installing dependencies from lock file (including require-dev) Verifying lock file contents can be installed on current platform. Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run composer update or composer update <package name>. Nothing to install, update or remove Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/local-php-security-checker instead. Generating optimized autoload files 34 packages you are using are looking for funding. Use the composer fund` command to find out more!

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]</blockquote>error after run the "php bin/console security:check" command <blockquote>The web service failed for an unknown reason (HTTP 403)</blockquote></blockquote>error after run the "php bin/console security" command
<blockquote>Command "security" is not defined.</blockquote>

After run "symfony security:check" command
<blockquote>`Symfony Security Check Report
=============================

No packages have known vulnerabilities.`
</blockquote>The composer.json file hasn't in auto-scripts section the line "security-checker security:check" : "script"

| Reply |

Victor SFCASTS Jose C. 3 years ago

Hey Jose,

The "sec-checker" alias is pointing to "sensiolabs/security-checker" package that is already deprecated: https://packagist.org/packa... - and so it may not work as expected because it's not maintained anymore.

Here's the replacement that's recommended to be used instead: https://github.com/fabpot/l...

Or, you can check this with "symfony security:check" that is a valid way of doing this check.

I hope this helps!

Cheers!

| Reply |

Norris M. 4 years ago

Hi. I was trying to get the security checker but I got this instead "Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead." how to do I get local-php-security-checker instead?

| Reply |

MolloKhan SFCASTS Norris M. 4 years ago edited

Hey Norris M.

You can do what Dutta said, or install Symfony CLI and run this command symfony security:check

Cheers!

3 | Reply |

Norris M. MolloKhan 4 years ago edited

MolloKhan Thanks mate!

1 | Reply |

Deeptonabho D. Norris M. 4 years ago

Download any of the executable files from the git repo (https://github.com/fabpot/l..., save it in your project dir, and run it from the terminal

2 | Reply |

Hawraa A. Deeptonabho D. 3 years ago

how to use the files above? what should I copy and where I should paste? and how to run it in the terminal?

| Reply |

sadikoff SFCASTS Hawraa A. 3 years ago edited

Hey Hawraa A.

You can find all exact instructions here https://github.com/fabpot/l...

Cheers!

| Reply |

Norris M. Deeptonabho D. 4 years ago edited

Thanks Deeptonabho D. It worked.

| Reply |

Tanguy D. 4 years ago edited

Hi guys, I have a problem when trying to install security checker. Can you help me understand what I did wrong ?

Symfony operations: 1 recipe (b05abf754e48fa4ce00d852015c44e45)

Configuring sensiolabs/security-checker (>=4.0): From github.com/symfony/recipes:master
Executing script cache:clear [OK]
Executing script assets:install public [OK]
Executing script security-checker security:check [KO]
[KO]
Script security-checker security:check returned with error code 1
!! Symfony Security Check Report
!! =============================
!!
!! 1 packages have known vulnerabilities.
!!
!! symfony/http-kernel (v5.1.4)
!! ----------------------------
!!
!! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!
!! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
!!
!! Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
!! Execute this command regularly to check the newly discovered vulnerabilities.
!!
Script @auto-scripts was called via post-update-cmd

Installation failed, reverting ./composer.json to its original content.

| Reply |

MolloKhan SFCASTS Tanguy D. 4 years ago edited

Hey Tanguy D.

You did nothing wrong, that's the Security checker telling you that a library has a vulnerability. Please read this other comment for a better explanation https://symfonycasts.com/sc...

Cheers!

1 | Reply |

Tanguy D. MolloKhan 4 years ago

Thank you

| Reply |

Tanguy D. Tanguy D. 4 years ago edited

Using composer update solved the issue but can you try to explain to me what happens exactly ?

| Reply |

Bertin 5 years ago

Is it possible to create an own recipe and also is there an option to use an private flex recipe server.

| Reply |

MolloKhan SFCASTS Bertin 5 years ago edited

Hey Bertin

Yes, you can create your own recipes for your own bundles/projects. And about also is there an option to use an private flex recipe server. I don't fully understand what you mean with "private flex server"

Cheers!

| Reply |

Bertin MolloKhan 5 years ago

With private flex server i mean something like private packagist so its only vissbily for me

| Reply |

MolloKhan SFCASTS Bertin 5 years ago

Yes, you can have your own "private" bundles but I'm not sure if you can add private recipes to Flex. I think you should ask that question directly to them because in theory, recipes works with public packages. Here is the link to the Flex recipes project https://github.com/symfony/...

Cheers!

| Reply |

This tutorial also works great for Symfony 6!

Symfony 5.0

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.3.0 || ^8.0.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "easycorp/easy-log-handler": "^1.0.7", // v1.0.9
        "sensio/framework-extra-bundle": "^6.0", // v6.2.1
        "symfony/asset": "5.0.*", // v5.0.11
        "symfony/console": "5.0.*", // v5.0.11
        "symfony/debug-bundle": "5.0.*", // v5.0.11
        "symfony/dotenv": "5.0.*", // v5.0.11
        "symfony/flex": "^1.3.1", // v1.21.6
        "symfony/framework-bundle": "5.0.*", // v5.0.11
        "symfony/monolog-bundle": "^3.0", // v3.5.0
        "symfony/profiler-pack": "*", // v1.0.5
        "symfony/routing": "5.1.*", // v5.1.11
        "symfony/twig-pack": "^1.0", // v1.0.1
        "symfony/var-dumper": "5.0.*", // v5.0.11
        "symfony/webpack-encore-bundle": "^1.7", // v1.8.0
        "symfony/yaml": "5.0.*" // v5.0.11
    },
    "require-dev": {
        "symfony/profiler-pack": "^1.0" // v1.0.5
    }
}

Previous Challenge

Next Challenge

2 days ago

4 days ago

5 days ago

18 days ago

24 days ago

Flex, Recipes & Aliases

Share this awesome video!

Flex Aliases

Flex Recipes

How Recipes Work

Recipes can Modify Files

40 Comments

Delete comment?

What PHP libraries does this tutorial use?

	{
Show Lines	// ... lines 2 - 3
	"require": {
	"php": "^7.2.5",
	"ext-ctype": "*",
	"ext-iconv": "*",
	"sensio/framework-extra-bundle": "^5.5",
	"sensiolabs/security-checker": "^6.0",
	"symfony/console": "5.0.*",
	"symfony/dotenv": "5.0.*",
	"symfony/flex": "^1.3.1",
	"symfony/framework-bundle": "5.0.*",
	"symfony/yaml": "5.0.*"
	},
Show Lines	// ... lines 16 - 67
	}

	services:
	_defaults:
	autowire: true
	autoconfigure: true

	SensioLabs\Security\SecurityChecker: null

	SensioLabs\Security\Command\SecurityCheckerCommand: null