I believe there's a use case for extension- or package- provided extenders that should run as soon as the package is installed, no matter if the package is an extension (enabled or disabled) or just a regular package.
- An extension wants to show additional information on its disabled extension page
- An extension wants to run custom logic before it gets enabled (lifecycle extenders run too late to impact Flarum application boot)
- Provide hidden extensions/extenders on a managed forum service through Composer package that can be updated independently (whereas root
My suggestion is to create something similar to Laravel's package discovery https://laravel.com/docs/9.x/packages#package-discovery , except it would give paths to
extend.php files that Flarum should load.
Using a new
composer.json key is probably the best for performance, as Flarum would otherwise need to scan every package folder for a file with a specific filename. And if we allow regular non-extension packages to use this feature, there could easily be thousands of packages. Reading from
composer.json means a single read operation (already done by the extension manager) + one
require operation for every file found.
I see mostly 2 areas of concern:
Stability: auto-loading extenders means that if an extender is breaking your forum, you can't just disable the extension, you have to uninstall it entirely. But since this is quite rare and that we have strengthened Flarum's boot against fatal errors, I don't think it's a bigger deal to uninstall a package versus going into the database to manually disable an extension in the JSON array.
Security: if any package can auto-load code, this increases the number of entry points for malicious code. I don't think it's a big deal though because packages already have lots of way to compromise a server (through their own library code when called, through Composer hooks, ... EDIT: and Composer autoload files / src map of course!)
If we believe this is too risky for general extensions, we could maybe have this behind a
config.php setting, that would allow customized Flarum installs/hostings to enable this feature with their private Composer-compatible packages?