**实现示例**
```ts
/**
 * Minimal shape of a Composer package entry as consumed by the checks below.
 * Only the fields the validators read are modelled. `dist.shasum` is optional
 * here because Composer itself does not require a checksum on dist archives;
 * its absence is therefore not treated as an error (see evaluate()).
 */
type ComposerPkg = {
  name: string
  version: string
  dist?: {
    url: string
    shasum?: string
  }
  source?: {
    url: string
  }
  require?: {
    php?: string
  }
}

/**
 * Hosts from which dist/source URLs may be fetched. Matched exactly against
 * URL.host by validUrl(), so subdomains (e.g. raw.githubusercontent.com) and
 * non-default ports are rejected unless listed here.
 */
const allowHosts = new Set<string>([
  'packagist.org',
  'repo.packagist.org',
  'github.com',
])
/**
 * Returns true when `h` is exactly 40 hexadecimal characters — the length of a
 * SHA-1 digest, which is what Composer publishes as `dist.shasum`.
 * Undefined and the empty string are rejected.
 */
function hex40(h?: string): boolean {
  if (h === undefined || h === '') return false
  const sha1Hex = /^[0-9A-Fa-f]{40}$/
  return sha1Hex.test(h)
}
/**
 * Returns true only for an absolute https URL whose host is in `allowHosts`.
 * Anything the URL parser rejects (relative paths, garbage) is treated as
 * invalid rather than thrown. Note that URL.host carries a non-default port,
 * so `https://github.com:8443/...` does not match the bare `github.com` entry.
 */
function validUrl(u?: string): boolean {
  if (u === undefined || u === '') return false
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    return false
  }
  if (parsed.protocol !== 'https:') return false
  return allowHosts.has(parsed.host)
}
/**
 * Accepts only the narrow constraint grammar this example supports: a full
 * `major.minor.patch`, optionally prefixed with `^` or `~`. Wider Composer
 * syntax (`>=7.4`, `8.1.*`, `||` ranges) is deliberately rejected.
 */
function semverReqValid(r?: string): boolean {
  if (!r) return false
  const exactTripleWithOptionalOp = /^(?:\^|~)?\d+\.\d+\.\d+$/
  return exactTripleWithOptionalOp.test(r)
}
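/** `[major, minor, patch]` version tuple used by the PHP constraint check. */
type VerTriple = [number, number, number]

/**
 * Parses a runtime version string such as `"8"`, `"8.1"` or `"8.1.2"` (a
 * trailing suffix like `"8.1.2-dev"` is ignored) into a VerTriple; missing
 * minor/patch parts default to 0. Returns undefined when the string does not
 * begin with a numeric version.
 */
function parseVerTriple(v: string): VerTriple | undefined {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim())
  if (!m) return undefined
  const minor = m[2] === undefined ? 0 : Number(m[2])
  const patch = m[3] === undefined ? 0 : Number(m[3])
  return [Number(m[1]), minor, patch]
}

/** Compares two triples component-wise: negative, zero or positive. */
function cmpVer(a: VerTriple, b: VerTriple): number {
  if (a[0] !== b[0]) return a[0] - b[0]
  if (a[1] !== b[1]) return a[1] - b[1]
  return a[2] - b[2]
}

/**
 * Returns true when runtime version `env` satisfies `req`, where `req` has
 * already passed semverReqValid() (`x.y.z`, `^x.y.z` or `~x.y.z`), following
 * Composer's semantics:
 *   - `x.y.z`  exact match
 *   - `~x.y.z` >= x.y.z and < x.(y+1).0
 *   - `^x.y.z` >= x.y.z and below the bump of the first non-zero component
 *              (^1.2.3 → <2.0.0, ^0.2.3 → <0.3.0, ^0.0.3 → <0.0.4)
 * An unparseable `env` or `req` yields false, so an unknown runtime never
 * satisfies a constraint.
 */
function phpSatisfies(env: string, req: string): boolean {
  const have = parseVerTriple(env)
  const m = /^(\^|~)?(\d+)\.(\d+)\.(\d+)$/.exec(req)
  if (!have || !m) return false
  const low: VerTriple = [Number(m[2]), Number(m[3]), Number(m[4])]
  if (cmpVer(have, low) < 0) return false
  const op = m[1]
  if (!op) return cmpVer(have, low) === 0
  let high: VerTriple
  if (op === '~') {
    high = [low[0], low[1] + 1, 0]
  } else if (low[0] !== 0) {
    high = [low[0] + 1, 0, 0]
  } else if (low[1] !== 0) {
    high = [0, low[1] + 1, 0]
  } else {
    high = [0, 0, low[2] + 1]
  }
  return cmpVer(have, high) < 0
}

/**
 * Validates a list of Composer packages against the source/integrity policy
 * and the runtime PHP version.
 *
 * @param list   Package entries (typically from a lock file) to check.
 * @param envPhp PHP version of the target runtime (e.g. `"8.1.2"`); every
 *               `require.php` constraint is evaluated against it.
 * @returns `ok` is true only when no error was recorded. `errors` holds one
 *   `tag:name` string per failed check, in input order:
 *   - `id:`      name or version missing
 *   - `dist:`    dist URL not https/allow-listed, or a present shasum that is
 *                not 40 hex chars (a dist with *no* shasum is accepted — callers
 *                that require integrity hashes must enforce that separately)
 *   - `source:`  source URL not https/allow-listed
 *   - `php:`     `require.php` uses a constraint form this checker cannot parse
 *   - `php-env:` `require.php` parses but `envPhp` does not satisfy it
 */
function evaluate(list: ComposerPkg[], envPhp: string): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  for (const p of list) {
    if (!p.name || !p.version) errors.push(`id:${p.name}`)
    if (p.dist) {
      // shasum is optional in Composer metadata; only a malformed one is an error.
      const shasumOk = p.dist.shasum === undefined || hex40(p.dist.shasum)
      if (!validUrl(p.dist.url) || !shasumOk) errors.push(`dist:${p.name}`)
    }
    if (p.source && !validUrl(p.source.url)) errors.push(`source:${p.name}`)
    if (p.require?.php) {
      if (!semverReqValid(p.require.php)) {
        errors.push(`php:${p.name}`)
      } else if (!phpSatisfies(envPhp, p.require.php)) {
        // Previously envPhp was never consulted; a syntactically valid constraint
        // the runtime does not meet now fails instead of passing silently.
        errors.push(`php-env:${p.name}`)
      }
    }
  }
  return { ok: errors.length === 0, errors }
}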
```
**审计与运行治理**
- 审计来源域与哈希及 PHP 约束;不合规阻断并回退到可信来源。
- 变更需审批与记录,支持快速回溯。