Recommend to drupal 8 to move /vendor/ outside of the webroot

Created on 14 October 2015, about 9 years ago
Updated 27 January 2023, almost 2 years ago

Drupal 8 has vendor code which can contain security vulnerabilities if it is in a directory that is web accessible. It would be good to try to move it out of the webroot.

Similarly, in Drupal 7 any /vendor or /libraries files (e.g. from composer_manager or libraries.module) should ideally be placed outside the webroot.

Security review should warn if this is not the case.

✨ Feature request
Status

Fixed

Version

2.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States greggles Denver, Colorado, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024