Contrib.social

Warn site admins when composer dev dependencies are installed inside of docroot

Open on Drupal.org โ†’
Created on 27 November 2016, over 8 years ago
Updated 30 January 2023, over 2 years ago

Follow-up to #2745355: Use "composer install --no-dev" to create tagged core packages โ†’

Problem/Motivation

Drupal.org no longer packages composer dev dependencies (--no-dev) in the tarball release, because dev dependencies are not intended to be present on production sites. If a production site contains dev dependencies, that is probably unintentional and could be bad.

In fact, Drupal core 8.2.7 is a security release which was necessary because dev dependencies were present in the production site: https://www.drupal.org/project/drupal/releases/8.2.7 โ†’

We should warn site admins if dev dependencies are installed.

Proposed resolution

Some upstream help: https://github.com/composer/composer/issues/3008

Add composer.project_root and composer.dev_dependency_finder services.

composer.project_root will be the DRUPAL_ROOT of the installed Drupal's composer package. It will allow introversion of the root composer.json package file.

composer.dev_dependency_finder will reconcile the dev dependencies against installed packages to allow us to determine whether those dependencies are installed.

These services can be used by system_requirements() to display status information about dev dependencies to the admin user.

Remaining tasks

User interface changes

API changes

Data model changes

๐Ÿ“Œ Task
Status

Needs work

Version

10.1 โœจ

Component
Baseย  โ†’

Last updated about 23 hours ago

Created by

cilefen

Live updates comments and jobs are added and updated live.
  • Needs framework manager review

    It is used to alert the framework manager core committer(s) that an issue significantly impacts (or has the potential to impact) multiple subsystems or represents a significant change or addition in architecture or public APIs, and their signoff is needed (see the governance policy draft for more information). If an issue significantly impacts only one subsystem, use Needs subsystem maintainer review instead, and make sure the issue component is set to the correct subsystem.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupalโ€™s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the โ€œReport a security vulnerabilityโ€ link in the project pageโ€™s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 2 years ago โ†’
    needs-review-queue-bot

    The Needs Review Queue Bot โ†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide โ†’ to find step-by-step guides for working with issues.

  • First commit to issue fork.
  • Merge request !12729Add patch from comment 59 โ†’ (Open) created by prudloff
  • Pipeline finished with Failed
    12 days ago
    Total: 260s
    #548378
  • Pipeline finished with Canceled
    12 days ago
    Total: 73s
    #548388
  • Pipeline finished with Failed
    12 days ago
    Total: 147s
    #548390
  • Pipeline finished with Failed
    12 days ago
    Total: 449s
    #548398
  • Pipeline finished with Success
    12 days ago
    Total: 456s
    #548412
  • Comment 12 days ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance prudloff Lille

    I think this is still relevant.
    I opened a MR based on the latest patch.

  • Comment 12 days ago โ†’
    ๐Ÿ‡ซ๐Ÿ‡ทFrance prudloff Lille
  • Comment 11 days ago โ†’
    ๐Ÿ‡ง๐Ÿ‡ชBelgium borisson_ Mechelen, ๐Ÿ‡ง๐Ÿ‡ช

    Composer 2 is now a required part of installing drupal. So I think we can use that information in installed.json instead of doing all the logic in this patch?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024