Warn site admins when composer dev dependencies are installed inside of docroot

Created on 27 November 2016
Updated 30 January 2023

Follow-up to #2745355: Use "composer install --no-dev" to create tagged core packages

Problem/Motivation

Drupal.org no longer packages Composer dev dependencies in the tarball release (it builds with --no-dev), because dev dependencies are not intended to be present on production sites. If a production site contains dev dependencies, that is probably unintentional and it widens the attack surface: those packages are never meant to be exposed on a web server.

In fact, Drupal core 8.2.7 was a security release made necessary because dev dependencies were present on production sites (a remote code execution vulnerability in a third-party development library shipped among Drupal 8's dev dependencies): https://www.drupal.org/project/drupal/releases/8.2.7

We should warn site admins if dev dependencies are installed.

Proposed resolution

Some upstream help: https://github.com/composer/composer/issues/3008

Add composer.project_root and composer.dev_dependency_finder services.

composer.project_root will locate the root of the Composer project that installed Drupal (the directory holding the root composer.json, which may be DRUPAL_ROOT itself or a directory above it). It will allow introspection of the root composer.json package file.

composer.dev_dependency_finder will reconcile the root package's require-dev list against the installed packages so we can determine whether any of those dependencies are installed.

These services can be used by system_requirements() to display status information about dev dependencies to the admin user.
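To show what the two services would have to do, here is an added, stand-alone example (not Drupal core code and not the services proposed above): it walks upward from the web root to the Composer project root, reconciles require-dev from the root composer.json against vendor/composer/installed.json, and reports whether vendor/ sits inside the web root, which is the case this issue's title is about. The function names and the DRUPAL_ROOT fallback to getcwd() are assumptions made for the example; the file layout used is Composer's standard one.

```php
<?php
// Added example, not Drupal core code: report which Composer dev dependencies
// are installed and whether vendor/ is inside the web root. Function names
// here are illustrative and do not correspond to core services.

/**
 * Walk upward from the web root to the first directory that has both a
 * composer.json and a vendor/ directory (the Composer project root).
 */
function find_project_root(string $webroot): ?string {
  $dir = realpath($webroot);
  while ($dir !== FALSE && $dir !== '') {
    if (is_file("$dir/composer.json") && is_dir("$dir/vendor")) {
      return $dir;
    }
    $parent = dirname($dir);
    if ($parent === $dir) {
      // Reached the filesystem root without finding a project.
      return NULL;
    }
    $dir = $parent;
  }
  return NULL;
}

/**
 * Names of packages listed under require-dev in the root composer.json
 * that are present in Composer's installed package set.
 */
function installed_dev_dependencies(string $project_root): array {
  $root = json_decode(file_get_contents("$project_root/composer.json"), TRUE);
  $dev = array_keys($root['require-dev'] ?? []);
  $file = "$project_root/vendor/composer/installed.json";
  if (!$dev || !is_file($file)) {
    return [];
  }
  $installed = json_decode(file_get_contents($file), TRUE);
  // Composer 2 wraps the list in a "packages" key; Composer 1 wrote a flat array.
  $packages = $installed['packages'] ?? $installed;
  $names = array_column($packages, 'name');
  return array_values(array_intersect($dev, $names));
}

/**
 * TRUE if vendor/ resolves to a path inside the web root, i.e. its files are
 * reachable over HTTP unless the web server configuration blocks them.
 */
function vendor_inside_docroot(string $project_root, string $webroot): bool {
  $vendor = realpath("$project_root/vendor");
  $web = realpath($webroot);
  // Compare with a trailing separator so /var/www does not match /var/www2.
  return $vendor !== FALSE && $web !== FALSE
    && strpos($vendor . DIRECTORY_SEPARATOR, $web . DIRECTORY_SEPARATOR) === 0;
}

// Usage: run from the web root, or inside a bootstrapped Drupal where
// DRUPAL_ROOT is defined (the getcwd() fallback is an assumption for this script).
$webroot = defined('DRUPAL_ROOT') ? DRUPAL_ROOT : getcwd();
$project_root = find_project_root($webroot);
if ($project_root === NULL) {
  echo "No Composer project root found at or above $webroot\n";
  exit(1);
}
$found = installed_dev_dependencies($project_root);
if ($found) {
  echo "Dev dependencies installed: " . implode(', ', $found) . "\n";
  if (vendor_inside_docroot($project_root, $webroot)) {
    echo "vendor/ is inside the web root; dev packages may be reachable over HTTP\n";
  }
}
else {
  echo "No dev dependencies installed\n";
}
```

installed.json reflects the last Composer run, so after `composer install --no-dev` the dev packages disappear from both vendor/ and the list and the report goes clean. On Composer 2 the same answer is available directly from the "dev" flag and "dev-package-names" array that installed.json now carries, but the reconciliation above also works on Composer 1 output, which is what this issue was filed against.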

Remaining tasks

User interface changes

API changes

Data model changes

Task
Status: Needs work
Version: 10.1
Component: Base
Tags: Needs framework manager review, Security


Comments & Activities

Not all content is available: this issue likely predates Contrib.social, so some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
