While working toward #2982680: Add composer-ready project templates to Drupal core → , we discovered that the Vendor Hardening Plugin sometimes fails to work, throwing an error:
Fatal error: Uncaught Error: Class 'Drupal\Component\FileSecurity\FileSecurity' not found in phar:///Users/ganderson/bin/composer/src/Composer/Plugin/PluginManager.php(196) : eval()'d code:245
The problem is that Composer plugins do not include the autoload.php file; instead, they dynamically create their autoload information on the fly at runtime. This allows plugin hooks to work before the autoloader is dumped. The limitation here, though, is that the plugin manager does not allow plugins to hook the dynamic autoload generation, because this would be circular. The upshot is that a plugin can only autoload classes that are located in their default location inside vendor, because the Composer Installers plugin is not given a chance to fix up any paths. Because of this, the Vendor Hardening plugin cannot find the Core File Security component, because the later is relocated to the /core directory.
Steps to reproduce:
composer dumpautoloadIn #3077455: Move Drupal Components out of 'core' directory → , we considered fixing this by relocating the Core File Security component back to the vendor directory; however, that solution seemed too invasive to do at this time, so we are exploring potential workarounds instead.
There are two options:
None.
None.
None.
None.
To work around a Composer class loader limitation, the Vendor Hardening plugin now has its own copy of the file security class from drupal/core.
Fixed
8.8 ⚰️
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.