- Status changed to Needs review
about 2 months ago 2:27am 28 May 2025 - New Zealand quietone
I didn't find an infrastructure issue for this.
But can we get some more voices here first, before an issue is made over there.
- United States smustgrave
If I'm understanding correctly if the idea is to not ship dev stuff, since it's not needed. Then not sure there would be objections
- United States xjm
Didn't we already remove them from the tarball following that RCE in PHPUnit in 2016? Either we already removed them, or there is a duplicate issue, or there is a regression with the new packaging. It was a recommendation from the security team at the time. (I can't find the SA; I remember we fixed it silently and only published after we had removed the file from the tarballs etc.)
- United Kingdom catch
We have some vendor cleanup logic to remove test fixtures etc. but probably the only way to find this out is for someone to actually download a dev tarball of core to see.
- United States smustgrave
@catch what should I check is removed? All the fixtures in tests/fixtures appear to be there.
- United States xjm
This is what we said in 2016. So I guess the logic at the time was that stable releases would not include them, but dev tarballs would. Nowadays the logic that had us leave them in dev tarballs no longer applies, so yeah, if there are still dev dependencies at all -- like if PHPUnit is present in the dev tarball at all -- then this issue is still relevant, and correct.
- United States smustgrave
Vendor
Bin
I don't see phpunit in the download
- United States smustgrave
So based on that is this working as designed?
- United States smustgrave
Don't think I have the authority to close but believe it can be.
- United States xjm
...And sending to infra to verify that this is, in fact, a reality already. :D
- New Zealand quietone
The dev dependencies are included in the two dev tarballs
https://ftp.drupal.org/files/projects/drupal-11.x-dev.tar.gz
https://ftp.drupal.org/files/projects/drupal-10.6.x-dev.tar.gz

$ curl -O https://ftp.drupal.org/files/projects/drupal-11.x-dev.tar.gz
$ tar -xf drupal-11.x-dev.tar.gz
$ ls drupal-11.x-dev/vendor
asm89         colinodell    egulias        marc-mabe    mikey179        pear           phpstan    ramsey     sirbrillig  tbachert
autoload.php  composer      google         masterminds  myclabs         phar-io        php-tuf    react      slevomat    theseer
behat         dealerdirect  guzzlehttp     mck89        nikic           phpdocumentor  phpunit    revolt     squizlabs   twig
bin           doctrine      justinrainbow  mglaman      nyholm          php-http       psr        sebastian  staabm      webflo
brick         drupal        lullabot       micheh       open-telemetry  phpspec        ralouphie  seld       symfony     webmozart
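A scripted form of the check above, added here as an example and not part of this thread or of Drupal's packaging tooling: it inspects a tarball offline for Composer dev packages instead of eyeballing vendor/. It assumes Composer 2's vendor/composer/installed.json layout ("dev" flag and "dev-package-names"), falls back to composer.json's require-dev, and uses a constructed stand-in archive rather than a real release.

```python
"""Report Composer dev packages shipped inside a Drupal dev tarball.

Added example, not from the issue thread. Reads Composer 2's
vendor/composer/installed.json ("dev" flag, "dev-package-names"), falls back
to composer.json's require-dev, and lists those packages present under vendor/.
"""
import io
import json
import tarfile

def _read_json(tar, name):
    """Parse a JSON member of the archive, or return None if it is absent."""
    try:
        fh = tar.extractfile(name)
    except KeyError:
        return None
    return json.load(fh) if fh else None

def shipped_dev_packages(tar_bytes):
    """Return sorted 'vendor/name' dev packages that have a vendor/ directory."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getnames()
        root = {m.split("/")[0] for m in members}.pop()  # e.g. drupal-11.x-dev
        installed = _read_json(tar, f"{root}/vendor/composer/installed.json") or {}
        if installed.get("dev") is True:  # Composer recorded a dev install
            dev_names = set(installed.get("dev-package-names", []))
        else:  # no Composer record: fall back to the declared require-dev set
            composer = _read_json(tar, f"{root}/composer.json") or {}
            dev_names = set(composer.get("require-dev", {}))
        vendor_dirs = {"/".join(p[2:4]) for p in (m.split("/") for m in members)
                       if len(p) >= 4 and p[1] == "vendor"}
        return sorted(dev_names & vendor_dirs)

def build_sample_tarball(dev_installed):
    """Constructed stand-in for drupal-11.x-dev.tar.gz; not a real release."""
    installed = {"packages": [], "dev": dev_installed,
                 "dev-package-names": ["phpunit/phpunit", "mikey179/vfsstream"]}
    files = {"drupal-11.x-dev/composer.json": '{"require-dev": {"phpunit/phpunit": "^10"}}',
             "drupal-11.x-dev/vendor/composer/installed.json": json.dumps(installed),
             "drupal-11.x-dev/vendor/symfony/console/Application.php": "<?php\n"}
    if dev_installed:  # only a dev install ships phpunit under vendor/
        files["drupal-11.x-dev/vendor/phpunit/phpunit/src/TestCase.php"] = "<?php\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
```

Run it against a downloaded archive with `shipped_dev_packages(open("drupal-11.x-dev.tar.gz", "rb").read())`; a non-empty list means the tarball carries dev-only packages.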
- United States smustgrave
Thanks @quietone. I apologize, not sure what I did wrong and didn't see those?
- United Kingdom catch
If they're still packaged do we not need an issue to remove them? I assume against packaging.
- United States xjm
Yah I meant for this to be that issue. NR is probably the right status until infra confirms what's going on since we got two results above.
- United States xjm
@hestenet said he will draft an announcement text for this, and then we can decide how to schedule/announce it.