Make the hardening plugin more configurable

Created on 15 August 2020, almost 5 years ago

Updated 14 July 2025, 25 days ago

Problem/Motivation

The current version of the hardening plugin is too inflexible, performing some removals which may prove problematic for some sites, as mentioned in #3165183: Do not remove vendor/bin/composer → .

In its current version, the plugin only allows adding more cleaning targets, not removing any, which can cause some sites to remove it altogether because its safety value does not counterbalance the convenience loss for them (e.g. vendor/bin/composer removal).

Steps to reproduce

Create a Drupal project
composer require composer/composer
try to run vendor/bin/composer : not found

Proposed resolution

In the current version, adding extra cleaning tasks is specified by adding to the project composer.json, like:

    "extra": {
      "drupal-core-vendor-hardening": {
        "vendor/package": ["test", "documentation"]
      }
    }

This format could be modified, like:

    "extra": {
      "drupal-core-vendor-hardening": {
        "clean": {
          "vendor/package": ["test", "documentation"]
        },
        "skip": [
          "composer/composer": ["bin"]
        ]
      }
    }

Alternatively, it might make for a better DX if the plugin used a list in an external file, without inline defaults in Config.php, and accepted a single configuration item like:

    "extra": {
      "drupal-core-vendor-hardening": "some/path/clean-list.yml"
    }

It could even include both a built-in list of defaults (inline or preferably in a bundled data file), as it currently does, but ignore it if that clause is present and rely exclusively on it. It would be the simplest way for site developers to include exactly what they want, by just copying that default file provided by the module if it was a data file instead of inline code.

Remaining tasks

Discuss

User interface changes

None

API changes

None

Data model changes

possible extra change in composer.json

Release notes snippet

Not yet

✨ Feature request

Status

Active

Version

11.0 🔥

Component

base system

Created by

🇫🇷France fgm Paris, France

Live updates comments and jobs are added and updated live.

composer initiative

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 25 days ago →
🇦🇺Australia pameeela
Comment 24 days ago →
🇺🇸United States phenaproxima Massachusetts
This is a duplicate of ✨ The vendor hardening plugin should support changing the permissions of certain paths Active , which implements a syntax to prevent certain packages from being cleaned.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024