"Child-Theme" in this context means any theme that was created from a Starterkit Theme.
Problem/Motivation
A Starterkit Theme might contain a security issue, that has been fixed in the current version. If the Child-Theme was created prior to the fix, the Child-Theme might still contain the security issue. But because the Starterkit Theme may have already been updated or removed from the codebase entirely, Drupal will no longer inform about the issue in /admin/reports/status.
Steps to reproduce
I didn't find any Themes with security issues, so I can't reproduce it for now.
Proposed resolution
Drupal should warn about potential security risks in Sub-Themes. It can do this by looking up the generator
Value in the .info.yml file of the Child-Themes, and inheriting any Security advisories for the specified Starterkit-Theme. The generator
though currently does not contain the drupal.org project name, only the name of the theme extension. While these are in most case the same they are not guaranteed to be the same. They can completely different . In fact there is no guarantee that the machine name of the theme extension is not the same as a different project name on drupal.org. For this reason the generator
key will either to be updated to also contain the project name or the project name will need to be saved elsewhere so it can be used to fetch the Update XML from drupal.org.
This functionality will likely need to be added to the Update module as it has the functionality to fetch the Update XML which has the information about security releases. Currently the Update module does not fetch Update XML any projects that are not in the current codebase
Additionally, there should be a way for maintainers of the Child-Theme to mark a Security advisories as resolved, without having to update the generator
Value. (For Example, if the affected Twig-Template has been deleted from the Child-Theme). This could happen in the .info.yml file, by listing ignored Security Advisories under a ignored_security_advisories
-Key.
Remaining tasks
Update current documentation
The current documentation for Starter Kit does mention that fact that security advisories for the source theme may affect starter kit themes. It might be to update that.
The documentation does have a Tracking upstream changes section but it does not give any indication on how you might do this.
Actually implementing this feature is very large task so it probably makes sense to at least update the docs.
There are a couple options for keeping track of security updates:
- Leave the source theme in the codebase and enable the update module. You don't have to have the theme installed but you would have to set the Update module to check for updates in uninstalled extensions
- Leave the source theme in the codebase but do not enable the update module. This will still alert you to security advisories via
composer audit
as long as the theme was installed via Composer. It would even be possible to set installer-paths
in the composer.json have this theme be kept in location where Drupal itself would not find it to avoid it accidentally being enabled.
Unsupported status
Determine how to handle the supported status of the projects and branches
For instance:
- Monday: a theme may be generated using the 1.0.0 version of ThemeA
- ThemeA is removed from the codebase at this time
- Tuesday: The Theme project is marked as unsupported or the 1.0.x branch of the theme is marked as unsupported
In this case the theme will not receive and any security release but that does not mean there are not security issues.
Does this matter to the site that has theme generator from themeA 1.0.0? If we add functionality to show security releases for a theme that is not currently installed because it might affect a generated theme will the site owner understand project also might be marked as unsupported and therefore not get security releases?
Supported branches
If a theme was generator from 1.0.0 and 1.x is marked as unsupported it will not receive security releases. Should we keep showing security release information for 2.x, 3.x and beyond?
- Find a Theme with an outdated Security advisories and add "Steps to Reproduce"
- Refine remaining tasks
User interface changes
API changes
- The THEME.info.yml file conatins a new key
ignored_security_advisories: string[]|Null
containing a List of ignored Security Advisories.
Data model changes
Release notes snippet