How to deal with drupal's additional security recommendation related to composer install --no-dev on production

Created on 16 April 2024, 8 months ago
Updated 29 April 2024, 8 months ago

Problem/Motivation

hi
please how to deal with Drupal's additional security recommendation related to composer install --no-dev on production that is mentioned here ?

When i try t do that on production i just noticed that the local installed drush/drush and drupal/core-dev are removed. Probably because they are required as dev.

Steps to reproduce

on production run composer install --no-dev

Thanks

💬 Support request
Status

Active

Version

9.1

Component

Composer or Makefile

Created by

🇧🇯Benin delacosta456

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @delacosta456
  • 🇯🇴Jordan Rajab Natshah Jordan

    Thanks, for asking

    Baisc rule, No run for composer on production. ( Better logic and better secured workflow )
    You man do that at your local, the deve, or the staging/testing host.
    But not directily on the production site.
    - The composer build may faile at anypoint, and you will end up with the production site as down
    - It may take 1 to 10 minues on the build, update, and changing.

    For sure:

    • Do not run composer install or composer update on production hosting ( do that at your local development only ) and deploy your code.
    • If you need drush at production, you can move it from require-dev to require ( do that at your local development ) and deploy to production.
    • No need for drupal/core-dev on production

    Have a look at the following logic ( Good to learn the workflow from that )
    Recommended to use Lando at your local and Platform.sh for development and staging
    Installing Varbase with Lando
    Deploy Varbase on Platform.sh
    Varbase in Platformsh - Select The Varbase Template as The Project Type

    Design your development workflow to manage environments

    • dev
    • test
    • staging
    • prod

    Each one has its logic

  • 🇧🇯Benin delacosta456

    hi
    thanks for replying
    i am alrady using the configuration you describe.

    - on local i did everything with Lando (composer install, export config etc)
    - and when everything is ok i pushed to Gitlab with a configured CI/CD that deploy per branch after some test tasks and merges requests on each of them (BchDev=>to Dev, Bchstg=>to Stg and BchMain=>to Prod)

    However i haven't see any clear simple and easy way to deploy to PROD than the composer method with gitlab by first taking the site to maintenance mode.

    Did have any suggestion ? is it what could be in Deploy Varbase on Platform.sh ? if yes please check the link because it's not clickable .

    i have already noticed

    The composer build may faile at anypoint, and you will end up with the production site as down

    which is why i requested for a support

    Thanks

  • 🇯🇴Jordan Rajab Natshah Jordan

    Deploy Varbase on Platform.sh

    At production you can use FTP or Git, or other methods.
    Using git pull for a tagged version on the produciton is the better logic
    remove any bash or composer update on production.
    Before creating the MYSITE-1.0.3 tag for exmaple do the build you need for the production site.

  • 🇯🇴Jordan Rajab Natshah Jordan

    I suggest that we propose to change the Drupal documentation in
    What's more? # Additional security

    from

    On the production site always use composer install --no-dev, so that unnecessary

    to

    Before deploying to the production site always use composer install --no-dev, so that unnecessary

  • 🇧🇯Benin delacosta456

    hi
    thanks for replying
    i agreed with your suggestion.
    By the way i that will be if people follow a workflow that exclude using composer on prod environment which (for most blog's i had read) is not usually the case as you can also see in that documentation.

    So in addition to your suggestion does it make sense to suggest :

    Before deploying to the production site always use <strong>in your test or preprod environment</strong> composer install --no-dev, so that unnecessary

    Thanks

Production build 0.71.5 2024