- Issue created by @phenaproxima
- πΊπΈUnited States phenaproxima Massachusetts
Reviewable, but not ready quite yet since tests are needed.
- πΊπΈUnited States phenaproxima Massachusetts
I can't easily write a test for this, because although composer/composer is a dev dependency of core, vendor/bin/composer doesn't exist because it's cleaned up by the vendor hardening plugin, which has no way to prevent a package from being cleaned up. This also means that end users can't take advantage of this improvement if they have the vendor hardening plugin at all.
Not sure how to proceed. Should I change our build tests to confirm that this works? Should we file a blocking issue to allow the vendor hardening plugin to skip certain packages if configured to do so?
- πΊπΈUnited States phenaproxima Massachusetts
An update here -- if we can get β¨ Add a directory to the PATH Active in, this becomes much more viable, and would immediately improve things for Drupal CMS users -- if Composer installed and
vendor/composer/composer/bin/composerexists, Package Manager would point to that.The vendor hardening plugin would still be an obstacle for some sites -- although Drupal CMS does not currently use it -- but my idea there is to change it to not delete Composer's binaries outright, but rather just
chmodthem to 655 so that they cannot be executed directly. Then Composer simply becomes another PHP script run by the PHP interpreter, rather than something that can be invoked as its own process. All that would need to happen in a separate issue, though.Postponing on the related issue.
- πΊπΈUnited States phenaproxima Massachusetts
Figured out how to write a unit test (a rare case where reflection is the way to go). This is reviewable!
- πΊπΈUnited States tim.plunkett Philadelphia
Reviewed this with @phenaproxima and everything makes sense. Test coverage looks good.
- πΊπΈUnited States phenaproxima Massachusetts
Easy enough. Since this was such a simple change with no logic implications, tentatively restoring Tim's prior RTBC.
- π¬π§United Kingdom catch
Noticed one more thing - the static variable was unnecessary, @phenaproxima moved it to a normal property. We could maybe have done a separate method for testing instead but it's 50/50 so not worth further changes.
Committed/pushed to 11.x and cherry-picked to 11.2.x, thanks!
Automatically closed - issue fixed for 2 weeks with no activity.
- Status changed to Needs review
17 days ago 8:53pm 6 August 2025 - π¬π§United Kingdom catch
As with β¨ Dynamically figure out the actual path to Composer's binary, and make it read-only Active I think we need to think about this a bit more so I'm reverting this for now, we can commit again depending on the discussion.