- Issue created by @pameeela
- 🇺🇸 United States phenaproxima Massachusetts
Include Composer in the cpanel package?
From a technical perspective, this wouldn't be hard to do. But it would put the executable composer binary into a publicly-accessible directory (http://example.com/vendor/bin/composer), which could be a, ahem, security concern (read: potentially monumental catastrophe). Definitely worth discussing the pros and cons here.
- 🇺🇸 United States phenaproxima Massachusetts
Here's a way we could include Composer in the cPanel package as a runtime dependency without risking exposing executables to the Big, Bad Internet:
- First, core would need to be changed so that Package Manager always runs Composer through the PHP interpreter, rather than as an executable of its own. There's already an issue for this (somewhere); and it works. The Drupal CMS launcher runs Composer this way. That's the blocker.
- Then we could include Composer as a runtime dependency, with drupal/core-vendor-hardening taking care of cleaning the executable out of vendor/bin. But Package Manager would not be trying to run it, so that'd pretty much take care of it. The only other thing to do would be for site builders to set Composer's path to the locally installed copy, which is already doable (although not in the UI, but there's an issue for that as well).
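Two checks that follow from the approach above, as an added example (not code from the issue thread or from Drupal): one lists executable files left under vendor/bin of a project root, which is what hardening should remove when vendor/ sits inside the web root; the other builds the Composer invocation that goes through the PHP interpreter instead of relying on an executable bit. The script path vendor/composer/composer/bin/composer is an assumption about where Composer lands when installed as a runtime dependency.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumes a Composer-managed
# project root with vendor/ directly beneath it.

# Print every executable regular file under <root>/vendor/bin.
# Empty output means nothing executable is exposed there.
find_exposed_executables() {
    root="$1"
    [ -d "$root/vendor/bin" ] || return 0
    find "$root/vendor/bin" -type f -perm -u+x 2>/dev/null
}

# Build "php <composer script> <args...>" so Composer runs as a PHP script
# rather than as a standalone executable. The script location is assumed.
composer_via_php() {
    root="$1"; shift
    script="$root/vendor/composer/composer/bin/composer"
    if [ ! -f "$script" ]; then
        echo "no composer script at $script" >&2
        return 1
    fi
    cmd="php $script"
    for arg in "$@"; do
        cmd="$cmd $arg"
    done
    printf '%s\n' "$cmd"
}
```

Run find_exposed_executables against the project root after install to confirm the vendor/bin proxy is gone, and use the string from composer_via_php as the command Package Manager (or a site builder) would execute.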
- 🇺🇸 United States phenaproxima Massachusetts
The change proposed in ✨ Add a directory to the PATH Active would allow us to implement #5. It's a worthwhile change in any case, though.
- 🇳🇬 Nigeria chike Nigeria
I have seen this issue after I upgraded to Drupal 11 recently and tried to use automatic updates. I saw this issue and I tried in 3 other shared host companies my clients use outside Hosting.com which I think was where I first saw the issue. I tried on sites using Greengeeks, Namecheap and a local host company here called Go54; all of them have Composer version 2.6.5. I abandoned trying au until I have time to either see if they will upgrade the global Composer version or I download a local copy.