Contrib.social

CSS from libraries could expose versions too

Open on Drupal.org β†’
Created on 16 July 2025, 3 months ago

Problem/Motivation

prevent_version_disclosure_js_alter alters js files. But css files could include the version of the library too.

Steps to reproduce

Proposed resolution

Implement prevent_version_disclosure_css_alter

Remaining tasks

MR

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @penyaskito
  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States swirt Florida

    penyaskito I am trying to find an example of this. Usually css in Drupal gets a hash that is re-generated with each cache clear as a cache buster. Clearing cache changes the query string and makes sure people get the newer version of the CSS if there is one.

    example

    <link rel="stylesheet" media="all" href="/core/themes/claro/css/classy/components/field.css?t0ivnj" />
<link rel="stylesheet" media="all" href="/core/themes/claro/css/classy/components/icons.css?t0ivnj" />
<link rel="stylesheet" media="all" href="/core/themes/claro/css/classy/components/inline-form.css?t0ivnj" />
<link rel="stylesheet" media="all" href="/core/themes/claro/css/classy/components/item-list.css?t0ivnj" />

    Do you have an example of a css library that shows its actual version when it appears?

  • Comment 2 months ago β†’
    πŸ‡ͺπŸ‡ΈSpain penyaskito Seville πŸ’ƒ, Spain πŸ‡ͺπŸ‡Έ, UTC+2 πŸ‡ͺπŸ‡Ί
  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States swirt Florida

    I am not sure fontawesome is anything I can do anything about because it reveals the version in a location that is not managed by Drupal if you load it externally.

    <script src="https://use.fontawesome.com/releases/v6.4.0/js/all.js" defer crossorigin="anonymous"></script>
<script src="https://use.fontawesome.com/releases/v6.4.0/js/v4-shims.js" defer crossorigin="anonymous"></script>

    If you load the file locally the module is meant to look for it in a certain path. If the path includes the version, rather than a query parameter, there is probably not anything this module can do about it. However according to the project's README the path nor file indicate the version

    /libraries/fontawesome directory.The JS file should
    be at /libraries/fontawesome/js/all.js

    Though I also tried installing it locally using the module's drush command but for some reason that failed too

    I have not managed to have it loaded locally so I can not verify that is does or does not contain the version.

    penyaskito if you can provide a screenshot or copy of what output you are seeing for the CSS that indicates the version, that would be very helpful.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024