Dynamically figure out the actual path to Composer's binary, and make it read-only

Created on 23 July 2025, 11 days ago

Problem/Motivation

In Package Manager, we have a \Drupal\package_manager\ExecutableFinder class that knows how to look for a copy of Composer that is installed locally in the project.

The problem is that it hard-codes the assumption that the binary is found at <COMPOSER PATH>/bin/composer. If Composer changes that, it'll break badly.

Another problem is that the binary is directly executable by default, which is both bad from a security standpoint and unnecessary, since we always execute Composer by passing it to the PHP interpreter.

Proposed resolution

Rather than hard-code the path, read Composer's composer.json file, in particular its bin key, to find the composer binary. We should statically cache the result of this scan, since it'd be a tad expensive to compute.

Then, just to be safe, chmod that binary to remove execute permission.

✨ Feature request
Status

Active

Version

11.0 🔥

Component

package_manager.module

Created by

🇺🇸 United States phenaproxima Massachusetts
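
The proposed resolution above, sketched as an added example (not code from this issue or from Package Manager): it reads the bin key of Composer's composer.json, caches the result statically, and clears the execute bits on the script it finds. The function names, the choice of the bin entry named "composer", and the temporary sample package are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not Package Manager's ExecutableFinder.
function locate_composer_script(string $package_dir): string {
  static $cache = [];  // Static cache: one scan per package directory.
  if (isset($cache[$package_dir])) {
    return $cache[$package_dir];
  }
  $root = realpath($package_dir);
  $json = $root === false ? false : @file_get_contents($root . '/composer.json');
  if ($json === false) {
    throw new RuntimeException("Cannot read composer.json in $package_dir");
  }
  $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
  // "bin" is normally a list of relative paths; tolerate a single string.
  foreach ((array) ($data['bin'] ?? []) as $entry) {
    $path = is_string($entry) ? realpath($root . '/' . $entry) : false;
    // Assumption: the wanted entry is the one named "composer". Ignore
    // anything that resolves outside the package directory.
    if ($path !== false && is_file($path) && basename($path) === 'composer'
      && str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
      return $cache[$package_dir] = $path;
    }
  }
  throw new RuntimeException("No usable 'bin' entry in $package_dir/composer.json");
}

// Clears the execute bits only; the script stays readable for `php <path>`.
function remove_execute_permission(string $path): int {
  $mode = fileperms($path) & 0777 & ~0111;
  if (!chmod($path, $mode)) {
    throw new RuntimeException("chmod failed for $path");
  }
  clearstatcache(true, $path);
  return fileperms($path) & 0777;
}

// Constructed sample package standing in for Composer's package directory.
$dir = sys_get_temp_dir() . '/composer-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/bin', 0755, true);
file_put_contents($dir . '/composer.json', json_encode(['bin' => ['bin/composer']]));
file_put_contents($dir . '/bin/composer', "#!/usr/bin/env php\n<?php echo 'ok';\n");
chmod($dir . '/bin/composer', 0755);

$script = locate_composer_script($dir);
printf("%s %04o\n", $script, remove_execute_permission($script));
```

On Windows, chmod() has no meaningful effect on execute bits, so the permission step only applies on POSIX filesystems.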
