Remove the ability to configure the path to Composer

Created on 7 August 2025, about 2 months ago

Problem/Motivation

The security team has determined that letting Package Manager's path to Composer be configurable is not a good idea. In the worst-case scenario, it is a potential RCE vector.

Proposed resolution

Completely remove the package_manager.settings:executables config structure, with an update path.
Refactor our ExecutableFinder to look for Composer in exactly one place: locally installed in the project. If it's not installed in the project, fall back to PATH detection.

The expectation here is that, if you want to use Package Manager, you need either:

Composer to be globally available in the PATH, in a supported version.
Composer to be installed as a runtime dependency of the project (composer require composer/composer), which you are expected to do at the command-line. Drupal CMS users won't have a problem with this, since Drupal CMS can add Composer to its runtime dependencies anyway. Plain core users are generally more technical and can be reasonably expected to run a simple command to get Composer into their runtime (or dev) dependencies.

For rsync, we should continue to allow that to be overridden, only by a setting. We have received far fewer complaints (if any) about rsync being undetectable in PATH, so although it is prudent for this to be changeable by the site owner/developer, we don't need to make it easy.

Data model changes

A pair of configuration options will be removed.

Release notes snippet

TBD but we'll certainly need one, because this is a breaking change in an experimental module. People who were relying on a configured path to Composer will have to add Composer to their project. (And anyone who had configured an alternate path to rsync will need to migrate that to a setting.)

๐Ÿ“Œ Task
Status

Active

Version

11.0 ๐Ÿ”ฅ

Component

package_manager.module

Created by

๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @phenaproxima
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts
  • Merge request !12932Resolve #3540215 "Remove the ability" โ†’ (Closed) created by phenaproxima
  • Pipeline finished with Failed
    about 2 months ago
    Total: 577s
    #567231
  • Pipeline finished with Success
    about 2 months ago
    Total: 805s
    #567269
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Two questions about this.

    1. The MR currently completely removes the configuration for composer, as an experimental module that's fine as far as core's concerned.

    However package_manager is already used in production by Drupal CMS sites (or other sites using project browser/automatic updates) and those sites may be relying on having configured the composer path. Also depending on the host and who installed the site, running composer require composer/composer from the command line may not be an easy option.

    So I'm wondering if this needs a two step process.

    1. Keep the configured path as a final fallback if local and PATH composer can't be found. When this is the case, we could have a hook_requirements() warning telling people they need to fix the problem, but it wouldn't immediately break.

    2. Later on (maybe for 12.0.0) remove the configuration entirely as the MR currently does.

    2. It might be possible for automatic updates or project browser to add an update that detects whether composer is found locally or in PATH, and if it's not, runs composer require composer/composer via package manager to install a local composer. Once the local composer is installed, the site would then no longer be using the configuration any more and it would be safe to remove. If automatic updates/project browser introduces that update path before Drupal 12 support is added, it would then more or less guarantee that sites continue to work once the configuration is removed.

    The above isn't necessary for core, but I think it probably needs discussion with the Drupal CMS team whether that's something that's worth attempting.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts

    I was thinking along similar lines. It probably makes sense to remove the executables structure from config schema, so that it can stay in existing sites but is no longer considered "valid" config.

    Meanwhile, the executable finder can use it as a final fallback, and trigger a deprecation warning. We can also do a separate requirements error (or warning, I guess) that having a configured path to Composer is deprecated and will not be supported in Drupal 12.

  • Pipeline finished with Failed
    about 2 months ago
    Total: 157s
    #567358
  • Pipeline finished with Failed
    about 2 months ago
    Total: 111s
    #567373
  • Pipeline finished with Canceled
    about 2 months ago
    Total: 398s
    #567384
  • Pipeline finished with Success
    about 2 months ago
    Total: 470s
    #567394
  • Pipeline finished with Success
    about 2 months ago
    Total: 695s
    #567402
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States benjifisher Boston area
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Crediting @benjifisher for slack discussion related to this.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Reading summary and MR, I wonder if a setting fallback (instead of having to install it via composer or adjust the PATH) for finding composer would also make sense. Seems easier to migrate from the config to a setting than the other choices. I donโ€™t see how itโ€™s worse from a security standpoint. We already have to trust settings isnโ€™t writable by malicious actors.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts

    I agree with @dww and have added the settings-based fallback.

  • Pipeline finished with Canceled
    about 2 months ago
    Total: 376s
    #568792
  • Pipeline finished with Failed
    about 2 months ago
    Total: 308s
    #568794
  • Pipeline finished with Success
    about 2 months ago
    #568795
  • The Needs Review Queue Bot โ†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide โ†’ to find step-by-step guides for working with issues.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts
  • Pipeline finished with Success
    about 1 month ago
    Total: 524s
    #584185
  • ๐Ÿ‡ฆ๐Ÿ‡บAustralia pameeela
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States mglaman WI, USA

    Read it over. Looks good to me! I like that we're getting the Composer binary path from within it's vendor directory versus vendor/bin/composer.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts
  • ๐Ÿ‡บ๐Ÿ‡ธUnited States dww

    Sorry, only on my phone. Hard to closely review. But found a few concerns to start.

  • ๐Ÿ‡ธ๐Ÿ‡ฐSlovakia poker10

    I have added one minor comment about the "read-only" vs "non-executable" wording.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts

    Fixed both suggestions, which are minor enough that I think we can go directly back to RTBC here.

  • Pipeline finished with Canceled
    24 days ago
    Total: 234s
    #591891
  • Pipeline finished with Success
    24 days ago
    Total: 641s
    #591894
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    This removes the rsync and composer config from the schema without removing the config keys themselves - this is to support the hook_requirements() pointing to settings.php.

    However it's not clear to me how someone is supposed to actually remove those config keys from a site?

    We might need to add an upgrade path and skip the hook_requirements() - there should be one for when composer/rsync can't be found anyway.

    Or if we otherwise want to keep that, how do people remove this from config?

    Package manager isn't beta yet so manual steps are OK but a lot of sites have it installed via Drupal CMS now and we shouldn't cause them to have data integrity issues without an obvious way out.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts

    The idea -- and I probably should have documented this in the issue summary, or open a postponed follow-up -- is that in Drupal 12, we'll have an update path to remove those keys.

    So we commit this now, and give people a nice, long runway to make the requisite changes. The change record documents how to do it. But if people don't remove the keys, they will still only get requirements warnings, not errors, and if they're okay with that, then the keys will automatically go away when they update to Drupal 12.

    Does that seem reasonable? Tentatively restoring RTBC here since I think that's what we'd kinda-sorta agreed on in Slack discussions, but by all means kick this back if I'm jumping the gun here. (Or, if you want me to open a follow-up for the upgrade path that removes the keys.)

  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    I think a follow-up is good, but yeah let's open it - 12.x will be open soon.

  • ๐Ÿ‡บ๐Ÿ‡ธUnited States phenaproxima Massachusetts
    • catch โ†’ committed 17459c60 on 11.2.x
      Issue #3540215 by phenaproxima, catch, benjifisher, dww, poker10: Remove...
    • catch โ†’ committed 7dd237cb on 11.x
      Issue #3540215 by phenaproxima, catch, benjifisher, dww, poker10: Remove...
  • ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Committed/pushed to 11.x and cherry-pick (with a small amount of manual merge conflict resolution) to 11.2.x, thanks!

  • Now that this issue is closed, please review the contribution record.

    As a contributor, attribute any organization helped you, or if you volunteered your own time.

    Maintainers, please credit people who helped resolve this issue.

  • ๐Ÿ‡ฎ๐Ÿ‡นItaly mondrake ๐Ÿ‡ฎ๐Ÿ‡น
Production build 0.71.5 2024