Contrib.social

Remove the ability to configure the path to Composer

Open on Drupal.org β†’
Created on 7 August 2025, 9 days ago

Problem/Motivation

The security team has determined that letting Package Manager's path to Composer be configurable is not a good idea. In the worst-case scenario, it is a potential RCE vector.

Proposed resolution

Completely remove the package_manager.settings:executables config structure, with an update path.
Refactor our ExecutableFinder to look for Composer in exactly one place: locally installed in the project. If it's not installed in the project, fall back to PATH detection.

The expectation here is that, if you want to use Package Manager, you need either:

Composer to be globally available in the PATH, in a supported version.
Composer to be installed as a runtime dependency of the project (composer require composer/composer), which you are expected to do at the command-line. Drupal CMS users won't have a problem with this, since Drupal CMS can add Composer to its runtime dependencies anyway. Plain core users are generally more technical and can be reasonably expected to run a simple command to get Composer into their runtime (or dev) dependencies.

For rsync, we should continue to allow that to be overridden, only by a setting. We have received far fewer complaints (if any) about rsync being undetectable in PATH, so although it is prudent for this to be changeable by the site owner/developer, we don't need to make it easy.

Data model changes

A pair of configuration options will be removed.

Release notes snippet

TBD but we'll certainly need one, because this is a breaking change in an experimental module. People who were relying on a configured path to Composer will have to add Composer to their project. (And anyone who had configured an alternate path to rsync will need to migrate that to a setting.)

πŸ“Œ Task
Status

Active

Version

11.0 πŸ”₯

Component

package_manager.module

Created by

πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @phenaproxima
  • Comment 9 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts
  • Merge request !12932Resolve #3540215 "Remove the ability" β†’ (Open) created by phenaproxima
  • Pipeline finished with Failed
    9 days ago
    Total: 577s
    #567231
  • Pipeline finished with Success
    9 days ago
    Total: 805s
    #567269
  • Comment 9 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts
  • Comment 9 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    Two questions about this.

    1. The MR currently completely removes the configuration for composer, as an experimental module that's fine as far as core's concerned.

    However package_manager is already used in production by Drupal CMS sites (or other sites using project browser/automatic updates) and those sites may be relying on having configured the composer path. Also depending on the host and who installed the site, running composer require composer/composer from the command line may not be an easy option.

    So I'm wondering if this needs a two step process.

    1. Keep the configured path as a final fallback if local and PATH composer can't be found. When this is the case, we could have a hook_requirements() warning telling people they need to fix the problem, but it wouldn't immediately break.

    2. Later on (maybe for 12.0.0) remove the configuration entirely as the MR currently does.

    2. It might be possible for automatic updates or project browser to add an update that detects whether composer is found locally or in PATH, and if it's not, runs composer require composer/composer via package manager to install a local composer. Once the local composer is installed, the site would then no longer be using the configuration any more and it would be safe to remove. If automatic updates/project browser introduces that update path before Drupal 12 support is added, it would then more or less guarantee that sites continue to work once the configuration is removed.

    The above isn't necessary for core, but I think it probably needs discussion with the Drupal CMS team whether that's something that's worth attempting.

  • Comment 9 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

    I was thinking along similar lines. It probably makes sense to remove the executables structure from config schema, so that it can stay in existing sites but is no longer considered "valid" config.

    Meanwhile, the executable finder can use it as a final fallback, and trigger a deprecation warning. We can also do a separate requirements error (or warning, I guess) that having a configured path to Composer is deprecated and will not be supported in Drupal 12.

  • Pipeline finished with Failed
    9 days ago
    Total: 157s
    #567358
  • Pipeline finished with Failed
    9 days ago
    Total: 111s
    #567373
  • Pipeline finished with Canceled
    9 days ago
    Total: 398s
    #567384
  • Pipeline finished with Success
    9 days ago
    Total: 470s
    #567394
  • Pipeline finished with Success
    9 days ago
    Total: 695s
    #567402
  • Comment 8 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States benjifisher Boston area
  • Comment 8 days ago β†’
    πŸ‡¬πŸ‡§United Kingdom catch

    Crediting @benjifisher for slack discussion related to this.

  • Comment 8 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dww

    Reading summary and MR, I wonder if a setting fallback (instead of having to install it via composer or adjust the PATH) for finding composer would also make sense. Seems easier to migrate from the config to a setting than the other choices. I don’t see how it’s worse from a security standpoint. We already have to trust settings isn’t writable by malicious actors.

  • Comment 7 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

    I agree with @dww and have added the settings-based fallback.

  • Pipeline finished with Canceled
    7 days ago
    Total: 376s
    #568792
  • Pipeline finished with Failed
    7 days ago
    Total: 308s
    #568794
  • Pipeline finished with Success
    7 days ago
    #568795
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024