Problem/Motivation
PHPCS 2.8.1 was released with a security fix: https://github.com/squizlabs/PHP_CodeSniffer/releases/tag/2.8.1
This does not directly affect us because we don't use one of the vulnerable sniffs. The diff report might be used by the testbots, but there is not much damage an attacker could do in that sandbox. That is also the reason why this issue is public, because there is no direct vulnerability.
Security fixes are still critical.
Proposed resolution
Update PHPCS alone for the security fix, Coder can be updated later.
Comment | File | Size | Author |
---|---|---|---|
#9 | 2857245-9.patch | 1.33 KB | pwolanin |
Comments
Comment #2
klausi: Patch.
There are some unrelated composer.lock changes in there, probably because I use a newer Composer version? They don't hurt though and since composer.lock is a machine generated file I think we should take it as is.
Comment #3
klausi: Tagging.
Comment #4
klausi: Patch created with
Comment #5
pwolanin (as a volunteer and at SciShield): odd?
Can you document how you did the composer.lock update?
Comment #6
klausi: Classifying as a bug so that we don't forget to cherry-pick to all supported 8.x branches.
Comment #7
klausi: @pwolanin, sure:
Patch created with
As I said: a newer Composer version simplifies the auto-generated content of composer.lock.
Comment #8
pwolanin (as a volunteer and at SciShield): I don't get the fig change locally.
I get:
Comment #9
pwolanin (as a volunteer and at SciShield): Note that klausi and I both updated to Composer 1.3.2, but here's what I get.
Comment #10
klausi: Indeed, I removed my vendor dir and performed a fresh composer install and then the update. That gets me the same result, sorry for the confusion with the first patch.
Looks good!
Comment #11
Mixologic: FYI: the installed.json from the test now shows up in the artifacts: https://dispatcher.drupalci.org/job/drupal_patches/4131/artifact/jenkins...
so this confirms that 2.8.1 is getting installed, and the patch in #2 is setting php-fig log to fe0936ee26643249e916849d48e3a51d5f5e278b, which also corresponds to 1.0.0.
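The verification in #11 (reading the lock/installed data to confirm the patched PHPCS version and the psr/log commit) can be automated as a CI gate. The following is an added example, not code from this issue or from Drupal core; the lock fragment is constructed, and the PHPCS source reference is a placeholder because the thread only quotes the psr/log commit.

```python
import json
import re

# Constructed composer.lock fragment (not Drupal's real lock file): psr/log
# pinned to the commit quoted in #11, PHPCS 2.8.1 as a dev dependency.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "1.0.0",
         "source": {"type": "git",
                    "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"}},
    ],
    "packages-dev": [
        {"name": "squizlabs/php_codesniffer", "version": "2.8.1",
         "source": {"type": "git", "reference": "PLACEHOLDER_PHPCS_REFERENCE"}},
    ],
})


def parse_version(version):
    """Turn '2.8.1' or 'v2.8.1' into a comparable tuple of ints.

    Branch aliases such as 'dev-master' yield an empty tuple, which sorts
    below every tagged release, so they never satisfy a minimum version.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def locked_packages(lock_text):
    """Index packages by name from a composer.lock or an installed.json."""
    data = json.loads(lock_text)
    if isinstance(data, list):  # installed.json of this era is a bare array
        entries = data
    else:  # composer.lock: runtime and dev sections both matter
        entries = data.get("packages", []) + data.get("packages-dev", [])
    return {pkg["name"]: pkg for pkg in entries}


def check_lock(lock_text, minimums, references=None):
    """Return findings (empty list = every requirement met).

    minimums:   {package: lowest acceptable tagged version}
    references: {package: expected source commit reference}
    """
    pkgs = locked_packages(lock_text)
    findings = []
    for name, floor in minimums.items():
        pkg = pkgs.get(name)
        if pkg is None:
            findings.append(f"{name}: not present in lock file")
        elif parse_version(pkg["version"]) < parse_version(floor):
            findings.append(f"{name}: {pkg['version']} is below {floor}")
    for name, expected in (references or {}).items():
        pkg = pkgs.get(name)
        got = pkg.get("source", {}).get("reference") if pkg else None
        if got != expected:
            findings.append(f"{name}: reference {got} != expected {expected}")
    return findings
```

Run it against the real composer.lock (or the installed.json artifact) with `{"squizlabs/php_codesniffer": "2.8.1"}` as the minimum; a non-empty result is the signal that the security update has not landed.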
Comment #12
alexpott: Committed and pushed b0af9e9 to 8.4.x and 214457a to 8.3.x. Thanks!
PHPCS has not been a dependency in any actually released version of Drupal 8 - it is also only a dev dependency and therefore is covered by the earlier PSA about not deploying these.
Comment #15
klausi: Thanks, next Coder update: #2857714: Upgrade Coder to 8.2.11