Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
In #3032686: Remove references to unused packages in Drupal 9's vendor hardening we added a test to ensure that packages that had been removed from composer.lock were also removed from our vendor hardening code.
We can go a step further and ensure that all packages listed in composer.lock are also listed in the vendor hardening code, even if there is nothing to harden; this ensures we have at least considered hardening for any new dependency.
Proposed resolution
Make the test in ComposerIntegrationTest::testVendorCleanup() stricter.
Remaining tasks
Decide if this is a good idea.
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#20 | 3133903-20.patch | 11.08 KB | KapilV |
#6 | 3133903-6.patch | 11.7 KB | longwave |
Comments
Comment #2
longwaveSo I suspect this is more important than I first thought; since we first added directories to the vendor hardening, we have updated various dependencies and a number of the directories have moved. We have also added new dependencies and not hardened them. This means that, especially in packages installed from source, the vendor directories often contain a number of tests that could be safely removed. This is mitigated by the fact that many packages now use .gitattributes to remove their tests from their dist (zipfile) builds, which is what I think most people will end up installing. However, not all packages do this correctly.
I have updated the test to ensure that at least an empty array exists for each dependency, forcing us to evaluate them for hardening in the future.
The way I tested this was to run
I then looked through the vendor directories for tests and added them to the hardening config. I also removed a few that now seem obsolete.
Comment #3
jungleThe patch does not apply.
$defaultConfig
and$packageToCleanup
look the same, can we make one of them reusable?One concern is that if those files are removed, no way to get them back. For example, while developing, for some reasons, I want to check those tests or docs inside the vendor directory. So I am ponding if we could make it optional.
Comment #4
jungleThe patch does not applySorry, I was wrong, applying the patch to the wrong branch.Comment #6
longwaveRerolled to include symfony/polyfill-php80.
Comment #7
longwaveRe: #3 you can tell composer to ignore plugins and the hardening will not happen:
Comment #8
junglere #7, got it. thanks!
The above is another question in #3, any thoughts?
Comment #9
longwaveI think Drupal\Core\Composer\Composer is legacy (the old way of running Composer scripts from composer.json) and Drupal\Composer\Plugin\VendorHardening\Config is newer (the modern Composer plugin way) but I also think unifying these into a single script is out of scope for this issue; these arrays have previously been kept in sync manually, let's open a new issue to discover if we can merge them.
Comment #10
jungleThanks @longwave for your explaination in #9
Filed #3155625: Deprecate \Drupal\Core\Composer\Composer::vendorTestCodeCleanup() as the follow-up, re-scoping it if necessary. BTW. removing
\Drupal\Core\Composer\Composer::vendorTestCodeCleanup()
will remove$packageToCleanup
.The patch in #6 is good to me as the test revealed.
Comment #12
longwaveRandom fail.
Comment #13
alexpottCommitted f0f4922 and pushed to 9.1.x. Thanks!
This is definitely a good idea. Nice work @longwave
Comment #16
alexpottHmmm... so there's an issue with this patch. It's very fragile as it'll fail if you have drush installed locally for example. But my biggest concern is that this will make updating to PHPUnit 9 in a test run very hard too. I think we need to go back to the drawing board and come up with something less fragile. Imo we should only target prod dependencies.
Comment #19
andypostIt also needs to add SF/Mime and check other dependencies
Comment #20
KapilV CreditAttribution: KapilV as a volunteer and at Innoraft for Drupal Care, Drupal Association commentedHear a reroll patch.