The makefile of the colorbox module currently downloads the master version of the colorbox library (https://github.com/jackmoore/colorbox/archive/1.x.zip). As it is not downloading specific versions of the library, and we have no control over the commits being done to that repository, a single malicious or erroneous commit would be all it takes to break the whole module or introduce a security issue.
This can also be a problem when troubleshooting issues in a specific release of the module, as different people may be using different versions of the library.
On the flip side, this may mean the Colorbox module has to release more often in order to include the right version of the library, but I am willing to help with this if needed!
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | colorbox-makefile-1.patch | 515 bytes | stefan.r |
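As an added illustration (not the module's own makefile and not the attached patch), the unpinned download the summary describes is shown next to a pinned alternative in Drush make syntax; the release tag `X.Y.Z` and the checksum are placeholders to be taken from the upstream release, and the `download][sha256]` key assumes a Drush make version that supports checksum verification.

```ini
; Weak: follows the moving 1.x branch, so any upstream push changes what the
; next build installs, and two sites built on different days get different code.
libraries[colorbox][download][type] = "get"
libraries[colorbox][download][url] = "https://github.com/jackmoore/colorbox/archive/1.x.zip"
libraries[colorbox][destination] = "libraries"

; Pinned: a released tag plus a digest of that exact archive, so a changed or
; substituted archive fails the build instead of being installed silently.
; PLACEHOLDERS: replace X.Y.Z with the release the module is tested against and
; the sha256 value with the digest computed from that archive (sha256sum colorbox-X.Y.Z.zip).
libraries[colorbox][download][type] = "get"
libraries[colorbox][download][url] = "https://github.com/jackmoore/colorbox/archive/X.Y.Z.zip"
libraries[colorbox][download][sha256] = "<sha256-of-colorbox-X.Y.Z.zip>"
libraries[colorbox][destination] = "libraries"
```

Only one of the two `libraries[colorbox]` definitions belongs in a real makefile; they are shown together here for comparison.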
Comments

Comment #1 by stefan.r

Comment #2 by stefan.r

Comment #3 by stefan.r

Comment #4 by tannerjfco:

I suggest reviewing #2175565: (revert) Download Library with ckeditor.make for Simple Profile Integration for some relevant discussion on the issue of make files included with module projects. If you are using your own makefile at the site/profile level, you can override the module's makefile to download the desired version. I think it's debatable how helpful it really is to include the makefile with the module though. CKEditor ended up removing the make file so that you were not defaulted to a particular version out of the box.

Comment #5 by frjo