I am trying to get a site up and running using the drupal-composer/drupal-project method of installation. When I try to do a:

composer require drupal/composer_security_manager

I get:

[InvalidArgumentException]
Could not find package drupal/composer_security_manager at any version for your minimum-stability (stable). Check the package spelling or your minimum-stability

I then proceeded to the manual method and did:

composer require sensiolabs/security-checker ~3.0.0
composer require roave/security-advisories dev-master

Nothing was said about downloading the module but I did so and enabled it. I then opened reports and selected the link "Composer Security Checker Report" and received the following:

The website encountered an unexpected error. Please try again later.
SensioLabs\Security\Exception\RuntimeException: Lock file does not exist

I looked in the code and it is looking for the lockfile to be in the web directory and not the project root directory.

If I change the $lock to be /home/myuser/staging.mywebsite.com/web instead of "/home/myuser/staging.mywebsite.com/web" the report functions as expected.

Suggestions?


Comments

Christopher Riley created an issue. See original summary.

chapabu’s picture

Title: Trouble installing » Assumption that lockfile is in Drupal root is not always correct.

Hmm..that makes sense. So, we either need an option to specify the lockfile path relative to the Drupal root (makes the most sense to me in terms of flexibility), or we need to traverse directories and look for it.

I guess it'd also be nice to not throw an exception, and rather catch the error in the logs and display a message.

I can take a look at this as soon as I can, but my time is a little stretched right now :(
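
An added sketch, not the module's code or the patch later committed in this thread, of the two options raised in the comment above: a configured lock file location relative to the Drupal root, with a bounded parent-directory search as fallback, returning null instead of throwing so the report page can log and display a message. The function name, the `$configuredPath` setting and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added illustration: find_composer_lock() and $configuredPath are hypothetical names.

/**
 * Resolve composer.lock starting from the Drupal root.
 *
 * @param string      $drupalRoot     Absolute path to the Drupal root (e.g. .../web).
 * @param string|null $configuredPath Optional setting: directory holding composer.lock,
 *                                    relative to $drupalRoot (e.g. '..').
 * @param int         $maxLevels      Parent directories to search when nothing is configured.
 * @return string|null Absolute path to composer.lock, or null when none is found.
 */
function find_composer_lock(string $drupalRoot, ?string $configuredPath = null, int $maxLevels = 3): ?string {
  $sep = DIRECTORY_SEPARATOR;
  if ($configuredPath !== null && $configuredPath !== '') {
    // An explicit setting wins; do not silently fall back to another file.
    $candidate = realpath($drupalRoot . $sep . $configuredPath . $sep . 'composer.lock');
    return ($candidate !== false && is_file($candidate) && is_readable($candidate)) ? $candidate : null;
  }
  $dir = realpath($drupalRoot);
  for ($i = 0; $dir !== false && $i <= $maxLevels; $i++) {
    $candidate = $dir . $sep . 'composer.lock';
    if (is_file($candidate) && is_readable($candidate)) {
      return $candidate;
    }
    $parent = dirname($dir);
    if ($parent === $dir) {
      break; // Reached the filesystem root.
    }
    $dir = $parent;
  }
  return null;
}

// Constructed layout mirroring drupal-composer/drupal-project:
// composer.lock sits in the project root, one level above web/.
$project = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lockdemo_' . uniqid();
mkdir($project . DIRECTORY_SEPARATOR . 'web', 0700, true);
file_put_contents($project . DIRECTORY_SEPARATOR . 'composer.lock', '{}');
$web = $project . DIRECTORY_SEPARATOR . 'web';

var_dump(find_composer_lock($web));        // No setting: parent directories are searched.
var_dump(find_composer_lock($web, '..'));  // Setting points at the project root.
var_dump(find_composer_lock($web, '.'));   // Setting points at web/, which has no lock file.

// Remove the constructed directories.
unlink($project . DIRECTORY_SEPARATOR . 'composer.lock');
rmdir($web);
rmdir($project);
```

A caller would treat a null result as "no lock file to audit", log it and show a message on the report page rather than passing a missing path to the checker.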

Christopher Riley’s picture

I understand and appreciate it. I think specifying the path is the quickest and most flexible way of doing it.

badjava’s picture

+1 for this. The Drupal Composer Template has the project root one folder above the web root so this will be a pretty standard use case.

Here is a stab at a patch. The only thing it doesn't do is try and catch the error on the reports page when composer.lock isn't found.

badjava’s picture

Status: Active » Needs review

badjava’s picture

FileSize
6.83 KB

Let's try this again.

badjava’s picture

FileSize
6.82 KB

Fixed a minor issue in the form field.

Christopher Riley’s picture

Thank you for the patch; it seems to apply cleanly via composer patch. One other thing you may want to do is fix the docs so that they do a:

composer require drupal/composer_security_checker

and not

composer require drupal/composer_security_manager

Thanks again for the patch; just waiting for something that should be reported to actually get reported.

chapabu’s picture

Wow, this looks great @badjava!

I'll try and get this merged in the next couple of days! Thanks for your help :)

  • chapabu committed 0386351 on 8.x-1.x authored by badjava
    Issue #2839404 by badjava: Assumption that lockfile is in Drupal root is...
chapabu’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

shrop’s picture

I am having this error while running 1.x-dev. My webroot is in the web folder beneath my composer.json and composer.lock files.

Requirement in my composer.lock file.

    "name": "drupal/composer_security_checker",
    "version": "dev-1.x",
    "source": {
        "type": "git",
        "url": "https://git.drupal.org/project/composer_security_checker",
        "reference": "75af37aa7d5a364be8fd1280b47451fa2490f56e"
    },

shrop’s picture

Issue tags: +Guardr

chapabu’s picture

That's weird, because this did fix it for me and I've not had any issues thus far. It might be a stupid question, but you changed the settings from the defaults?

If you did, perhaps you could give me a little more information so I can try to reproduce the issue?

I doubt it's of any use whatsoever, but I did just tag an 8.x-1.1 release containing this fix, so maybe when that's made its way through the d.o chain you could try that, then if the problem persists we can either reopen this or create a new issue :)

Anonymous’s picture

I just got this:

SensioLabs\Security\Exception\RuntimeException: Lock file does not exist. in SensioLabs\Security\SecurityChecker->check() (line 47 of /Users/stephenpurkiss/Sites/d8/vendor/sensiolabs/security-checker/SensioLabs/Security/SecurityChecker.php).

I saw a tweet go by with the module update & thought "ooo that looks interesting I shall try that" so ran my rebuild script which uses composer:

composer create-project drupal-composer/drupal-project:8.x-dev d8 --stability dev --no-interaction

Then enabled the module, went to the report and got the "unexpected" error message.

Then I looked at the issue queue and saw it was @chapabu. And @shrop. So I thought I'd post here too.

Anonymous’s picture

...I thought for a moment there it was my bad cos I didn't specify dev but does the same when I do:

composer require drupal/composer_security_checker:1.x-dev

chapabu’s picture

Yeah, dev and stable are in line at the mo!

I'll spin up an env later this week from drupal-composer and see if I can see what's up!

shrop’s picture

@chapabu: Thanks for checking into it as you can. I am thinking of adding it to Guardr via https://www.drupal.org/node/2862133

@stevepurkiss: Thanks for verifying!