Problem/Motivation
In Drupal\Core\Composer\Composer::vendorTestCodeCleanup() we attempt to remove test directories from the vendor directory as security mitigation.
The test directory for twig/twig is listed as `test`, which is accurate up through 1.42.2: https://github.com/twigphp/Twig/tree/v1.42.2
But in 1.42.3 it changed to `tests`: https://github.com/twigphp/Twig/tree/v1.42.3
This leaves behind the tests for twig/twig after an update.
This same issue is present in 8.8.x's vendor hardening plugin: https://git.drupalcode.org/project/drupal/blob/8.8.x/composer/Plugin/Ven...
Proposed resolution
Add `tests` to the list of directories to remove, so that we attempt to remove both `test` and `tests`.
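As an added illustration (not Drupal's own code), the following Python sketch models the hardening list as a package-to-directories map and shows why a single `test` entry misses twig 1.42.3's `tests` directory while the proposed two-entry list catches it. The vendor tree it builds is constructed in a temporary directory; the map and function names are assumptions for this example.

```python
import os
import shutil
import tempfile

# Constructed subsets of a vendor-hardening config: package -> candidate test dirs.
OLD_TEST_DIRS = {"twig/twig": ["test"]}            # matches twig <= 1.42.2 only
NEW_TEST_DIRS = {"twig/twig": ["test", "tests"]}   # proposed: covers both layouts


def find_test_dirs(vendor_root, config):
    """Return sorted package-relative paths of listed test dirs still present."""
    found = []
    for package, candidates in config.items():
        for name in candidates:
            if os.path.isdir(os.path.join(vendor_root, package, name)):
                found.append(os.path.join(package, name))
    return sorted(found)


def remove_test_dirs(vendor_root, config):
    """Remove every listed test directory that exists; return what was removed."""
    removed = []
    for rel in find_test_dirs(vendor_root, config):
        shutil.rmtree(os.path.join(vendor_root, rel))  # only listed dirs are touched
        removed.append(rel)
    return removed


def demo():
    """Build a constructed vendor tree shaped like twig 1.42.3 and run both configs."""
    root = tempfile.mkdtemp()
    try:
        for rel in ("twig/twig/src", "twig/twig/tests/Fixtures"):
            os.makedirs(os.path.join(root, rel))
        # The old list looks for 'test' only and so reports nothing to clean.
        missed_by_old = find_test_dirs(root, OLD_TEST_DIRS)
        # The proposed list finds and removes 'tests'.
        before = find_test_dirs(root, NEW_TEST_DIRS)
        removed = remove_test_dirs(root, NEW_TEST_DIRS)
        after = find_test_dirs(root, NEW_TEST_DIRS)
        src_intact = os.path.isdir(os.path.join(root, "twig/twig/src"))
        return {"missed_by_old": missed_by_old, "before": before,
                "removed": removed, "after": after, "src_intact": src_intact}
    finally:
        shutil.rmtree(root)
```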
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#10 | 3082145-10-8.7.x.patch | 517 bytes | voleger |
Comments
Comment #2
Mile23
Comment #3
voleger: Here are the patches for both branches
Comment #4
Mile23: Thanks, @voleger. :-)
Let's just do 8.8.x now and then get a backport, because they're different.
We need this same change in composer/Plugin/VendorHardening/Config.php.
Comment #5
voleger: Sure
Comment #6
Mile23: LGTM. :-)
Comment #7
Mile23: Updated title to be clearer.
Comment #8
larowlan: Committed 69fc0df and pushed to 8.8.x. Thanks!
Comment #10
voleger: Patch for 8.7.x
Comment #11
Mile23: LGTM.
Comment #12
larowlan: Committed 3f3c757 and pushed to 8.7.x. Thanks!
Comment #14
Mixologic