Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Problem/Motivation
In #3057094: Add Composer vendor/ hardening plugin to core we added the drupal/core-vendor-hardening plugin to Drupal. This replaced the behavior of equivalent scripts which ran from the drupal/drupal composer.json file. We made the change so that the behavior would be portable across different Composer template installations.
Change record for that: https://www.drupal.org/node/3059717
The scripts are no longer called from drupal/drupal's composer.json file, but the code which the scripts called was not removed.
This code is not marked for deprecation, but there was already a pre-existing issue to delete the unused code: #3076684: Remove deprecated vendor cleanup scripts That issue is now postponed on this one.
Proposed resolution
Mark the vendor hardening code in Drupal\Core\Composer\Composer::vendorTestCodeCleanup() (and whatever else is vestigial) as deprecated.
Eventually remove the code in #3076684: Remove deprecated vendor cleanup scripts for the 10.0.0 release.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Issue fork drupal-3280589
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
SpokjeAdded Change Record
Comment #5
SpokjeRight...
I've created two MRs for this one:
1) MR !2425, which is basically exactly what the IS asks for: Deprecate
Drupal\Core\Composer\Composer::vendorTestCodeCleanup()and create a test for that deprecation.2) MR!2427, where I looked at #3076684: Remove deprecated vendor cleanup scripts and found a patch in there (
3076684-27.patch). There's a lot more deprecating going on in there, as well as marking some methods@internal. I've basically converted that patch into an MR with some extra polish. The only big change is that the patch also deprecatesDrupal\Core\Composer\Composer::upgradePHPUnit(). That's something we can't do in9.5.x-devsince that still supports PHP 7.3 and still uses that method. Also I think it was decided (somewhere) to keep this method for the PHPUnit 10.0 upgrade.I'll let Bigger Brains decide which way to go on this one.
Comment #6
SpokjeComment #7
longwaveI think we need something in between the two, so commented on 2427.
Comment #8
SpokjeOi, there was definitely no option #3...;)
Closed MR !2425 since we're not going to take that route.
Comment #10
SpokjeChanges made, asked two times for the same clarification.
Comment #11
longwaveResponded in the MR.
Comment #12
Mile23"Any "scripts" section mentioning this in composer.json can be safely removed."
The purpose of the script is to harden a vendor directory, so therefore not using it is potentially unsafe, so don't say 'safely.'
Here's an alternate text:
'Calling ' . __METHOD__ . ' from composer.json is deprecated in drupal:9.5.0 and is removed from drupal:10.0.0. Any "scripts" section mentioning this in composer.json can be removed and replaced with the drupal/core-vendor-hardening Composer plugin, as needed. See https://www.drupal.org/node/3260624'
Comment #13
SpokjeThanks to both @longwave and @Mile23, sense = made in both cases.
Made the requested changes.
Comment #14
SpokjeUpdated CR.
The one thing I'm unsure about are protected method/static that are only used by the methods we're deprecating in this issue (
\Drupal\Core\Composer\Composer::findPackageKeyand\Drupal\Core\Composer\Composer::$packageToCleanup). Is there the need to deprecate those, or can they just be removed in #3076684: Remove deprecated vendor cleanup scripts?Comment #15
longwaveThanks!
findPackageKey()is now @internal so that is fine to remove, I think$packageToCleanupwill be OK to remove as well - I don't think anyone will be using it outside of this code, and there's a replacement in the plugin anyway.To me this is RTBC, it will be good to get rid of these old scripts finally.
Comment #16
SpokjeThanks for the explanation @longwave!
Comment #18
catchAgreed with deprecating these in 9.5.x, not really an API as such and related to composer 2/2.2 updates.
Committed/pushed to 10.1.x, 10.0.x and 9.5.x, thanks!
Comment #23
quietone CreditAttribution: quietone at PreviousNext commentedChanged the CR to be, hopefully, easier to read and published.