Problem/Motivation
In order to maintain appropriate security, safety and the "principle of least surprise," the Scaffold Plugin will only allow a dependency to provide scaffold files if it is explicitly whitelisted in the top-level composer.json. The top-level composer.json file itself is also implicitly allowed.
At the same time, we would like to keep the Composer template projects (cf. #2982680: Add composer-ready project templates to Drupal core) simple, so that there are as few moving parts as possible, to give users the best odds of being successful in moving to Composer. Also in the works is a new project drupal/legacy-scaffold-assets that will provide forward-compatibility for Drupal 8.8.x Composer components with Drupal 8.7.x sites.
Proposed resolution
Since the new core-composer-scaffold component is specifically designed for use with Drupal, it seems simpler and more logical to implicitly allow the standard projects that contain scaffold files without explicit mention in the project composer.json file.
Without this change, the project templates must contain an "allowed-packages" entry in the "extra/composer-scaffold" section:
    "extra": {
        "composer-scaffold": {
            "allowed-packages": [
                "drupal/core"
            ],
            "locations": {
                "web-root": "web/"
            }
        },
With it:
    "extra": {
        "composer-scaffold": {
            "locations": {
                "web-root": "web/"
            }
        },
If a project has a distribution / installation profile or a host-compatibility project that scaffolds files or alters scaffold files, it must still be whitelisted in "allowed-packages".
Remaining tasks
None.
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
The Drupal Composer Scaffold component now implicitly allows the projects drupal/core and drupal/legacy-scaffold-assets to scaffold files, even if they are not whitelisted in the top-level composer.json file.
| Comment | File | Size | Author |
|---|---|---|---|
| #4 | 3080205-2-to-4-interdiff.txt | 943 bytes | greg.1.anderson |
| #4 | 3080205-4.patch | 3.7 KB | greg.1.anderson |
| #2 | 3080205-2.patch | 2.78 KB | greg.1.anderson |
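The allow rules described in the issue summary above, as an added audit example (not code from the patch or from the Scaffold Plugin): it classifies each package that ships scaffold files as root, implicitly allowed, explicitly allowed or blocked. The function name, the `example/*` package names and the input list of scaffolding packages are assumptions made for illustration.

```python
# Implicitly allowed packages, as named in the release notes snippet above.
IMPLICIT_ALLOWED = {"drupal/core", "drupal/legacy-scaffold-assets"}


def scaffold_permissions(root_composer, scaffolding_packages):
    """Map each package that ships scaffold files to how it is permitted.

    root_composer: the parsed top-level composer.json (a dict).
    scaffolding_packages: names of installed packages that declare scaffold
    files (assumed input; gather it from the installed packages yourself).
    Values: "root", "implicit", "explicit" or "blocked".
    """
    config = (root_composer.get("extra") or {}).get("composer-scaffold") or {}
    explicit = config.get("allowed-packages") or []
    if not isinstance(explicit, list):
        raise ValueError("allowed-packages must be a list of package names")
    # Names are compared case-insensitively (a choice made for this example).
    explicit = {str(name).lower() for name in explicit}
    root_name = str(root_composer.get("name") or "").lower()

    permissions = {}
    for package in scaffolding_packages:
        key = package.lower()
        if root_name and key == root_name:
            permissions[package] = "root"        # top-level project itself
        elif key in IMPLICIT_ALLOWED:
            permissions[package] = "implicit"    # no allowed-packages entry needed
        elif key in explicit:
            permissions[package] = "explicit"    # listed in allowed-packages
        else:
            permissions[package] = "blocked"     # scaffold files are not applied
    return permissions


# Constructed sample: the "With it" template plus one explicitly allowed profile.
SAMPLE_ROOT = {
    "name": "example/site",
    "extra": {"composer-scaffold": {
        "allowed-packages": ["example/install-profile"],
        "locations": {"web-root": "web/"},
    }},
}
SAMPLE_PACKAGES = ["example/site", "drupal/core", "drupal/legacy-scaffold-assets",
                   "example/install-profile", "example/host-compat"]

if __name__ == "__main__":
    for name, status in scaffold_permissions(SAMPLE_ROOT, SAMPLE_PACKAGES).items():
        print(f"{status:9} {name}")
```

The "explicit" entries are the ones worth reviewing in a project's composer.json, since they are the only third-party packages trusted to write into the web root.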
Comments
Comment #2
greg.1.anderson commented
Patch enabling the implicit approval.
Comment #3
greg.1.anderson commented
Set status to 'needs review'
Comment #4
greg.1.anderson commented
We also want to suppress warnings about lack of scaffold files in old versions of drupal/core. This is expected if we implicitly allow core.
Comment #5
Mixologic
This is a reasonable thing to do. Saves extra config in the rest of the ecosystem, which, we can assume that drupal/core is not a bad actor.
Comment #6
webchick
Seems sane to me, as well. :) I had one question which was whether the conditional for pre-8.7 made sense to mark for explicit removal in D9, but Greg pointed out that no, because this tool will still be usable with older versions of Drupal, even in Drupal 9. Works for me!
Committed and pushed to 8.8.x. Thanks for the nice little DX improvement!
Comment #9
danepowell commented
I updated the Composer Scaffold docs to reflect this change. Up until now, they still indicated that drupal/core had to be explicitly allowed.
If anyone wants to check my changes, I'd appreciate it: https://www.drupal.org/node/3057099/revisions/view/11668194/11712166