Add drupal/core-vendor-hardening to https://github.com/drupal/recommended-project [#3101956]

Using https://github.com/drupal/recommended-project as recommended at https://www.drupal.org/docs/develop/using-composer/using-composer-to-ins... works fine for me with Drupal 8.8.0, however with 8.8.1 I am getting:

Uncaught Error: Class 'Drupal\Composer\Plugin\VendorHardening\FileSecurity' not found

This is fixed for me by adding:

"drupal/core-vendor-hardening": "^8.8",

to the "require" section of https://github.com/drupal/recommended-project

Comment	File	Size	Author
#5	composer.json_.txt	2.93 KB	Peter Buchanan
#5	Composer update log for 8.8.4.txt	7.98 KB	Peter Buchanan

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

18 December 2019 at 22:20

alberto56 created an issue. See original summary.

Comment #2

maxilein CreditAttribution: maxilein commented 19 December 2019 at 07:38

doing this before upgrading to D 8.8.1 gives me:

PHP Fatal error:  Uncaught Error: Class 'Drupal\Composer\Plugin\Scaffold\ScaffoldOptions' not found in /web/vendor/drupal/core-composer-scaffold/ManageOptions.php:55
Stack trace:
#0 /web/vendor/drupal/core-composer-scaffold/ManageOptions.php(42): Drupal\Composer\Plugin\Scaffold\ManageOptions->packageOptions(Object(Composer\Package\RootPackage))
#1 /web/vendor/drupal/core-composer-scaffold/AllowedPackages.php(120): Drupal\Composer\Plugin\Scaffold\ManageOptions->getOptions()
#2 /web/vendor/drupal/core-composer-scaffold/AllowedPackages.php(78): Drupal\Composer\Plugin\Scaffold\AllowedPackages->getTopLevelAllowedPackages()
#3 /web/vendor/drupal/core-composer-scaffold/Handler.php(143): Drupal\Composer\Plugin\Scaffold\AllowedPackages->getAllowedPackages()
#4 /web/vendor/drupal/core-composer-scaffold/Plugin.php(68): Drupal\Composer\Plugin\Scaffold\Handler->scaffold()
#5 [internal function]: Drupal\Composer\Plugin\Scaffold\Plugin->postCmd(Object(Composer\Script\Event))
#6 phar:///us in /web/vendor/drupal/core-composer-scaffold/ManageOptions.php on line 55

Fatal error: Uncaught Error: Class 'Drupal\Composer\Plugin\Scaffold\ScaffoldOptions' not found in /web/vendor/drupal/core-composer-scaffold/ManageOptions.php:55
Stack trace:
#0 /web/vendor/drupal/core-composer-scaffold/ManageOptions.php(42): Drupal\Composer\Plugin\Scaffold\ManageOptions->packageOptions(Object(Composer\Package\RootPackage))
#1 /web/vendor/drupal/core-composer-scaffold/AllowedPackages.php(120): Drupal\Composer\Plugin\Scaffold\ManageOptions->getOptions()
#2 /web/vendor/drupal/core-composer-scaffold/AllowedPackages.php(78): Drupal\Composer\Plugin\Scaffold\AllowedPackages->getTopLevelAllowedPackages()
#3 /web/vendor/drupal/core-composer-scaffold/Handler.php(143): Drupal\Composer\Plugin\Scaffold\AllowedPackages->getAllowedPackages()
#4 /web/vendor/drupal/core-composer-scaffold/Plugin.php(68): Drupal\Composer\Plugin\Scaffold\Handler->scaffold()
#5 [internal function]: Drupal\Composer\Plugin\Scaffold\Plugin->postCmd(Object(Composer\Script\Event))
#6 phar:///us in /web/vendor/drupal/core-composer-scaffold/ManageOptions.php on line 55
HX@WEBM:/web$ "drupal/core-vendor-hardening": "^8.8",
-bash: drupal/core-vendor-hardening:: No such file or directory

Comment #3

Peter Buchanan CreditAttribution: Peter Buchanan commented 25 March 2020 at 11:40

I'm now getting the same error:
Fatal error: Uncaught Error: Class 'Drupal\Composer\Plugin\Scaffold\ScaffoldOptions' not found in /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/ManageOptions.php:57
Stack trace:
#0 /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/ManageOptions.php(44): Drupal\Composer\Plugin\Scaffold\ManageOptions->packageOptions(Object(Composer\Package\RootPackage))
#1 /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/AllowedPackages.php(122): Drupal\Composer\Plugin\Scaffold\ManageOptions->getOptions()
#2 /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/AllowedPackages.php(80): Drupal\Composer\Plugin\Scaffold\AllowedPackages->getTopLevelAllowedPackages()
#3 /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/Handler.php(145): Drupal\Composer\Plugin\Scaffold\AllowedPack in /Users/ThinkGov/Documents/Websites/MAMPpro_test_sites/teijaeilola2/vendor/drupal/core-composer-scaffold/ManageOptions.php on line 57

Any thoughts, I'm unable to implement the security update to Drupal 8.8.4 where I'm using composer

Comment #4

cilefen CreditAttribution: cilefen as a volunteer commented 25 March 2020 at 13:36

Whenever there are Composer bugs or questions, it is helpful to post composer.json files and to tell us the Composer commands that have been executed.

Comment #5

Peter Buchanan CreditAttribution: Peter Buchanan commented 26 March 2020 at 10:22

File	Size
Composer update log for 8.8.4.txt	7.98 KB
composer.json_.txt	2.93 KB

Thanks cilefen, terminal log and composer.json files attached. json files not accepted for upload so converted to txt

Comment #6

ashwinr13 CreditAttribution: ashwinr13 commented 26 May 2020 at 22:24

Has there been any movement on this issue? Im currently into the same issues as @peter.

Comment #7

26 May 2020 at 22:24

Version:

8.8.x-dev

» 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #8

fgm

French

Paris, France

CreditAttribution: fgm as a volunteer and at OSInet commented 25 January 2021 at 09:41

I noticed this issue today on a machine which used an old composer 1.7. Composer 2.0.8 broke due to plugin issues, but upgrading to 1.10.19 fixed the issue for me.

Comment #9

mmjvb CreditAttribution: mmjvb as a volunteer commented 25 January 2021 at 11:10

The json provided is drupal/drupal, not drupal/recommended-project. It is using the merge plugin to introduce drupal/core. The project needs to be composerized to fix the issue.

Comment #10

25 January 2021 at 11:10

Version:

8.9.x-dev

» 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #11

25 January 2021 at 11:10

Version:

9.2.x-dev

» 9.3.x-dev

Comment #12

25 January 2021 at 11:10

Version:

9.3.x-dev

» 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #13

quietone CreditAttribution: quietone at PreviousNext commented 9 June 2022 at 23:56

Status:	Active	» Closed (outdated)
Issue tags:		+Bug Smash Initiative

The vendor hardening was fixed in Drupal 8.8.1 in #3079481: Fix problems Vendor Hardening Plugin has with using the File Security component.

I am closing this as outdated (Drupal 8 is EOL). If anyone is still have this problem, add a comment explaining what actions you took and change the status to 'Active'.

Thanks.