Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Currently the VendorHarderingPlugin is only able to process packages installed in the vendor directory. That very strongly limits it's usage. It would be nice if it could harden Composer packages in any directories. For instance Drupal core ships with 4 MB demo_umami installation profile. Given it's a demo profile why should any Drupal site have it on production?
Proposed resolution
Process all packages regardless of their location.
$composer = $event->getComposer();
$installation_manager = $composer->getInstallationManager();
$package_path = $installation_manager->getInstallPath($package);
Comment | File | Size | Author |
---|---|---|---|
#38 | interdiff_18_38.txt | 417 bytes | Spokje |
#38 | 3108262-38.patch | 12.29 KB | Spokje |
Comments
Comment #2
Chi CreditAttribution: Chi commentedComment #3
Mile23The vendor hardening plugin does, indeed, assume that the package is in the vendor directory. https://git.drupalcode.org/project/drupal/blob/8.8.x/composer/Plugin/Ven...
If the package is symlinked then that works to remove the cleanup directories regardless where the real directory lives.
I'm not entirely sure we can get the new package location from composer/installers, but it should be possible.
Also, in the case of drupal/core, there's this issue: #2385395: Make Drupal core folder agnostic and allow it to be placed in vendor/drupal/core
Comment #4
Mile23OK, given that cleanup happens in post-comand and post-update/install events, composer/installers has always already modified the installation path. This means we can use the installation manager to get that path.
Here's a patch which does this.
Edit:
Need to fix this. The inline doc is wrong. It's an array of strings.
Comment #5
Mile23Also need to review this in light of #3103918: [policy + docs] Decide on backwards compatibility policy for Composer plugins in Drupal 8
Comment #6
Chi CreditAttribution: Chi commentedThis looks like a duplicate of #3104291: drupal-core-vendor-hardening should not assume vendor directory.
Comment #7
Mile23Marked that one duplicate.
Comment #8
Mile23Updated docblocks, fixed inline documentation.
Comment #9
Chi CreditAttribution: Chi commentedI think README.txt needs to be updated.
Comment #10
Mile23Updates the readme.
This issue is targeted for 8.9.x, but it would be great to have it in 8.8.3+. This is a new behavior, but it's not exactly a new feature. We can consult findings in #3103918: [policy + docs] Decide on backwards compatibility policy for Composer plugins in Drupal 8 to figure out when this gets unleashed.
Comment #11
Chi CreditAttribution: Chi commentedWorks as expected. I was able to remove directories from Drupal core and contributed modules.
Comment #12
Chi CreditAttribution: Chi commentedDoes this need a change record?
Comment #13
Mile23Added a CR: https://www.drupal.org/node/3112213
Adding needs docs update tag because we'll need to change that once we know which versions of core support this behavior. We'll probably also need to update the CR with this version information if we get a backport to 8.8.x.
Comment #14
andypostLooking at docs it looks totally fine https://www.drupal.org/docs/develop/using-composer/using-drupals-vendor-...
PS: guess only CR will need version update
Comment #15
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedGreat many thanks @Mile23.
For anyone that wishes to apply this patch using composer and cweagans/composer-patches note that you will need to edit the patch first. Search and replace
/composer/Plugin/VendorHardening
with blank and delete the test change at the end.I would support backporting to 8 as this removes a significant limitation in the existing code. I am using it to remove Core tests and the demo/testing profiles.
Comment #17
andypostre-roll for 9.1.x
Comment #18
andypostanother re-roll
Comment #19
piggito CreditAttribution: piggito as a volunteer and at Skilld commentedI couldn't apply last patch using cweagans/composer-patches cause it includes changes in core tests which are part of a different composer package.
Therefore, I'm attaching a new patch which just removes test changes so that we can apply it with cweagans/composer-patches by adding
Comment #20
andypostComment #21
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedThis came up in discussion again recently. I am a weak -1 on this enhancement. If we supported removal of dev files from non-vendor locations, then modules might also use this feature for security, which would mean that sites based on drupal/recommended-project would have to start using the vendor hardening tool as well.
A better solution would be for modules to mode their dev bits into a Composer dependency installed in the vendor directory.
I do realize that a lot of modules want to work in both Composer and non-Composer environments, so this might be an additional burden for the non-Composer case. However, requiring Composer for development only doesn't seem too bad to me.
Comment #22
jungleAt least, it‘s worthy allowing to remove demo_umami profile optionally.
Comment #23
junglehttps://github.com/skilld-labs/drupal-cleanup, @andypost shared the composer plugin in slack, which is able to remove "profiles/demo_umami"
Comment #24
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedTrue but it depends on how the plug-in is being used. Here are two ways of using it where that won't work.
Comment #25
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commented#24.1: That's reasonable. I still feel that module maintainers should try to move away from shipping dev components, and rely on require-dev instead.
#24.2: Long term, all of core should move to vendor. This will happen eventually, but I don't know how long it will take.
Comment #26
Mile23+1 thank you, sounds great. :-)
I'm currently using oomphinc/composer-installers-extender to build a libraries/ directory on a D7 site. I'd love to be able to remove test directories from those packages.
I'm not sure how that follows. You could optionally add vendor-hardening after you've created your project if you want to.
If we're going there, then the solution is for extensions to be able to live in vendor/.
Comment #27
greg.1.anderson CreditAttribution: greg.1.anderson at Pantheon commentedYeah I guess we need this, because it will take a while before core and extensions live in vendor, and we probably won't get half solutions very quickly either.
Comment #28
Mile23I guess that leads us back to #18 needing review. #19 is bespoke for people to patch their core.
Comment #29
andypostComment #30
fgmTangentially related is #3165183: Do not remove vendor/bin/composer. Discussion on #drupal with @andypost and @Mile23 suggest we might want to allow modifying the removal list, both to add and remove cleaning targets, not just add more.
Comment #31
Mile23This issue is about 'hardening' any installed package, regardless of whether it's under vendor/.
Changing the way the plugin is configured would be out of scope, so add a follow-up for that.
Comment #32
fgmGood point. Done: #3165346: Make the hardening plugin more configurable.
Comment #34
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedI confirm that I used this patch and it worked for me. I don't understand composer enough to comment on the details of the code in the patch - however the maintainer/commiter will have that knowledge. It seems fair to set RTBC on this basis, let's see if we can get this useful patch in.
Comment #35
catch#18 isn't passing - custom commands failed.
Comment #36
Pooja Ganjage CreditAttribution: Pooja Ganjage at Asentech LLC commentedHi,
Creating a patch as suggested in #35 comment.
Please review the patch.
Thanks.
Comment #37
Pooja Ganjage CreditAttribution: Pooja Ganjage at Asentech LLC commentedComment #38
SpokjeNot quite sure on what patch #36 was based on, #18 or #19.
@Pooja Ganjage: An interdiff would help with that.
Anyway, since #36 didn't pass and #35 mentions #18 here's a patch based on that one which should pass Custom Commands
Comment #39
SpokjeNote: I couldn't find the test-file
VendorHardeningPluginTest
actually being ran on TestBot: https://dispatcher.drupalci.org/job/drupal_patches/72210/consoleTextComment #40
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedThanks @Spokje Looks good to me
Comment #41
catchComment #42
fgmComment #44
catchThis changes a public method on the vendor hardening plugin, but it's explicitly marked @internal so that's OK.
I have some of the same concerns as @greg.1.anderson here, however the changes required to support this are very minimal, so I guess I'm +0.1 or something.
Committed 216dc5c and pushed to 9.2.x. Thanks!