The Composer is a part of Drupal 8.2 core and if you run it to update dependancies or update itself, it updates its files inside /vendor/composer/ or composer.json in root dir and then Hacked! screams that files were changed! And new user start panicking his website got hacked.

a

Read more about Drupal 8 and Composer
https://www.drupal.org/node/2404989
https://www.drupal.org/node/2718229

CommentFileSizeAuthor
#5 hacked2.PNG27.88 KBmarassa
Untitled-1.jpg104.27 KBvibrasphere
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

vibrasphere created an issue. See original summary.

gngn’s picture

gngn CreditAttribution: gngn at Computer Manufaktur GmbH commented

Maybe we could ignore the whole vendor-directory? Maybe with an extra option?

In my composer-based installation hacked says that all the vendor files are *deleted*.
I think composer puts the vendor directory in a different place...

PieterDC’s picture

PieterDC
Primary language Dutch
Location Ghent
CreditAttribution: PieterDC at Dropsolid commented

I can confirm this behaviour.

gngn’s picture

gngn CreditAttribution: gngn at Computer Manufaktur GmbH commented

composer_deploy uses webflo/drupal-finder to check the vendor directory - maybe we could do something similiar?

marassa’s picture

marassa CreditAttribution: marassa commented
Status: Active » Needs work
FileSize
hacked2.PNG27.88 KB

This is still annoyingly true. My fresh composer-managed update to 9.4.0 shows:
Only local images are allowed.
The "deleted" files are apparently those in the vendor directory composer puts outside the web root.
The "changed" files are all yml files lacking the footer added by Drupal.org packaging script:
error

ivnish’s picture

ivnish CreditAttribution: ivnish commented
Category: Bug report » Feature request
Status: Needs work » Active
ivnish’s picture

ivnish CreditAttribution: ivnish commented
Category: Feature request » Bug report