Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The Composer is a part of Drupal 8.2 core and if you run it to update dependancies or update itself, it updates its files inside /vendor/composer/
or composer.json in root dir and then Hacked! screams that files were changed! And new user start panicking his website got hacked.
Read more about Drupal 8 and Composer
https://www.drupal.org/node/2404989
https://www.drupal.org/node/2718229
Comment | File | Size | Author |
---|---|---|---|
#5 | hacked2.PNG | 27.88 KB | marassa |
Untitled-1.jpg | 104.27 KB | vibrasphere |
Comments
Comment #2
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedMaybe we could ignore the whole vendor-directory? Maybe with an extra option?
In my composer-based installation hacked says that all the vendor files are *deleted*.
I think composer puts the vendor directory in a different place...
Comment #3
PieterDCI can confirm this behaviour.
Comment #4
gngn CreditAttribution: gngn at Computer Manufaktur GmbH commentedcomposer_deploy uses webflo/drupal-finder to check the vendor directory - maybe we could do something similiar?
Comment #5
marassa CreditAttribution: marassa commentedThis is still annoyingly true. My fresh composer-managed update to 9.4.0 shows:
The "deleted" files are apparently those in the vendor directory composer puts outside the web root.
The "changed" files are all yml files lacking the footer added by Drupal.org packaging script:
Comment #6
ivnish CreditAttribution: ivnish commentedComment #7
ivnish CreditAttribution: ivnish commented