Skip to content

drupal-composer/drupal-security-advisories

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Drupal Security Advisories for Composer

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities. Inspired by Roave Security Advisories.

Circle CI

Installation

Drupal 8+ (composer.json)

~$ composer require drupal-composer/drupal-security-advisories:dev-8.x-v2

Drupal 7 (composer.json)

~$ composer require drupal-composer/drupal-security-advisories:dev-7.x-v2

Usage

This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues.

Stability

This package can only be required in its dev-* version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense.

This package is therefore only suited for installation in the root of your deployable project.

Handling Failures

In the rare event that a security release does not affect your project, and upgrading to latest release is undesireable, you can suppress a build failure by specifying a particular SHA project in composer.json. For example, assume that drupal/dynamic_entity_reference 8.1.0-beta2 just came out as a Security release. In order to keep using 8.1.0-beta1, you can specify the following in composer.json:

"require": { "drupal/dynamic_entity_reference": "dev-8.x-1.x#8713890" }, 

Note: that this approach opts your package out of any future security releases. You can check for future security releases with drush pm:security (drush9) or drush pm-updatestatus (drush8).

Sources

This packages gets information form Drupal.org APIs.

Build command: ./build/build.sh

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •