Drupal Security Advisories for Composer

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities. Inspired by Roave Security Advisories.

Circle CI

Installation

Drupal 9+ (composer.json)

~$ composer require drupal-composer/drupal-security-advisories:9.x-dev

Drupal 7 (composer.json)

~$ composer require drupal-composer/drupal-security-advisories:7.x-dev

Usage

This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues.

Stability

This package can only be required in its dev-* version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense.

This package is therefore only suited for installation in the root of your deployable project.

Handling Failures

In the rare event that a security release does not affect your project, and upgrading to latest release is undesirable, you can suppress a build failure by specifying a particular SHA project in composer.json. For example, assume that drupal/dynamic_entity_reference 8.1.0-beta2 just came out as a Security release. In order to keep using 8.1.0-beta1, you can specify the following in composer.json:

"require": {
  "drupal/dynamic_entity_reference": "dev-8.x-1.x#8713890"
},

Note: that this approach opts your package out of any future security releases. You can check for future security releases with drush pm:security (drush9) or drush pm-updatestatus (drush8).

Sources

This packages gets information form Drupal.org APIs.

Building

  • Drupal 9+: php console.php build:composer current
  • Drupal 7: php console.php build:composer 7.x