Problem/Motivation
While working toward #2982680: Add composer-ready project templates to Drupal core., we discovered that the Vendor Hardening Plugin sometimes fails to work, throwing an error:
Fatal error: Uncaught Error: Class 'Drupal\Component\FileSecurity\FileSecurity' not found in phar:///Users/ganderson/bin/composer/src/Composer/Plugin/PluginManager.php(196) : eval()'d code:245
The problem is that Composer plugins do not include the autoload.php file; instead, they dynamically create their autoload information on the fly at runtime. This allows plugin hooks to work before the autoloader is dumped. The limitation here, though, is that the plugin manager does not allow plugins to hook the dynamic autoload generation, because this would be circular. The upshot is that a plugin can only autoload classes that are located in their default location inside vendor, because the Composer Installers plugin is not given a chance to fix up any paths. Because of this, the Vendor Hardening plugin cannot find the Core File Security component, because the latter is relocated to the /core directory.
Proposed resolution
In #3077455: Move Drupal Components out of 'core' directory, we considered fixing this by relocating the Core File Security component back to the vendor directory; however, that solution seemed too invasive to do at this time, so we are exploring potential workarounds instead.
There are two options:
- Preferred: Manually find the /core directory and require_once the File Security class.
- Fallback: Put a complete copy of the File Security class in a new namespace inside the Vendor Hardening Plugin.
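One way the preferred option could look, as an added example that is not the plugin's own code. The function name load_class_from_core() and its $relative_file parameter are hypothetical; the Composer calls are the standard local repository and installation manager APIs.

```php
<?php
// Added illustration, not the Vendor Hardening plugin's own code.

use Composer\Composer;

/**
 * Loads a class file straight from the installed drupal/core package when the
 * plugin-time autoloader cannot resolve the class.
 *
 * @param string $relative_file
 *   Location of the class file inside drupal/core. Supplied by the caller;
 *   the layout is an assumption of this example.
 */
function load_class_from_core(Composer $composer, string $class, string $relative_file): void {
  // Nothing to do if the class is already loadable.
  if (class_exists($class)) {
    return;
  }
  // Ask Composer where drupal/core really lives: the Composer Installers
  // plugin may have relocated it away from vendor/.
  $package = $composer->getRepositoryManager()
    ->getLocalRepository()
    ->findPackage('drupal/core', '*');
  if ($package === NULL) {
    throw new \RuntimeException('drupal/core is not installed; cannot load ' . $class);
  }
  $install_path = $composer->getInstallationManager()->getInstallPath($package);
  $core_dir = $install_path ? realpath($install_path) : FALSE;
  $file = $core_dir === FALSE ? FALSE : realpath($core_dir . '/' . $relative_file);
  // Refuse anything that resolves outside the package directory (symlinks
  // or ".." segments), so only code shipped with drupal/core is executed.
  if ($file === FALSE || strpos($file, $core_dir . DIRECTORY_SEPARATOR) !== 0) {
    throw new \RuntimeException('Refusing to load ' . $relative_file . ' from outside drupal/core');
  }
  require_once $file;
  // Fail with a clear message instead of a later "Class not found" fatal.
  if (!class_exists($class, FALSE)) {
    throw new \RuntimeException($file . ' did not define ' . $class);
  }
}
```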
Remaining tasks
None.
Follow-on Tasks
- #3077455: Move Drupal Components out of 'core' directory
- #3076600: Create drupal/core-recommended metapackage
- #2982680: Add composer-ready project templates to Drupal core.
- #3079890: Re-add drupal/core-file-security in Vendor Hardening plugin composer.json
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
To work around a Composer class loader limitation, the Vendor Hardening plugin now uses require_once to directly load the file security class from drupal/core.