
Security vulnerabilities from dev composer dependencies are bundled into production code

Open ryanshoover opened this issue 6 years ago • 2 comments

Steps required to reproduce the problem

  1. Install fb-instant-articles from the WordPress.org repo
  2. The vendor directory contains the WPCS and PHP Codesniffer packages
  3. Those packages contain known security vulnerabilities

Expected Result

  1. Plugin distributed to the WordPress plugin repo doesn't contain development packages.
  2. The WPCS package is already marked as a require-dev dependency.
  3. The deploy script that packages the code to send to the WordPress Plugin repo needs to include the --no-dev flag in its composer install
  4. That script doesn't seem to be versioned in this repo.

Version Info

  • Plugin version: 4.2.0
  • WordPress version: Any
  • PHP version: Any

ryanshoover avatar May 08 '19 18:05 ryanshoover

It's not just the security aspect, but simply the number of redundant files that need to be reviewed before reaching production. The process that creates the .zip file available in Releases on Github also results in PHPCS and WPCS packages being included unnecessarily.

GaryJones avatar Dec 23 '20 10:12 GaryJones

I think updating the release.sh file should do it

run composer install --no-dev

rodruiz avatar Feb 18 '21 21:02 rodruiz
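The thread's fix is to run `composer install --no-dev` in the release script; the release gate below is an added example (not code from the plugin or from any commenter) that audits the packaged tree afterwards, reporting any `require-dev` package from `composer.json` that still appears in `vendor/composer/installed.json`. The sample `composer.json` and `installed.json` contents are constructed for the example; the installed.json shapes assumed are Composer 2's object form (`packages`, `dev`) and Composer 1's bare list.

```python
import json
from pathlib import Path

# Constructed sample composer.json: the coding-standards tooling sits under
# require-dev, as the issue says it already does for WPCS (constraints illustrative).
SAMPLE_COMPOSER_JSON = """{
  "require": {"php": ">=5.6"},
  "require-dev": {
    "wp-coding-standards/wpcs": "^2.0",
    "squizlabs/php_codesniffer": "^3.0"
  }
}"""

# Constructed installed.json as a plain `composer install` (dev deps included)
# would leave it: this is the state the issue reports in the shipped zip.
SAMPLE_INSTALLED_WITH_DEV = """{
  "packages": [
    {"name": "squizlabs/php_codesniffer", "version": "3.5.8"},
    {"name": "wp-coding-standards/wpcs", "version": "2.3.0"}
  ],
  "dev": true,
  "dev-package-names": ["squizlabs/php_codesniffer", "wp-coding-standards/wpcs"]
}"""

# Constructed installed.json after `composer install --no-dev`.
SAMPLE_INSTALLED_NO_DEV = """{"packages": [], "dev": false, "dev-package-names": []}"""


def installed_package_names(installed_json: str) -> set:
    """Package names recorded in installed.json, accepting either Composer format."""
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    return {pkg["name"] for pkg in packages}


def dev_packages_in_build(composer_json: str, installed_json: str) -> list:
    """Sorted require-dev package names that ended up in the built vendor tree."""
    dev_deps = set(json.loads(composer_json).get("require-dev", {}))
    return sorted(dev_deps & installed_package_names(installed_json))


def check_release_tree(plugin_dir: str) -> list:
    """Audit a packaged plugin directory on disk; an empty list means nothing leaked."""
    root = Path(plugin_dir)
    installed = root / "vendor" / "composer" / "installed.json"
    if not installed.exists():
        return []  # no Composer vendor tree is bundled at all
    return dev_packages_in_build((root / "composer.json").read_text(), installed.read_text())


if __name__ == "__main__":
    print("dev packages in build:", dev_packages_in_build(SAMPLE_COMPOSER_JSON, SAMPLE_INSTALLED_WITH_DEV))
```

In a release script, call `check_release_tree` on the staged directory and fail the build when the list is non-empty, so a missing `--no-dev` is caught before the zip reaches the WordPress.org repo.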