bpekker.dev

kreynen, to drupal in To Patch or Not To Patch | bPekker.dev
@kreynen@fosstodon.org

@kreynen Worth noting that even the 2.x beta documentation recommends avoiding patches autogenerated by PR/MR URLs.

> "The contents of these patches can change by pushing more commits to a pull request or merge request. A malicious user could abuse this behavior to cause you to deploy code that you didn’t mean to deploy."

The recommendation is to download a patch & apply it locally, but I'm guessing we'll see devs continue to add patches in queues & include those URLs.

https://docs.cweagans.net/composer-patches/usage/defining-patches/

balintpekker,

@kreynen I completely agree, and as the post states, using the GitLab-provided patch in a composer.json without downloading it and referencing it from a local directory is also a security risk. That said, I'm curious how this recommendation will change once GitLab allows .patch to be appended to any compare URL.
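The risk both replies describe is that a patch URL pointing at a pull/merge request is a moving target: whatever is applied at `composer install` time is whatever the branch holds at that moment. A practical check is to lint `extra.patches` before the build runs. The script below is an added example written for this thread; it is not code from the post, from cweagans/composer-patches or from GitLab. It assumes the compact `{"description": "url-or-path"}` form and an expanded `[{"description", "url", "sha256"}]` form for patch entries (the `sha256` key is an assumption here), and it treats the "`.patch` on any compare URL" shape as hypothetical. The composer.json content and the patch file it writes are constructed for illustration.

```python
"""Audit composer-patches definitions for patch sources that can change underneath you.

Added example for the thread above; not code from the post, cweagans/composer-patches or GitLab.
The composer.json content and patch file in demo() are constructed for illustration.
Assumed entry shapes: compact {"desc": "url-or-path"} and expanded
[{"description": ..., "url": ..., "sha256": ...}] (the sha256 key is an assumption).
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# A PR/MR patch URL (GitHub pull/N[.patch|.diff], GitLab merge_requests/N[.patch|.diff])
# is regenerated from the branch head, so it changes whenever more commits are pushed.
MUTABLE_PR_URL = re.compile(r"/(?:pull|merge_requests)/\d+(?:\.(?:patch|diff))?$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def compare_refs(url: str):
    """Return the two endpoints of a GitLab-style /compare/A...B[.patch] URL, or None.
    Hypothetical shape for the 'patch from any compare URL' feature mentioned in the thread."""
    m = re.search(r"/compare/([^/]+)$", url)
    if not m:
        return None
    spec = re.sub(r"\.(?:patch|diff)$", "", m.group(1))
    parts = spec.split("...") if "..." in spec else spec.split("..")
    return parts if len(parts) == 2 else None


def classify_remote(url: str) -> str:
    """Classify a remote patch source by whether its content can silently change."""
    if MUTABLE_PR_URL.search(url):
        return "mutable-pr-url"            # follows the branch: deployable code can change
    refs = compare_refs(url)
    if refs is not None:
        # A compare URL is only immutable when both endpoints are full commit SHAs.
        pinned = all(FULL_SHA.fullmatch(r) for r in refs)
        return "pinned-compare" if pinned else "unpinned-compare"
    return "remote"                        # e.g. a single-commit .patch; still fetched over the network


def iter_patches(config: dict):
    """Yield (package, description, source, declared_sha256) for both entry shapes."""
    for package, entries in config.get("extra", {}).get("patches", {}).items():
        if isinstance(entries, dict):      # compact form: description -> url-or-path
            for desc, src in entries.items():
                yield package, desc, src, None
        else:                              # expanded form: list of objects
            for entry in entries:
                yield package, entry.get("description", ""), entry["url"], entry.get("sha256")


def audit_patches(config: dict, base_dir: Path) -> list:
    """Return (package, description, source, status) for every patch in extra.patches."""
    findings = []
    for package, desc, src, declared in iter_patches(config):
        if re.match(r"^https?://", src):
            status = classify_remote(src)
        else:
            path = Path(base_dir) / src
            if not path.is_file():
                status = "local-missing"
            else:
                actual = hashlib.sha256(path.read_bytes()).hexdigest()
                if declared is None:
                    status = "local"       # vendored copy, but nothing pins its content
                elif actual == declared:
                    status = "local-pinned"
                else:
                    status = "local-hash-mismatch"  # file edited after the pin was recorded
        findings.append((package, desc, src, status))
    return findings


CONSTRUCTED_PATCH = b"--- a/widget.php\n+++ b/widget.php\n@@ -1 +1 @@\n-bad\n+good\n"


def demo() -> list:
    """Run the audit over a constructed composer.json in a temporary project directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "patches").mkdir()
        (base / "patches" / "fix-widget.patch").write_bytes(CONSTRUCTED_PATCH)
        good = hashlib.sha256(CONSTRUCTED_PATCH).hexdigest()
        config = {"extra": {"patches": {
            "example/alpha": {
                "PR patch: follows the branch": "https://github.com/example/alpha/pull/42.patch",
                "MR patch: follows the branch": "https://gitlab.com/example/alpha/-/merge_requests/7.diff",
                "compare by branch name": "https://gitlab.com/example/alpha/-/compare/main...feature.patch",
                "compare by commit SHAs": f"https://gitlab.com/example/alpha/-/compare/{'a' * 40}...{'b' * 40}.patch",
                "single commit": "https://gitlab.com/example/alpha/-/commit/" + "c" * 40 + ".patch",
                "vendored copy": "patches/fix-widget.patch",
            },
            "example/beta": [
                {"description": "vendored copy with sha256", "url": "patches/fix-widget.patch", "sha256": good},
                {"description": "stale pin", "url": "patches/fix-widget.patch", "sha256": "0" * 64},
                {"description": "missing file", "url": "patches/gone.patch"},
            ],
        }}}
        (base / "composer.json").write_text(json.dumps(config))
        return audit_patches(json.loads((base / "composer.json").read_text()), base)


if __name__ == "__main__":
    for package, desc, src, status in demo():
        print(f"{status:22} {package:14} {desc}: {src}")
```

Anything reported as `mutable-pr-url` or `unpinned-compare` is the case the thread warns about; the fix is to download the patch into the repository, reference the local path, and (if your composer-patches version supports a hash field) record its sha256 so that a later edit to the vendored file is also caught.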
