To Patch or Not To Patch | bPekker.dev

There is an ongoing debate among developers about contributing via patches versus pull (merge) requests. Since its migration to GitLab in 2018, Drupal has undergone significant changes, and the removal of DrupalCI and automated patch testing as of July 2024 may change the way contributions are made.

kreynen, @kreynen@fosstodon.org

@kreynen Worth noting that even the 2.x beta documentation recommends avoiding patches autogenerated by PR/MR URLs.

> "The contents of these patches can change by pushing more commits to a pull request or merge request. A malicious user could abuse this behavior to cause you to deploy code that you didn’t mean to deploy."

The recommendation is to download a patch & apply it locally, but I'm guessing we'll see devs continue to add patches in queues & include those URLs.

https://docs.cweagans.net/composer-patches/usage/defining-patches/

balintpekker,

@kreynen I completely agree, and as the post states, using the GitLab provided patch in a composer.json without downloading it and referencing it from a local directory is also a security risk. I'm curious, though, how this recommendation will change once GitLab allows .patch to be appended to any compare URL.
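The risk both comments describe is that a patch URL generated from a merge request, pull request or compare view is re-rendered from the branch tip on every request, so a composer.json that points at it installs whatever that branch contains today. The following audit script is an added example (it is not code from the post, from balintpekker, or from cweagans/composer-patches): it walks the `extra.patches` tree of a composer.json, flags every patch URL of that mutable shape, and checks local patch files against a recorded sha256. It assumes the short format `{"vendor/pkg": {"description": "url"}}` and, for pinned entries, the 2.x expanded format `{"vendor/pkg": [{"url": ..., "sha256": ...}]}` as described in the linked docs; verify the `sha256` key against those docs for your plugin version. The package names, URLs and patch contents in `run_demo()` are constructed for the demonstration.

```python
"""Audit the patch sources in a composer.json for mutable MR/PR/compare URLs.

Added example, not code from the post or from cweagans/composer-patches.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# URL shapes that GitLab and GitHub render from the current tip of a branch.
# Pushing more commits changes the returned patch, which is the risk the
# composer-patches docs quoted in the thread describe. The compare form is
# included on the assumption that it resolves refs at request time the same way.
MUTABLE_URL_PATTERNS = (
    re.compile(r"/-/merge_requests/\d+\.(patch|diff)(\?.*)?$"),  # GitLab MR
    re.compile(r"/pull/\d+\.(patch|diff)(\?.*)?$"),              # GitHub PR
    re.compile(r"/compare/[^/?]+\.(patch|diff)(\?.*)?$"),        # compare view
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def iter_patch_defs(composer):
    """Yield (package, url, sha256) for each patch in either definition format."""
    patches = composer.get("extra", {}).get("patches", {})
    for package, defs in patches.items():
        # short format is a dict of description -> url; expanded format is a
        # list of objects (a dict of description -> object is handled too)
        entries = defs.values() if isinstance(defs, dict) else defs
        for entry in entries:
            if isinstance(entry, str):
                yield package, entry, None
            else:
                yield package, entry.get("url", ""), entry.get("sha256")


def sha256_of(path):
    """Hex sha256 of a file on disk."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def classify_patch(url, sha256, project_root):
    """Return a status string for one patch definition."""
    if not SCHEME_RE.match(url):                   # no scheme: a local file
        path = Path(project_root) / url
        if not path.is_file():
            return "MISSING"
        if sha256 is None:
            return "UNPINNED"                      # present, but nothing to verify against
        return "OK" if sha256_of(path) == sha256.lower() else "MISMATCH"
    if any(p.search(url) for p in MUTABLE_URL_PATTERNS):
        return "MUTABLE"                           # regenerated from a moving branch
    return "REMOTE"                                # fetched at install time; pin if possible


def audit(composer, project_root):
    """List (package, url, status) for every patch defined in composer."""
    return [(pkg, url, classify_patch(url, digest, project_root))
            for pkg, url, digest in iter_patch_defs(composer)]


def run_demo():
    """Audit a constructed project (hypothetical packages and URLs) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patches").mkdir()
        local = root / "patches" / "3000001-fix.patch"
        local.write_text("--- a/x.php\n+++ b/x.php\n@@ -1 +1 @@\n-old\n+new\n")
        composer = {"extra": {"patches": {
            # short format, MR URL: content changes whenever the MR branch moves
            "drupal/pkg_a": {"Issue #1": "https://git.drupalcode.org/project/pkg_a/-/merge_requests/12.patch"},
            # expanded format, local copy with a matching hash
            "drupal/pkg_b": [{"description": "Issue #2", "url": "patches/3000001-fix.patch",
                              "sha256": sha256_of(local)}],
            # expanded format, local copy whose recorded hash is stale
            "drupal/pkg_c": [{"description": "Issue #3", "url": "patches/3000001-fix.patch",
                              "sha256": "0" * 64}],
            # short format, remote file that is not an MR/PR/compare URL
            "drupal/pkg_d": {"Issue #4": "https://www.drupal.org/files/issues/2024-01-01/3000004-5.patch"},
        }}}
        return audit(composer, root)


if __name__ == "__main__":
    for package, url, status in run_demo():
        print(f"{status:9} {package}: {url}")
```

Run it against a real project by loading composer.json with `json.load` and passing the parsed dict and the project root to `audit()`; anything reported as MUTABLE is exactly the case the quoted docs warn about, and the fix is the one kreynen cites: download the patch, commit it under the project, reference the local path, and record its sha256 so a swapped file is caught at install time.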
