@kreynen I completely agree, and as the post states, using the GitLab provided patch in a composer.json without downloading it and referencing it from a local directory is also a security risk. Although, I'm curious how this recommendation will change once GitLab allows .patch to be appended to any compare URL.