This package ensures that your application doesn't have installed dependencies with known security vulnerabilities. Inspired by Roave Security Advisories., (*1)
~$ composer require drupal-composer/drupal-security-advisories:8.x-dev
~$ composer require drupal-composer/drupal-security-advisories:7.x-dev
This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues., (*3)
This package can only be required in its dev-* version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense., (*4)
This package is therefore only suited for installation in the root of your deployable project., (*5)
In the rare event that a security release does not affect your project, and upgrading to latest release is undesireable, you can suppress a build failure by specifying a particular SHA project in composer.json. For example, assume that drupal/dynamic_entity_reference 8.1.0-beta2 just came out as a Security release. In order to keep using 8.1.0-beta1, you can specify the following in composer.json:, (*6)
``` "require": { "drupal/dynamic_entity_reference": "dev-8.x-1.x#8713890" },, (*7)
```, (*8)
Note: that this approach opts your package out of any future security releases. You can check for future security releases with drush pm:security
(drush9) or drush pm-updatestatus
(drush8)., (*9)
This packages gets information form Drupal.org APIs., (*10)
Build command: ./build/build.sh
, (*11)