In order to get Open Social covered by Drupal’s security advisory policy we have worked hard to solve coding standards issues in our distribution. One of the biggest issues was the correct way of including our front-end JavaScript libraries. Drupal dictates we shouldn’t include any third-party libraries in our codebase.

 

“In general 3rd party libraries and content are forbidden, so do not commit any. Instead, document for your users how to find and install the library/content themselves.”

3rd party libraries and content on Drupal.org

 

Unfortunately we had quite a few third-party scripts as part of our theme’s components. This means we have to remove all these third-party scripts from our codebase and include them in another way. There are various options to do so, but we want to minimize the number of tools and steps for developers to get the distribution up and running. Reading the blogpost Round up your front-end JavaScript libraries with Composer by Acquia’s Lightning distribution, Composer felt like the best approach to solve our problem.

 

As you can read in the blogpost, the concept is to use the power of Composer to install packages by making use of the Asset Packagist repository. This allows for the installation of Bower and NPM packages as native Composer packages. All our 3rd party libraries can be installed via this repository, since they are all listed there.

 

How does this work?

For a library to be included and installed we list the repository in our composer file and specify the release version (range) we want to use.

 

… "require": { "bower-asset/waves": "0.7.5" }

We also need to add Asset Packagist to our repositories in order to use it:

"repositories": [
    {
        "type": "composer",
        "url": "https://asset-packagist.org"
    }
]

When we now run composer update, it will download and install this library for us.

Manual steps to take to update to release 1.5

The inclusion of the third-party libraries has been added to the installation profile. However, to make use of this new feature you need to add the Asset Packagist repository, as well as the location where the libraries should be installed, to your project’s composer.json file.

 

The following lines need to be added (You can see the full commit here).

 

Manual steps to take to update to release 1.6

 

  1. The first addition is the asset packagist repository, where the assets will be downloaded from.

  2. The second addition is the list of supported installer types. We support both Bower and NPM packages. At the moment we do not use NPM, but the option to use it is there.

  3. The third addition instructs Composer where to place these new libraries. As you can see, they will be placed in the html/libraries folder.

 

It is critical that you add these lines to your composer file that requires the Open Social install profile and then run composer update.
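
A pre-flight check for the three additions listed above, as an added example that is not part of the original post or Open Social's own code. The `installer-types` and `installer-paths` keys under `extra` and the `html/libraries/{$name}` pattern are assumptions about how the additions are expressed, and the sample composer.json is constructed.

```python
import json

ASSET_TYPES = ("bower-asset", "npm-asset")
ASSET_REPO = "https://asset-packagist.org"

# Constructed sample of a project composer.json after the three additions.
# The "extra" keys and the "{$name}" pattern are assumptions, not from the post.
SAMPLE = json.loads(r"""
{
  "require": {"bower-asset/waves": "0.7.5"},
  "repositories": [{"type": "composer", "url": "https://asset-packagist.org"}],
  "extra": {
    "installer-types": ["bower-asset", "npm-asset"],
    "installer-paths": {
      "html/libraries/{$name}": ["type:bower-asset", "type:npm-asset"]
    }
  }
}
""")


def check_composer(cfg):
    """Return a list of problems; an empty list means all three additions are present."""
    problems = []
    repos = cfg.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    urls = [r.get("url", "").rstrip("/") for r in repos
            if isinstance(r, dict) and r.get("type") == "composer"]
    if ASSET_REPO not in urls:  # a plain http:// URL is reported as missing too
        problems.append("repository %s is not configured" % ASSET_REPO)
    extra = cfg.get("extra", {})
    missing = [t for t in ASSET_TYPES if t not in extra.get("installer-types", [])]
    if missing:
        problems.append("installer-types lacks " + ", ".join(missing))
    for asset_type in ASSET_TYPES:
        targets = [path for path, rules in extra.get("installer-paths", {}).items()
                   if "type:" + asset_type in rules]
        if not any(p.startswith("html/libraries/") for p in targets):
            problems.append(asset_type + " is not installed under html/libraries/")
    return problems


if __name__ == "__main__":
    for line in check_composer(SAMPLE) or ["composer.json has all three additions"]:
        print(line)
```

To check a real project, load its composer.json with `json.load` and pass the result to `check_composer` before running composer update.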

 

The last step that we took is to relocate the scripts to a different folder. They used to be in the socialbase theme, but as these are third-party libraries it makes much more sense to put them in a libraries folder at the root of the website. In the theme we point to the (JavaScript) file that is in this libraries folder.

 

Relocate the scripts to a different folder.

 

We hope that with these steps you can update to the latest release without any issues. In the future we will try to prevent you from having to make these kinds of changes. Unfortunately there is no other way at the moment to comply with the Drupal security advisory policy but to take this road. If you have any questions, please create an issue on drupal.org of type support request. We will be happy to assist you.

Oct 09, 2017 - Development

Changing the third party library inclusion

To get Open Social covered by Drupal’s security advisory policy we solved all coding standard issues. Learn how to update!

posted by Maikel