Skip to content

How to handle security advisories#3278

Open
adriendupuis wants to merge 15 commits into
4.6from
security-advisories
Open

How to handle security advisories#3278
adriendupuis wants to merge 15 commits into
4.6from
security-advisories

Conversation

@adriendupuis

@adriendupuis adriendupuis commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
Question Answer
JIRA Ticket
Versions 4.6 (TODO: something to reuse on 5.0??)
Edition

#3235 and #3246 show that maintaining an exhaustive list of Security Advisories (SA) for both update and install is fastidious.

This PR proposes to explain how to handle SA in general.

Also document how to suppress deprecation messages breaking ibexa:install on PHP 8.4

Move CI code_samples.yaml from deprecated config.audit.ignore to config.policy.advisories.ignore-id, update its SA list, and sort alphabetically.

Checklist

  • Text renders correctly
  • Text has been checked with vale
  • Description metadata is up to date
  • Redirects cover removed/moved pages
  • Code samples are working
  • PHP code samples have been fixed with PHP CS fixer
  • Added link to this PR in relevant JIRA ticket or code PR

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

@mnocon mnocon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initial pass, like the direction a lot - seems much more maintanable than maintaing the list of advisories 💪

Comment thread docs/infrastructure_and_maintenance/security/security_advisories.md Outdated
Comment thread docs/infrastructure_and_maintenance/security/security_checklist.md Outdated
Comment thread docs/getting_started/install_ibexa_dxp.md Outdated
This was referenced Jul 7, 2026
@adriendupuis adriendupuis marked this pull request as ready for review July 7, 2026 12:48
@adriendupuis adriendupuis requested review from glye and mnocon July 7, 2026 12:48
@adriendupuis adriendupuis force-pushed the security-advisories branch from f758443 to 1a23ac6 Compare July 7, 2026 13:29

@glye glye left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement.


- Run servers on a recent operating system and install security patches for dependencies.
- Configure servers to alert you about security updates from vendors. Pay special attention to dependencies used by your project directly, or by PHP. The provider of the operating system usually has a service for this.
- Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also add a point about considering whether you should update to very freshly released packages. There is a potential security benefit to avoiding the newest packages, because of supply-chain attacks. Composer doesn't have a setting for this yet, but minimum-release-age is coming:
composer/composer#12633

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glye Some like this?:

Suggested change
- Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions.
- Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions. Delay the installation of recently released version that aren't fixes. Only install fixing versions and one-month-old versions.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels too definite and specific to me. "that aren't fixes" isn't very helpful since attacks will likely camouflage as fixes. I would only advise people to consider the risk of supply chain attacks, and whether they ought to have a policy for avoiding recent releases newer than X time.

Comment thread docs/infrastructure_and_maintenance/security/security_advisories.md Outdated
Co-authored-by: Gunnstein Lye <289744+glye@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants