security-updates


Security Updates for Drupal with Composer


Use when:
  • Running a security audit on a Drupal project
  • Fixing packages flagged by `composer audit`
  • Applying a specific security advisory
  • Verifying no known vulnerabilities remain


Before You Start — Create a Branch


This step is mandatory. Do not run any composer commands until a new branch is created and confirmed. Never update packages directly on `main` or `master`.

Check the current branch first:

```bash
git branch --show-current
```

If the user is on `main`, `master`, or any protected branch, stop and ask: "What would you like to name the new branch for these security fixes?"

Suggest a default if they are unsure (e.g., `security/drupal-updates-YYYY-MM-DD`).

```bash
git checkout -b <branch-name>
```

Confirm the new branch is active before proceeding:

```bash
git branch --show-current
```

Only continue to the next step once the output confirms a non-protected branch. Empty output means HEAD is detached; check out the intended base branch first so the fix branch starts from known code.


Audit for Vulnerabilities


```bash
composer audit
```

Output lists packages with known advisories, CVE IDs where one has been assigned, affected version ranges, and links to the advisory. The command exits non-zero when at least one advisory is found, so it can gate a CI job. By default it checks the packages Composer has installed (`--locked` audits `composer.lock` instead), so run it after `composer install` on the branch you intend to fix.

JSON output (for scripting)


```bash
composer audit --format=json
```

Audit without dev dependencies


```bash
composer audit --no-dev
```

This mirrors what a production deploy installs. Dev-only packages still run on developer machines and in CI, so fix them as well rather than treating a clean `--no-dev` audit as the final word.

Fix a Specific Vulnerable Package


```bash
composer update drupal/package --with-all-dependencies
```

Use `--with-all-dependencies` (short form `-W`) to allow transitive dependency version changes required by the update; without it Composer only touches the packages you name and fails when the fix needs anything else to move. The update still honours the constraint in `composer.json`: if the fixed release lies outside that constraint, Composer silently keeps the highest version the constraint allows and the audit keeps reporting the advisory. See Troubleshooting below for that case.

Example — fix a known advisory in
drupal/core


```bash
composer update drupal/core-recommended drupal/core-composer-scaffold --with-all-dependencies
```

When the project requires `drupal/core-recommended`, update it rather than `drupal/core` directly: `core-recommended` pins core's dependencies to exact versions, so updating `drupal/core` alone cannot resolve. Add any other `drupal/core-*` package the project requires (for example `drupal/core-dev`) to the same command.

Fix All Packages with Advisories


Update only packages flagged by the audit, staying within the version constraints in `composer.json`:

```bash
pkgs=$(composer audit --format=json 2>/dev/null \
  | python3 -c "import sys, json; print(' '.join(sorted(json.load(sys.stdin).get('advisories') or {})))")
# Guard: with no package names, `composer update --with-all-dependencies` would update *every* package.
[ -n "$pkgs" ] && composer update --with-all-dependencies $pkgs
```

The guard matters: on a clean audit (or if the parsing step fails) the substitution is empty, and a bare `composer update --with-all-dependencies` updates everything in the lock file instead of nothing.

Or update them manually after reviewing the audit output:

```bash
# List vulnerable packages from audit output, then update each
composer update drupal/package1 drupal/package2 --with-all-dependencies
```
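The one-liner above, and the JSON output section before it, are easier to reason about as a small script. The following is an added example, not code from this page, from Composer or from Drupal: it parses `composer audit --format=json`, prints one review line per advisory (including the link the Best Practices ask you to read), and builds a `composer update` limited to the flagged packages, returning `None` on a clean audit so a caller can never run an unscoped update. Field names follow Composer's audit JSON (`advisories` keyed by package name, each a list of objects with `packageName`, `affectedVersions`, `title`, `cve`, `link`); the sample document, package names, advisory ids and links are constructed placeholders, and `run_audit` is the only part that talks to a real Composer.

```python
"""Added example (not from the page, Composer or Drupal): turn
`composer audit --format=json` into a review list and a targeted update."""
import json
import shlex
import subprocess
from typing import Dict, List, Optional

Advisories = Dict[str, List[dict]]   # package name -> advisory objects for it

# Constructed sample output (placeholder ids, titles and links; not real advisories).
SAMPLE_AUDIT_JSON = """{
  "advisories": {
    "drupal/example_module": [
      {"advisoryId": "PKSA-example-1", "packageName": "drupal/example_module",
       "affectedVersions": ">=2.0.0,<2.1.3", "title": "Example module - Access bypass",
       "cve": null, "link": "https://example.invalid/advisory-1", "severity": "medium"},
      {"advisoryId": "PKSA-example-2", "packageName": "drupal/example_module",
       "affectedVersions": ">=2.0.0,<2.1.4", "title": "Example module - Cross-site scripting",
       "cve": "CVE-YYYY-NNNNN", "link": "https://example.invalid/advisory-2", "severity": "high"}
    ],
    "vendor/example-lib": [
      {"advisoryId": "PKSA-example-3", "packageName": "vendor/example-lib",
       "affectedVersions": "<1.4.2", "title": "Example lib - Denial of service",
       "cve": null, "link": "https://example.invalid/advisory-3", "severity": "low"}
    ]
  }
}"""


def parse_advisories(text: str) -> Advisories:
    """Return {package: [advisory, ...]} from audit JSON.

    PHP's json_encode turns an empty array into a JSON list, so a clean audit can
    carry "advisories": [] rather than {}. A naive .values() call on that dies,
    and if stderr is discarded the caller is left with no package names, which
    turns `composer update -W` into an update of everything. Anything that is
    not an object is therefore treated as "no advisories".
    """
    raw = json.loads(text).get("advisories")
    if not isinstance(raw, dict):
        return {}
    return {pkg: list(items) for pkg, items in raw.items() if items}


def review_lines(adv: Advisories) -> List[str]:
    """One line per advisory, for the human review the page asks for before updating."""
    lines = []
    for pkg in sorted(adv):
        for a in adv[pkg]:
            ident = a.get("cve") or a.get("advisoryId", "no id")
            lines.append(
                f"{pkg}: {a.get('title', '(no title)')} [{ident}] "
                f"affected {a.get('affectedVersions', '?')} "
                f"severity={a.get('severity', 'unknown')} {a.get('link', '')}"
            )
    return lines


def update_command(adv: Advisories) -> Optional[List[str]]:
    """argv for a `composer update` scoped to the flagged packages, or None if nothing is flagged."""
    if not adv:
        return None
    return ["composer", "update", "--with-all-dependencies", *sorted(adv)]


def is_clean(text: str) -> bool:
    """True when the audit JSON reports no advisories (the verification step)."""
    return not parse_advisories(text)


def run_audit(cwd: str = ".", no_dev: bool = False) -> Advisories:
    """Run the real command. No check=True: composer audit exits non-zero exactly when
    advisories exist, and that is the case we want to parse, not raise on."""
    argv = ["composer", "audit", "--format=json"] + (["--no-dev"] if no_dev else [])
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
    return parse_advisories(proc.stdout)


if __name__ == "__main__":
    found = parse_advisories(SAMPLE_AUDIT_JSON)
    print("\n".join(review_lines(found)))
    cmd = update_command(found)
    print(shlex.join(cmd) if cmd else "audit clean: nothing to update")
```

Run as a script it prints the review lines for the constructed sample and the exact `composer update` argv; in a real project replace the sample with `run_audit()` and hand `update_command(...)` to `subprocess.run` only when it is not `None`.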

---

Verify No Vulnerabilities Remain


```bash
composer audit
```

Expected output after all fixes:

```
No security vulnerability advisories found.
```

After the audit is clean, always ask the user these questions in order:

1. "Do you want to commit these changes?"
   • If yes, check `git status` first: a core update can also rewrite scaffold files (for example `.htaccess` or `robots.txt`) through `drupal/core-composer-scaffold`, and those must be staged too if the repository tracks them. Then:
     ```bash
     git add composer.json composer.lock
     git commit -m "Apply Drupal security updates"
     ```
   • If no → remind the user that `composer.json` and `composer.lock` are uncommitted before proceeding.
2. "Do you want to deploy these changes to an Acquia environment?"
   • If yes → follow the **Drupal Update and Deploy playbook** to push code, switch the environment, and optionally trigger a pipeline build.
   • If no → done.


Troubleshooting


"Your requirements could not be resolved"


The version required to fix the advisory conflicts with another constraint. Options:

```bash
# Check what requires the package
composer why drupal/package

# Check what prevents the update
composer why-not drupal/package 2.x

# Relax the constraint in composer.json if safe, then retry
composer update drupal/package --with-all-dependencies
```

Here `2.x` stands for the release line that contains the fix; `composer why-not` prints every requirement that rules that line out, which is the list of constraints you have to relax or the packages you have to update alongside it.

Advisory persists after update


Composer's cached advisory data can be stale, but first confirm that the installed version actually left the affected range: `composer audit` shows the affected versions for each advisory, and if the update stayed inside that range (because the constraint in `composer.json` did not admit the fixed release) the `composer why-not` check above shows what holds it back. Only if the installed version is genuinely outside the range is cached data the likely cause; `composer audit` has no cache-refresh option of its own, so clear Composer's cache and re-run the audit:

```bash
composer clear-cache
composer audit
```
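As an added example for this troubleshooting step (not from the page or from Composer), the script below decides whether an installed version is still inside an advisory's affected range before you blame the cache. Composer reports these ranges as constraint strings such as `>=10.0,<10.2.3|>=10.3,<10.3.1`, where `,` means AND and `|` (or `||`) means OR. The comparator is deliberately simplified to numeric dotted versions and refuses pre-release or legacy `8.x-1.5`-style versions rather than guessing; the ranges and versions it is run on are constructed.

```python
"""Added example (not from the page or Composer): is an installed version still
inside an advisory's affectedVersions range? Simplified comparator: numeric dotted
versions only; anything else raises ValueError instead of being guessed at."""
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.2.3' -> (10, 2, 3, 0), zero-padded so '<=10.2' matches '10.2.0'."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version {text!r}: numeric dotted versions only")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_comparable(text: str) -> bool:
    """True if parse_version accepts `text`; check this before trusting version_in_range."""
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def _term_matches(version: Version, term: str) -> bool:
    term = term.strip()
    for op in (">=", "<=", "==", ">", "<", "="):      # two-character operators first
        if term.startswith(op):
            return _OPS[op](version, parse_version(term[len(op):]))
    raise ValueError(f"unsupported constraint term {term!r}")


def version_in_range(installed: str, affected: str) -> bool:
    """True when `installed` satisfies every AND-term of at least one OR-clause."""
    v = parse_version(installed)
    for clause in affected.replace("||", "|").split("|"):
        terms = [t for t in clause.split(",") if t.strip()]
        if terms and all(_term_matches(v, t) for t in terms):
            return True
    return False


def still_affected(installed: str, advisories: List[dict]) -> List[dict]:
    """Advisories (objects with an affectedVersions key, as in audit JSON) that still
    cover `installed`. An empty list means the update really fixed them, so a report
    that persists points at stale cached data rather than at the package."""
    return [a for a in advisories if version_in_range(installed, a["affectedVersions"])]


if __name__ == "__main__":
    # Constructed sample: a range with two fixed lines, checked against three versions.
    rng = ">=10.0,<10.2.3|>=10.3,<10.3.1"
    for ver in ("10.2.2", "10.2.3", "10.3.0"):
        print(ver, "affected" if version_in_range(ver, rng) else "fixed")
```

Feed it the version reported by `composer show drupal/package` and the affected range from the audit output; when `still_affected` is empty but the audit still complains, clearing the cache is the right next step, and when it is not, the constraint in `composer.json` is the problem.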

Package cannot be updated without breaking other packages


Pin the conflicting package temporarily and file a follow-up:

```bash
# Check the full dependency tree
composer depends drupal/conflicting-package

# Resolve the constraint in `composer.json` before retrying.
```

---

Best Practices


  1. Run `composer audit` before every deploy, in CI as well as locally — catch new advisories early.
  2. Use `--with-all-dependencies` — security fixes often require transitive updates.
  3. Review the `composer.lock` diff — confirm only expected packages changed, and look up the changelog of any transitive bump that `--with-all-dependencies` pulled in.
  4. Check the advisory link — understand what the vulnerability is before updating.
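To make the third practice concrete, here is an added example (not from the page or from Composer) that diffs two `composer.lock` documents and flags packages that changed but were not among the ones the audit named. It reads only the real lock-file keys `packages`, `packages-dev`, `name` and `version`; the two lock excerpts and the package names below are constructed.

```python
"""Added example (not from the page or Composer): diff two composer.lock documents
and flag changes outside the packages the audit flagged."""
import json
from typing import Dict, Iterable, Optional, Tuple

Change = Tuple[Optional[str], Optional[str]]   # (old version, new version); None = not present

# Constructed composer.lock excerpts containing only the keys this example reads.
OLD_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "10.2.2"},
    {"name": "drupal/example_module", "version": "2.1.2"},
    {"name": "vendor/transitive-lib", "version": "1.0.0"}
  ],
  "packages-dev": [
    {"name": "vendor/dev-tool", "version": "3.1.0"}
  ]
}"""
NEW_LOCK = """{
  "packages": [
    {"name": "drupal/core", "version": "10.2.3"},
    {"name": "drupal/example_module", "version": "2.1.4"},
    {"name": "vendor/transitive-lib", "version": "1.1.0"}
  ],
  "packages-dev": [
    {"name": "vendor/dev-tool", "version": "3.1.0"}
  ]
}"""


def lock_versions(lock_text: str) -> Dict[str, str]:
    """Map package name -> locked version across both package sections."""
    lock = json.loads(lock_text)
    versions: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def lock_changes(old_text: str, new_text: str) -> Dict[str, Change]:
    """Packages whose version differs between the two lock files (added/removed included)."""
    old, new = lock_versions(old_text), lock_versions(new_text)
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


def unexpected_changes(changes: Dict[str, Change], expected: Iterable[str]) -> Dict[str, Change]:
    """Changes outside the set the audit flagged. Transitive bumps pulled in by
    --with-all-dependencies land here: review each against its changelog rather
    than rejecting the update outright."""
    allowed = set(expected)
    return {name: change for name, change in changes.items() if name not in allowed}


def review_report(old_text: str, new_text: str, expected: Iterable[str]) -> str:
    """Human-readable summary: every change, then the count and names of unexpected ones."""
    changes = lock_changes(old_text, new_text)
    extra = unexpected_changes(changes, expected)
    lines = [f"{name}: {old} -> {new}" for name, (old, new) in changes.items()]
    lines.append(f"{len(extra)} unexpected change(s): {', '.join(sorted(extra)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_report(OLD_LOCK, NEW_LOCK, ["drupal/core", "drupal/example_module"]))
```

In a real review, pass the output of `git show HEAD:composer.lock` as the old document and the working tree's `composer.lock` as the new one, with the package list from the audit as `expected`.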