You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .vortex/docs/content/workflows/development.mdx
+113-1Lines changed: 113 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -80,7 +80,7 @@ file to `.data/db.sql` and run `ahoy import-db`.
80
80
81
81
See [Drupal > Provision](../drupal/provision) for more details.
82
82
83
-
## Environment Variable Updates
83
+
## Environment variable updates
84
84
85
85
To update environment variables in your local development environment:
86
86
@@ -305,6 +305,118 @@ Composer Patches v2.x automatically generates a `patches.lock.json` file that co
305
305
composer update --lock
306
306
```
307
307
308
+
### Composer security auditing
309
+
310
+
Composer 2.9.0 introduced automatic security auditing that checks your dependencies for known security vulnerabilities and abandoned packages. This feature helps you maintain a secure codebase by alerting you to potential issues during package installation and updates.
311
+
312
+
#### Configuration Options
313
+
314
+
Configure audit behavior in your `composer.json` under the `config` section:
315
+
316
+
```json
317
+
{
318
+
"config": {
319
+
"audit": {
320
+
"abandoned": "report",
321
+
"block-insecure": true,
322
+
"ignore": {
323
+
"CVE-2024-1234": "The affected component is not in use in our application.",
324
+
"GHSA-xxxx-yyyy-zzzz": "Mitigated by additional security measures."
325
+
}
326
+
}
327
+
}
328
+
}
329
+
```
330
+
331
+
**Available Options:**
332
+
333
+
-**`block-insecure`**: Controls whether packages with security vulnerabilities block installation
334
+
-`true` (**Vortex** default): Blocks installation/update of vulnerable packages unless ignored
335
+
-`false`: Shows warnings but allows installation to proceed
336
+
-**`abandoned`**: Controls how abandoned packages are handled
337
+
-`report` (**Vortex** default): Shows abandoned packages as warnings but doesn't fail
338
+
-`fail`: Audit command fails with non-zero exit code
339
+
-`ignore`: Skips abandoned packages in audit reports
340
+
-**`ignore`**: Ignores specific security advisories by CVE or GHSA identifier (empty by default)
341
+
342
+
#### When to Use `block-insecure: false`
343
+
344
+
**Vortex** sets `block-insecure` to `true` by default to enforce security best practices. However, you may want to set it to `false` when:
345
+
346
+
- You need flexibility to evaluate vulnerabilities on your timeline
347
+
- No secure version is immediately available
348
+
- The vulnerability doesn't affect your specific use case
349
+
- You're in active development and need uninterrupted workflow
350
+
351
+
Keep it `true` (Vortex default) when:
352
+
353
+
- Working on production sites with strict security requirements
354
+
- Your deployment process can handle blocked installations
355
+
- You want to enforce immediate action on security vulnerabilities
356
+
- Your team has resources to quickly address security issues
357
+
358
+
:::warning Vortex Security-First Philosophy
359
+
360
+
**Vortex** adopts a security-first approach by setting `block-insecure: true` as the default. This prioritizes safety in automated deployments by preventing vulnerable packages from being installed without explicit review.
361
+
362
+
If you need to override this setting for backwards compatibility, you can modify the `audit.block-insecure` configuration in your project's `composer.json` file. However, we strongly recommend addressing vulnerabilities by updating packages or using the `ignore` configuration for assessed exceptions, rather than routinely disabling security blocking.
363
+
364
+
This approach ensures security issues are explicitly acknowledged and reviewed before being accepted into your codebase.
365
+
366
+
:::
367
+
368
+
#### Ignoring Specific Advisories
369
+
370
+
When you've assessed a vulnerability and determined it doesn't affect your project, you can ignore it:
371
+
372
+
```json
373
+
{
374
+
"config": {
375
+
"audit": {
376
+
"ignore": {
377
+
"CVE-2024-1234": "Component is not used in our implementation.",
378
+
"GHSA-xxxx-yyyy-zzzz": "Patched via custom security fix."
379
+
}
380
+
}
381
+
}
382
+
}
383
+
```
384
+
385
+
:::tip Document Your Decisions
386
+
387
+
Always include reasons when ignoring advisories into your Git commit messages. This helps your team understand why a vulnerability was deemed acceptable and makes it easier to review these decisions in the future.
388
+
389
+
:::
390
+
391
+
#### Running Audit Command
392
+
393
+
Check your dependencies for security issues manually:
394
+
395
+
```bash
396
+
# Audit all installed packages
397
+
composer audit
398
+
399
+
# Audit only production dependencies (exclude dev)
Copy file name to clipboardExpand all lines: .vortex/docs/content/workflows/releasing.mdx
+14-2Lines changed: 14 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -47,6 +47,7 @@ Code goes "up" (from lower to higher environments) while database goes "down" (f
47
47
This means that the production database is the primary source of truth - it's what code is applied to. When performing a release, you are applying a new version of code to a database within a specific environment.
48
48
49
49
To ensure that code changes work correctly with real data structures, the following process is followed in lower environments:
50
+
50
51
1. Database is copied from a higher environment to a lower one (e.g., production → stage → development)
51
52
2. Code is deployed to that environment to be tested against the copied database
52
53
3. Testing is performed to ensure everything works correctly
@@ -136,9 +137,11 @@ gitGraph
136
137
Below are the typical steps to perform a release using git-flow. See [cheat sheet](https://danielkummer.github.io/git-flow-cheatsheet/) for a quick reference on git-flow commands.
137
138
138
139
1.**Start Release**
140
+
139
141
```bash
140
142
git flow release start X.Y.Z
141
143
```
144
+
142
145
Creates a `release/X.Y.Z` branch from `develop`. It is recommended to push
143
146
the branch to remote.
144
147
@@ -148,9 +151,11 @@ Below are the typical steps to perform a release using git-flow. See [cheat shee
148
151
- Release notes preparation
149
152
150
153
3.**Finish Release**
154
+
151
155
```bash
152
156
git flow release finish X.Y.Z
153
157
```
158
+
154
159
- Merges release branch to `main`
155
160
- Tags the release
156
161
- Merges back to `develop`
@@ -159,6 +164,7 @@ Below are the typical steps to perform a release using git-flow. See [cheat shee
159
164
4.**Deploy to Production**
160
165
-**Tag-based hosting:** Deploy the tag directly
161
166
-**Branch-based hosting (e.g., Lagoon):** Manually sync to `production` branch
167
+
162
168
```bash
163
169
git push origin main:production
164
170
```
@@ -190,12 +196,14 @@ During installation, you can choose between Calendar Versioning (CalVer), Semant
190
196
-`Z` = Hotfix/patch version (no leading zeroes)
191
197
192
198
#### Why CalVer
199
+
193
200
-**Release frequency transparency**: When you have multiple releases per month, dates make it easy to identify when a release happened
194
201
-**Intuitive tracking**: Stakeholders can immediately understand "this is from January 2025" vs memorizing version numbers
195
202
-**Natural progression**: No ambiguity about major vs minor changes - just the chronological order
196
203
-**Marketing alignment**: Easier to communicate to non-technical audiences ("our Q1 2025 release")
-**Breaking change communication**: Major version bump signals incompatible API changes
214
223
-**Dependency management**: Package managers can enforce compatible version ranges
215
224
-**Developer expectations**: Well-understood convention in the development community
216
225
-**Predictable upgrades**: Minor versions add functionality, patches fix bugs
217
226
218
-
#### Examples:
227
+
#### Examples
228
+
219
229
- ✅ Correct: `0.1.0`, `1.0.0`, `1.0.1`, `1.0.10`
220
230
- ❌ Incorrect: `0.1` (missing patch), `1` (missing minor and patch), `1.0.01` (leading zero)
221
231
@@ -263,6 +273,7 @@ Your project includes a `docs/releasing.md` file that serves as the canonical re
263
273
-**Release procedures** - Custom workflows specific to your project
264
274
265
275
You can extend this file with:
276
+
266
277
-**Detailed release procedures** - A comprehensive outline of _what_ actions to take during releases:
267
278
- Steps to create and finish releases
268
279
- Steps to deploy to production
@@ -279,6 +290,7 @@ You can extend this file with:
279
290
**Deployment Markers**: When configured, **Vortex** automatically creates deployment markers in New Relic when releases are deployed to your environments. These markers help correlate performance changes, errors, and other metrics with specific releases.
0 commit comments