This repository was archived by the owner on Apr 23, 2025. It is now read-only.
Suggest pulling CodeIgniter from Ubuntu, upgrading Ubuntu to 24.04#43
Open
kjetilk wants to merge 2 commits into
Conversation
Description
Upon a quick inspection, I noticed that the repo bundles CodeIgniter (in the `system` folder) and various things in the `vendor` folder. This practice has various security implications, so I suggest looking into changing this with some urgency.

This suggested PR consists of two commits: a documentation update describing what is required to remove the dependency from the bundle, and the actual removal of the bundle.
Bundling open source projects into your own repo is problematic, because those who deploy it will all need to stay on top of any security issues that may come up, unless they can rely on the community behind the repo.
Failure to do so may result in known security vulnerabilities in the deployed web app. That's not to be taken lightly, in this day of automated AI attacks.
In this case, there have been no updates, which is a warning flag. In various communities, there are technical approaches to this problem; in npm, there are audit tools and warnings to upgrade to the latest upstream version. I may be old, but that's not my preferred way, because that may force you to scramble to update unrelated matters as upstream changes.

The better solution, IMHO, is available from Ubuntu in this case. CodeIgniter has been packaged and is available in Ubuntu 24.04 LTS, so in principle, you can just upgrade the backend image to 24.04, add the Ubuntu package to the install, and off you go.
In practice, it is rarely that easy, because backward compatibility may have been broken, both in Ubuntu (quite unlikely), in PHP, and in CodeIgniter itself. Thus, this would have to be tested in a test environment before it is deployed.
Nevertheless, it should be done, and I believe it is also important to do it for the code in `vendor` for the same reason. Instead, such code should be pulled in, either from Ubuntu as above, or by the deployment scripts, which can be automated here on GitHub.

Type of change
How Has This Been Tested?
Has not been tested. It is not just deployable, but must be done in an upgrade
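Added example, not part of this PR or the project's own code: a POSIX shell check that reports whether a checkout still carries a bundled CodeIgniter (read from the CI_VERSION constant that CodeIgniter 3 defines in system/core/CodeIgniter.php) or vendored packages, so a CI job can fail until the bundles are gone. The sample tree it builds is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Detect vendored framework/third-party code in a checkout. CI_VERSION is the
# real constant from CodeIgniter 3's system/core/CodeIgniter.php; the function
# names and the sample repository below are assumptions for this example.

# Print the CodeIgniter version bundled under $1/system, or "none".
bundled_ci_version() {
  f="$1/system/core/CodeIgniter.php"
  [ -f "$f" ] || { echo none; return 0; }
  # The file contains a line like: define('CI_VERSION', '3.1.11');
  sed -n "s/.*define('CI_VERSION', *'\([^']*\)').*/\1/p" "$f" | head -n 1
}

# Count vendored packages under $1/vendor (one per vendor/<org>/<pkg> directory).
vendored_package_count() {
  d="$1/vendor"
  [ -d "$d" ] || { echo 0; return 0; }
  find "$d" -mindepth 2 -maxdepth 2 -type d | wc -l | tr -d ' '
}

# Return 0 when the checkout carries no bundled framework or vendor code,
# 1 otherwise (suitable as a CI gate once the bundles have been removed).
check_no_bundles() {
  v=$(bundled_ci_version "$1")
  n=$(vendored_package_count "$1")
  if [ "$v" != none ]; then
    echo "bundled CodeIgniter $v found under system/ (should come from the distro package)" >&2
  fi
  if [ "$n" -ne 0 ]; then
    echo "$n vendored package(s) found under vendor/ (should be pulled in at deploy time)" >&2
  fi
  [ "$v" = none ] && [ "$n" -eq 0 ]
}

# Constructed sample tree standing in for a repository that still bundles code.
make_sample_repo() {
  r=$(mktemp -d)
  mkdir -p "$r/system/core" "$r/vendor/acme/lib"
  printf "<?php\ndefine('CI_VERSION', '3.1.11');\n" > "$r/system/core/CodeIgniter.php"
  echo "$r"
}
```

Run `check_no_bundles /path/to/checkout` from a CI step; it prints what it found on stderr and exits non-zero while bundles remain.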