Panels Hotfix Branch

The release of Panels on Saturday took me a bit by surprise - mainly because it was labeled as a Security Release. Normally we release a new version of Lightning within 24 hours if one of its dependencies has a security release. In this case, there were several other factors involved that ultimately made us decide to wait.

Before I go any further, if you have a production website that depends on Lightning and need the security fix now, skip to the Hotfix Release instructions below.

Why wait?

Two main reasons.

1. The security release flag is (IMHO) spurious
The issue that triggered the Security flag can be found here:

"Create content" is displayed unconditionally

Basically, all users were presented with a button to "Create Content" - even if they didn't have permission to do so. This doesn't mean that they were actually able to create content (they weren't). Unprivileged users would simply get a 403 if they clicked that link.

2. HEAD of 8.x-1.x is currently tied to Drupal Core 8.2.x
There is a (much anticipated) minor release of Drupal Core scheduled for this Wednesday, 5 October 2016. In anticipation of this release, Lightning merged our 8.2.x branch into HEAD last week. Why we chose to do that could warrant its own blog post. But, in summary:

D.O doesn't support SemVer for contrib projects, so we can't push a new (visible + build-able) branch to D.O without incrementing what is effectively our Major release number (currently `1`). In other words, our current branch is 8.x-1.x. Simply updating the version of Drupal core doesn't warrant incrementing that number. For that matter, when Lightning introduces major new functionality on 12 October - that is, the Workspace Preview System - we still won't increment that number. Incrementing that number is - and should continue to be - reserved for major BC breaking architectural changes. Rewrites.

Hotfix Release

In an effort to demonstrate our commitment to providing security releases, we have created a hotfix branch that is available on our GitHub clone. To use the hotfix branch, you'll need to tell Composer about the GH repo.

Add the following to your `repositories` key in your composer.json file:

{
    "type": "vcs",
    "url": "https://github.com/acquia/lightning"
}

And change the version of Lightning required so that it points to HEAD of the hotfix-specific branch:

"drupal/lightning": "dev-8.x-2810259-hotfix"

For a complete example of how you might use this branch in your project, see the composer.json file included with the 8.x-panels-hotfix branch of Lightning Project.

Moving forward

On Wednesday - after Lightning has made its 8.x-1.06 release - you can remove the extra info from your `repositories` key and change your Lightning constraint back to `^8.1.0`.
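Because the hotfix constraint tracks the HEAD of a development branch, it is worth confirming after the release that no project still carries it. The check below is an added example, not code from Lightning or from this post: it flags the two temporary settings described above in a composer.json, using the URL, package name and branch constraint given in the post. The function name and both sample documents (including the `packages.example.org` repository) are constructed for illustration.

```python
import json

# URL, package and branch constraint are the ones given in the post;
# the function name and both sample documents are constructed for this example.
HOTFIX_URL = "https://github.com/acquia/lightning"
HOTFIX_CONSTRAINT = "dev-8.x-2810259-hotfix"
PACKAGE = "drupal/lightning"

SAMPLE_HOTFIX = """{
  "repositories": [
    {"type": "composer", "url": "https://packages.example.org"},
    {"type": "vcs", "url": "https://github.com/acquia/lightning"}
  ],
  "require": {"drupal/lightning": "dev-8.x-2810259-hotfix"}
}"""

SAMPLE_REVERTED = """{
  "repositories": {
    "main": {"type": "composer", "url": "https://packages.example.org"}
  },
  "require": {"drupal/lightning": "^8.1.0"}
}"""


def find_hotfix_overrides(composer_json_text):
    """Return one finding per temporary hotfix setting still present."""
    data = json.loads(composer_json_text)
    findings = []

    # Composer accepts "repositories" as a list or as an object keyed by name.
    repos = data.get("repositories", [])
    if isinstance(repos, dict):
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict):  # e.g. "packagist.org": false
            continue
        url = str(repo.get("url", "")).rstrip("/")
        if url.endswith(".git"):
            url = url[:-4]
        if url.lower() == HOTFIX_URL:
            findings.append("repositories: " + HOTFIX_URL)

    for section in ("require", "require-dev"):
        if data.get(section, {}).get(PACKAGE) == HOTFIX_CONSTRAINT:
            findings.append(section + ": " + PACKAGE + " " + HOTFIX_CONSTRAINT)
    return findings


if __name__ == "__main__":
    for label, doc in (("hotfix", SAMPLE_HOTFIX), ("reverted", SAMPLE_REVERTED)):
        print(label, find_hotfix_overrides(doc) or "clean")
```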
