Move Composer's vendor folder outside of the web root folder

[gmclelland]

I was just wondering if it is possible in Processwire to move Composer's vendor directory outside of the web root folder to a location that is not web accessible?

Is there a configuration variable to control this?  I couldn't find information in my searches.

Why would I want to do this? ...for security.  I don't want script kiddies trying to scan for/exploit vulnerabilities in my installed php libraries.

[Ivan Gretsky]

Hey, @gmclelland

Seems like you can't change the composer autoloader location in ProcessWire.

But maybe there are ways to configure composer itself to store packages elsewhere? A quick search gave me this. Not sure it can help though)

 

[gmclelland]

Many thanks Ivan.  I'll open a github issue for this.

[gmclelland]

https://github.com/processwire/processwire-requests/issues/191

[Ivan Gretsky]

I tried to instruct composer running from PW root to put vendor one level up in the folder tree with vendor-dir setting. It seems not to work (at least with the relative path I provided). Did you manage to solve this, @gmclelland?

Or are you moving the vendor folder manually? If so, maybe a simple

require_once('../../vendor/autoload.php');

in site/init.php can help?

[gmclelland]

No, I haven't solved this, but I did open a new request for it in the github link above.  Let's see what Ryan has to say.

Quote

require_once('../../vendor/autoload.php');

That would probably work, but I think this should be configurable via Processwire.

[elabx]

Hi! Has anyone found a solutions for this? I have several sites that use the same composer modules i'd love if I could just install them globally for the user. Though suspecting from where the require_once happens, I feel my only choice would be using symlinks?

Just made a comment also in the GitHub issue.