View Issue Details

ID: 20426
Project: Bug reports
Category: Security
View Status: public
Last Update: 2026-02-16 10:39
Reporter: roelvm
Assigned To:
Priority: none
Severity: minor
Status: new
Resolution: open
Summary: 20426: Include composer.lock and package-lock.json in releases
Description

The official releases do not include composer.lock or package-lock.json. It would be very beneficial if those files were included in the official release builds. This helps us keep our systems safe, as we can use them to create Software Bill Of Material (SBOM) files and use those to track vulnerabilities in the software installed on our systems.

I can create an MR for this if someone points me to the tooling that is used to create releases.


Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 7.0.0-beta1+260121
I will donate to the project if issue is resolved: No
Browser:
Database type & version: any
Server OS (if known):
Webserver software & version (if known):
PHP Version: any

Activities

DenisChenu

2026-02-16 10:05

developer   ~84219

I think the best is to use the Git version for this?

roelvm

2026-02-16 10:39

reporter   ~84220

The Git version does not have those files either. It does have package.json and composer.json, but not package-lock.json or composer.lock.
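The SBOM use case from the description, as an added example that is not part of the original issue or of LimeSurvey's release tooling: it turns the exact versions pinned in a composer.lock and a package-lock.json into a minimal CycloneDX-style component list with package URLs, which the version ranges in composer.json and package.json alone cannot provide. The lock file contents and package names are constructed samples, and the function names are hypothetical.

```python
import json
from urllib.parse import quote

# Constructed sample lock files; package names and versions are made up.
COMPOSER_LOCK = """{
  "packages": [{"name": "acme/mailer", "version": "v6.9.1"}],
  "packages-dev": [{"name": "acme/test-kit", "version": "9.6.13"}]
}"""
PACKAGE_LOCK = """{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@acme/ui": {"version": "2.1.0"},
    "node_modules/left-pad-x": {"version": "1.3.0", "dev": true},
    "node_modules/@acme/ui/node_modules/tiny-x": {"version": "0.4.2"},
    "node_modules/local-ws": {"link": true, "resolved": "packages/ws"}
  }
}"""

def component(ptype, name, version, dev):
    # purl names are lowercased; the '@' of an npm scope is encoded as %40.
    purl = f"pkg:{ptype}/{quote(name.lower(), safe='/')}@{quote(version)}"
    comp = {"type": "library", "name": name, "version": version, "purl": purl}
    if dev:
        comp["scope"] = "excluded"  # CycloneDX scope for non-runtime (dev/test) use
    return comp

def from_composer_lock(text):
    lock = json.loads(text)
    return [component("composer", p["name"], p["version"], dev)
            for key, dev in (("packages", False), ("packages-dev", True))
            for p in lock.get(key, [])]

def from_package_lock(text):
    lock = json.loads(text)
    if "packages" not in lock:  # lockfileVersion 1 only has "dependencies"
        raise ValueError("need lockfileVersion 2 or 3")
    out = []
    for path, meta in lock["packages"].items():
        if not path or meta.get("link") or "version" not in meta:
            continue  # skip the root project and workspace links
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        out.append(component("npm", name, meta["version"], meta.get("dev", False)))
    return out

def build_sbom(composer_text, package_text):
    comps = from_composer_lock(composer_text) + from_package_lock(package_text)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": sorted(comps, key=lambda c: c["purl"])}
```

Calling `build_sbom(COMPOSER_LOCK, PACKAGE_LOCK)` returns a dict that can be serialized with `json.dumps` and handed to a vulnerability tracker that matches on purl.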

Issue History

Date Modified Username Field Change
2026-02-16 09:54 roelvm New Issue
2026-02-16 10:05 DenisChenu Note Added: 84219
2026-02-16 10:05 DenisChenu Bug heat 250 => 252
2026-02-16 10:39 roelvm Note Added: 84220
2026-02-16 10:39 roelvm Bug heat 252 => 254