Warning allow plugin on composer update #142

Closed
LocalHeroPro opened this issue Dec 23, 2021 · 5 comments

Comments

@LocalHeroPro

Reproduce

$ rm -rf vendor composer.lock
$ composer update
//
- Installing dealerdirect/phpcodesniffer-composer-installer (v0.7.1): Extracting archive
dealerdirect/phpcodesniffer-composer-installer contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "dealerdirect/phpcodesniffer-composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]
//

Is it safe to allow, or is there some way to resolve that warning?

@jrfnl
Member

jrfnl commented Dec 23, 2021

@LocalHeroPro It's perfectly safe to allow this. Once you do, the approval will be added to your composer.json and (as long as you commit the change) you won't be asked again.
This has to do with the new version of Composer which was released yesterday. Please see the release announcement here: https://blog.packagist.com/composer-2-2/#more-secure-plugin-execution

A PR to update the readme with information about this is already open: #141

@Potherca
Member

Hi! TL;DR: It is safe to allow.

This is a new feature in Composer 2.2, meant to make plugin execution more secure.

The new allow-plugins config value enhances security for Composer runtime plugin execution. Composer will now prompt you the first time you use a plugin to be sure that no package can run code during a Composer run if you do not trust it.

see https://blog.packagist.com/composer-2-2/#more-secure-plugin-execution

As this plugin is meant to be run by Composer, you should select y, to indicate you trust our code to run.

If you do not know whether you can trust our code, review the source code to verify nothing malicious is going on (either the online version or your local version in vendor/dealerdirect/phpcodesniffer-composer-installer/src/Plugin.php).

An update to our documentation has been made in #141 to help explain this to users.
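For readers who want to see what answering `y` leaves behind, here is the shape of the resulting composer.json. This is an added, constructed example and not a file from the issue or from the project; the `require-dev` constraint is chosen to match the v0.7.1 shown in the reproduction above, and the `config.allow-plugins` key is the Composer 2.2 setting the release notes describe. Committing this block means the decision is recorded per plugin, so non-interactive runs (CI, Docker builds) do not depend on the prompt being answered.

```json
{
    "require-dev": {
        "dealerdirect/phpcodesniffer-composer-installer": "^0.7.1"
    },
    "config": {
        "allow-plugins": {
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    }
}
```

The value is per package: `true` permits that plugin's code to run during Composer operations, `false` explicitly blocks it while still installing the package as plain files. Listing each plugin by name rather than allowing everything keeps the trust decision reviewable in version control, which is the point of the feature.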

@Potherca
Member

@jrfnl Looks like you just beat me to the punch. 😸

@jrfnl
Member

jrfnl commented Dec 23, 2021

@Potherca I love our timing (posting a reply the same moment) 😂

@jrfnl
Member

jrfnl commented Jan 25, 2022

Closing as #141 has been merged.

@jrfnl jrfnl closed this as completed Jan 25, 2022