PHPCSStandards / composer-installer

Composer installer for PHP_CodeSniffer coding standards
https://packagist.org/packages/dealerdirect/phpcodesniffer-composer-installer
MIT License

Warning allow plugin on composer update #142

Closed LocalHeroPro closed 2 years ago

LocalHeroPro commented 2 years ago

Reproduce

$ rm -rf vendor composer.lock
$ composer update
//
- Installing dealerdirect/phpcodesniffer-composer-installer (v0.7.1): Extracting archive
dealerdirect/phpcodesniffer-composer-installer contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "dealerdirect/phpcodesniffer-composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]
//

Is it safe to allow, or is there some way to resolve that warning?

jrfnl commented 2 years ago

@LocalHeroPro It's perfectly safe to allow this. Once you do, the approval will be added to your composer.json and (as long as you commit the change) you won't be asked again. This has to do with the new version of Composer which was released yesterday; please see the release announcement here: https://blog.packagist.com/composer-2-2/#more-secure-plugin-execution

A PR to update the readme with information about this is already open: #141

Potherca commented 2 years ago

Hi! TL;DR: It is safe to allow.

This is a new feature in Composer 2.2, meant to make plugin execution more secure.

The new allow-plugins config value enhances security for Composer runtime plugin execution. Composer will now prompt you the first time you use a plugin to be sure that no package can run code during a Composer run if you do not trust it.

see https://blog.packagist.com/composer-2-2/#more-secure-plugin-execution

As this plugin is meant to be run by Composer, you should select y, to indicate you trust our code to run.

If you do not know whether you can trust our code, review the source code to verify nothing malicious is going on (either the online version or your local version in vendor/dealerdirect/phpcodesniffer-composer-installer/src/Plugin.php).

An update to our documentation has been made in #141 to help explain this to users.
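The entry that the prompt writes into composer.json when you answer y, shown here as an added illustration rather than text from this thread (the config key and the package name are the ones discussed above; nothing else is assumed):

```json
{
    "config": {
        "allow-plugins": {
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    }
}
```

Setting the value to false instead records an explicit denial, and Composer then skips this plugin's code on every run until the value is changed.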

Potherca commented 2 years ago

@jrfnl Looks like you just beat me to the punch. :smile_cat:

jrfnl commented 2 years ago

@Potherca I love our timing (posting a reply the same moment) 😂

jrfnl commented 2 years ago

Closing as #141 has been merged.