ergebnis / composer-normalize

🎵 Provides a composer plugin for normalizing composer.json.
MIT License

Normalizing `composer.json` in other directory inconsistency #865

Closed kubawerlos closed 1 year ago

kubawerlos commented 2 years ago

Steps required to reproduce the problem

  1. Having Composer 2.2 with the new allow-plugins feature
  2. First composer.json, in the root, perfectly fine:
    {
    "require": {
        "ergebnis/composer-normalize": "^2.23.0",
        "phpstan/extension-installer": "^1.1.0"
    },
    "config": {
        "allow-plugins": {
            "ergebnis/composer-normalize": true,
            "phpstan/extension-installer": true
        }
    }
    }
  3. Second composer.json, in subdirectory foo, with the following content (clearly not normalized):

    {
    "require": {
        "psr/log" : "*",
    
        "psr/container" : "*"
    }
    }
  4. We run `composer normalize foo/composer.json` in the root

Expected Result

Actual Result

Running ergebnis/composer-normalize by Andreas Möller and contributors.

ergebnis/composer-normalize contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "ergebnis/composer-normalize" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] n
phpstan/extension-installer contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "phpstan/extension-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] n
Successfully normalized subdirectory/composer.json.

Composer asks for plugins to be allowed (phpstan/extension-installer is only there to show that it asks about all plugins, not only the one currently used); even with the plugin in use denied, it still normalizes composer.json.

I'd expect composer.json to be normalized without any interaction, and I'd understand it not being normalized after the plugins are not allowed, but this behaviour is super weird.

secretsayan commented 2 years ago

Facing the same issue when using this plugin to normalize a composer.json present in other directories. It would be good to have it working correctly before July 2022, when the "allow-plugins" feature is strictly implemented.

localheinz commented 2 years ago

@kubawerlos @secretsayan

Not sure, but seems to me like this is expected behavior.

I will take a closer look.

localheinz commented 2 years ago

Possibly related to #738.

secretsayan commented 2 years ago

Update: After the Composer 2.3.9 release, running composer normalize in this scenario throws an error instead of a warning.

localheinz commented 2 years ago

@secretsayan

I'll see what I can do about it! Thank you for your report.

secretsayan commented 2 years ago

Here's a reference to the exact same issue, https://github.com/composer/composer/issues/10935, for the composer create-project command. We can see the same behaviour here, wherein plugins declared in the CWD are getting loaded when we run composer normalize on a file present in a different directory.

localheinz commented 2 years ago

Thank you, @secretsayan!

Seldaek commented 2 years ago

Hopefully fixed by https://github.com/composer/composer/commit/0e59fbb46eee2b89245dc347bfb4d6efbc6f2591 - which is in Composer 2.3.10

secretsayan commented 2 years ago

@Seldaek I have checked with Composer 2.3.10 and found the issue still present with the composer normalize command.

Seldaek commented 2 years ago

Can you print the stack trace if you run normalize with -v? I'm assuming it fails from https://github.com/ergebnis/composer-normalize/blob/main/src/Command/NormalizeCommand.php#L140-L143 but this case should be handled by my fix in Composer if you are using normalize with a file which is not the default ./composer.json.

Maybe I missed smth though.

Anyway, a clear way to reproduce this would be interesting, as well as the stack trace.

kubawerlos commented 2 years ago

Quick scenario to reproduce:

secretsayan commented 2 years ago

My composer.json: This is present in my CWD.

{
  "name" : "secretsayan/myrepo",
  "description": "This is the root composer.json",
  "license": "MIT",
    "require": {
        "ergebnis/composer-normalize": "^2.28"
    },
    "config": {
        "allow-plugins": {
            "ergebnis/composer-normalize": true
        }
    }
}

My target composer.json which I am trying to normalize.

{
  "description": "This composer is used for testing"
}

Output of composer diagnose:

Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.3.10
PHP version: 8.1.5
PHP binary path: /usr/local/Cellar/php/8.1.5/bin/php
OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
cURL version: 7.83.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1o
zip: extension present, unzip present, 7-Zip not available

When I run this command:

composer normalize ../subject/composer.json -vvv

I get the following output in my local:

Reading ./composer.json (/Users/sayan.goswami/Workspace/Code/testingComposer/actor/composer.json)
Loading config file /Users/sayan.goswami/.composer/config.json
Loading config file /Users/sayan.goswami/.composer/auth.json
Loading config file ./composer.json (/Users/sayan.goswami/Workspace/Code/testingComposer/actor/composer.json)
Checked CA file /usr/local/etc/ca-certificates/cert.pem: valid
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): hg branch
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): fossil branch list
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): fossil tag list
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): svn info --xml
Reading /Users/sayan.goswami/.composer/composer.json (/Users/sayan.goswami/.homesick/repos/dotfiles/home/.composer/composer.json)
Loading config file /Users/sayan.goswami/.composer/config.json
Loading config file /Users/sayan.goswami/.composer/auth.json
Loading config file /Users/sayan.goswami/.composer/composer.json (/Users/sayan.goswami/.homesick/repos/dotfiles/home/.composer/composer.json)
Reading /Users/sayan.goswami/Workspace/Code/testingComposer/actor/vendor/composer/installed.json
Reading /Users/sayan.goswami/.composer/vendor/composer/installed.json
Loading plugin Ergebnis\Composer\Normalize\NormalizePlugin (from ergebnis/composer-normalize)
Running 2.3.10 (2022-07-13 15:48:23) with PHP 8.1.5 on Darwin / 20.6.0
Running ergebnis/composer-normalize by Andreas Möller and contributors.

Reading ../subject/composer.json (/Users/sayan.goswami/Workspace/Code/testingComposer/subject/composer.json)
Loading config file /Users/sayan.goswami/.composer/config.json
Loading config file /Users/sayan.goswami/.composer/auth.json
Loading config file ../subject/composer.json (/Users/sayan.goswami/Workspace/Code/testingComposer/subject/composer.json)
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): git describe --exact-match --tags
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): hg branch
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): fossil branch list
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): fossil tag list
Executing command (/Users/sayan.goswami/Workspace/Code/testingComposer/actor): svn info --xml
Reading /Users/sayan.goswami/.composer/composer.json (/Users/sayan.goswami/.homesick/repos/dotfiles/home/.composer/composer.json)
Loading config file /Users/sayan.goswami/.composer/config.json
Loading config file /Users/sayan.goswami/.composer/auth.json
Loading config file /Users/sayan.goswami/.composer/composer.json (/Users/sayan.goswami/.homesick/repos/dotfiles/home/.composer/composer.json)
Reading /Users/sayan.goswami/Workspace/Code/testingComposer/actor/vendor/composer/installed.json
ergebnis/composer-normalize contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "ergebnis/composer-normalize" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]

Expected Behaviour: I expect the command to run successfully without asking me to add the plugins to the allow-plugins config.

Exception Trace from a different CI System:

In PluginManager.php line 769:

  [Composer\Plugin\PluginBlockedException]
  ergebnis/composer-normalize contains a Composer plugin
 which is blocked by your allow-plugins config. You may add it to the list if
   you consider it safe.
  You can run "composer config --no-plugins allow-plugins.ergebnis/composer-normalize 
[true|false]" to enable it (true) or disable it explicitly and suppress this exception (false)
  See https://getcomposer.org/allow-plugins

Exception trace:
  at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Plugin/PluginManager.php:769
 Composer\Plugin\PluginManager->isPluginAllowed() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Plugin/PluginManager.php:189
 Composer\Plugin\PluginManager->registerPackage() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Plugin/PluginManager.php:485
 Composer\Plugin\PluginManager->loadRepository() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Plugin/PluginManager.php:95
 Composer\Plugin\PluginManager->loadInstalledPlugins() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Factory.php:431
 Composer\Factory->createComposer() at /home/travis/build/acquia/orca/vendor/ergebnis/composer-normalize/src/Command/NormalizeCommand.php:140
 Ergebnis\Composer\Normalize\Command\NormalizeCommand->execute() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/vendor/symfony/console/Command/Command.php:298
 Symfony\Component\Console\Command\Command->run() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/vendor/symfony/console/Application.php:1024
 Symfony\Component\Console\Application->doRunCommand() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/vendor/symfony/console/Application.php:299
 Symfony\Component\Console\Application->doRun() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Console/Application.php:335
 Composer\Console\Application->doRun() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/vendor/symfony/console/Application.php:171
 Symfony\Component\Console\Application->run() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/src/Composer/Console/Application.php:130
 Composer\Console\Application->run() at phar:///home/travis/.phpenv/versions/7.4.6/bin/composer/bin/composer:88
 require() at /home/travis/.phpenv/versions/7.4.6/bin/composer:29

Seldaek commented 2 years ago

OK I think I see the issue.. Probably should use the file's dir as CWD when loading a Composer instance like that, it'd make more sense. I'll see if I can fix that on the Composer side.
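
An added example (not code from this thread, from Composer or from composer-normalize) that models the mismatch visible in the `-vvv` log above: installed plugins are discovered under the working directory, while the allow-list is read from the target file. The function names and the `actor`/`subject` sample files are constructed here, and the pattern matching is a simplified assumption about `allow-plugins`, not Composer's own logic.

```python
import json
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path


def installed_plugins(project_dir):
    """Names of installed packages of type composer-plugin under project_dir/vendor."""
    data = json.loads((Path(project_dir) / "vendor/composer/installed.json").read_text())
    packages = data["packages"] if isinstance(data, dict) else data  # Composer 1: bare list
    return sorted(p["name"] for p in packages if p.get("type") == "composer-plugin")


def plugin_status(name, allow_plugins):
    """Classify one plugin against an allow-plugins value (simplified model)."""
    if isinstance(allow_plugins, bool):
        return "allowed" if allow_plugins else "denied"
    for pattern, allowed in (allow_plugins or {}).items():
        if fnmatchcase(name, pattern):  # assumption: first matching rule wins
            return "allowed" if allowed else "denied"
    return "unlisted"  # the state that prompts or throws in the thread


def audit(cwd, target_json):
    """Plugins installed under cwd, judged by the allow-plugins of target_json."""
    config = json.loads(Path(target_json).read_text()).get("config", {})
    allow = config.get("allow-plugins")
    return {name: plugin_status(name, allow) for name in installed_plugins(cwd)}


def build_sample(root):
    """Constructed layout mirroring the thread: actor/ is the CWD, subject/ the target."""
    actor, subject = Path(root) / "actor", Path(root) / "subject"
    (actor / "vendor/composer").mkdir(parents=True)
    subject.mkdir()
    (actor / "composer.json").write_text(json.dumps(
        {"config": {"allow-plugins": {"ergebnis/composer-normalize": True}}}))
    (actor / "vendor/composer/installed.json").write_text(json.dumps({"packages": [
        {"name": "ergebnis/composer-normalize", "type": "composer-plugin"},
        {"name": "ergebnis/json-normalizer", "type": "library"}]}))
    (subject / "composer.json").write_text('{"description": "This composer is used for testing"}')
    return actor, subject


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        actor, subject = build_sample(tmp)
        print("judged by CWD config:   ", audit(actor, actor / "composer.json"))
        print("judged by target config:", audit(actor, subject / "composer.json"))
```

Run from a repository root in CI, `audit()` over each nested `composer.json` lists the plugins that would be evaluated against a config that never mentions them.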

Seldaek commented 2 years ago

https://github.com/composer/composer/commit/93eb19e756aac57d134cb0350e42cbced2befc57 should resolve this - composer self-update --snapshot will let you test it for now.

kubawerlos commented 2 years ago

I can confirm it resolves the problem.

secretsayan commented 2 years ago

Thanks a lot @Seldaek!

localheinz commented 1 year ago

Closing as it seems that this issue has been resolved.