magento / composer

Open Software License 3.0

Issue when run composer update #33

Closed dzdaniel closed 2 years ago

dzdaniel commented 2 years ago

Hi Magento team,

I'm getting an issue with magento/composer when running the command composer update on Magento 2.4.3. This is the error message: [screenshot]

slackerzz commented 2 years ago

same here, we cannot deploy

[screenshot]
rickeyf commented 2 years ago

Any ideas on how to temporarily bypass this error?

aigarsMage commented 2 years ago

Any ideas on how to temporarily bypass this error?

Remove magento/composer-dependency-version-audit-plugin

https://support.magento.com/hc/en-us/articles/4410675867917-Composer-plugin-against-Dependency-Confusion-attacks

PauloPhagula commented 2 years ago

Requesting your attention to this issue @korovitskyi, @ihor-sviziev, and @SilinMykola

ihor-sviziev commented 2 years ago

@sidolov @sivaschenko @sdzhepa @fascinosum, please set the p1 or even p0 priority to this issue.

hoangngo-calvin commented 2 years ago

P0 please, our production deployment is struggling with this issue. Thanks

novikor commented 2 years ago

Any ideas on how to temporarily bypass this error?

composer install --no-plugins

bartoszkubicki commented 2 years ago

@ihor-sviziev Is this an official package? Is it going to be public from now?

giannello commented 2 years ago

Any ideas on how to temporarily bypass this error?

composer install --no-plugins

This will break some scenarios. We run setup:di:compile as part of our docker image build process, and it doesn't work when --no-plugins is used.

fascinosum commented 2 years ago

Hello @dzdaniel, thank you for reporting this. This issue has been resolved, sorry for the inconvenience. Please confirm it works now.

sprankhub commented 2 years ago

Thanks for working on this, @fascinosum. I am still getting the same error, though.

korostii commented 2 years ago

@fascinosum is there any delay/lag on the version getting public, perhaps? I confirm that the same error is still being produced: [screenshot]

slackerzz commented 2 years ago

@fascinosum the issue is not resolved yet

fascinosum commented 2 years ago

You are right, there is a delay, a little longer than I expected. It should now be available for everyone.

giannello commented 2 years ago

If you're running a recent version of composer (tested with 2.2.4), you can work around the issue by setting this in your composer.json:

"config": {
    "allow-plugins": {
        [...]
        "magento/composer-dependency-version-audit-plugin": false,
        [...]
    }
},
fascinosum commented 2 years ago

magento/composer:1.8.0 is not needed for any Magento OS version, but for the coming 2.4.4 release. We did not expect the release of this package to affect anyone, but "magento/composer-dependency-version-audit-plugin" caught this discrepancy. Sorry for the inconvenience. Now we know about this aspect and will prevent it in the future.

hoangngo-calvin commented 2 years ago

I can confirm it's fixed. Thanks for your hard work @fascinosum

nathanjosiah commented 2 years ago

Please do not disable this plugin unless you understand the risks. This plugin did exactly what it was supposed to do. This was identical to a real dependency confusion attack and if the composer package was malicious this plugin would have stopped it from causing harm. Please do not blindly disable plugins.

hostep commented 2 years ago

@nathanjosiah: I would only expect this error to trigger when trying to update to that version or when already using that version, not when running composer install with version 1.7.0 in the composer.lock file (which I believe was the problem here, if I read the comments correctly?)

nathanjosiah commented 2 years ago

@hostep Maybe I'm reading this wrong but the original report definitely says composer update. I see that @novikor recommended composer install --no-plugins as a workaround but I don't see any indication that it was giving the dependency confusion error with that command. Without any plugins there would naturally be other errors with magento but not from the audit plugin.

hostep commented 2 years ago

Hmm, I'm still confused, @slackerzz wouldn't have deployment issues in this case (as I would suspect that his deployment only runs composer install and never composer update)

Would be great if anyone who ran into this could elaborate a bit on how it was triggered?

slackerzz commented 2 years ago

@hostep in my case it was a composer install during a deploy, we use https://github.com/davidalger/capistrano-magento2

hostep commented 2 years ago

Okay thanks for the feedback! So that sounds like a bug in that magento/composer-dependency-version-audit-plugin composer plugin. Because one mistake in the Magento release process can suddenly break everybody's composer workflow if you have that composer plugin active. And it's not a matter of saying "this will never happen again", because we're all humans and mistakes like this will happen again I'm afraid.

@nathanjosiah, do you agree that this needs to get fixed?

hoangngo-calvin commented 2 years ago

My case is also an install: composer install --no-dev. At that time, magento/composer in my composer.lock was at 1.6.0. No idea why the plugin validates 1.7.0 (repo magento) as lower than 1.8.0 (packagist). I think there is a bug in the plugin and they have already fixed it.
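To make the version comparison the thread keeps circling back to concrete, here is an added Python sketch of a dependency-confusion audit over a composer.lock; it is not the plugin's own code (the thread does not show its rules), and the lock fragment, the public-registry snapshot and the private-host list are constructed sample data. A package locked from a private host is flagged when a public registry advertises a higher version of the same name, which reproduces the 1.7.0-from-repo.magento.com versus 1.8.0-on-Packagist situation described above, including the fact that it fires on a pinned lock during install.

```python
import json
from typing import Dict, List, Tuple

# Constructed composer.lock fragment (sample data, not a real lock file from the thread).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/composer", "version": "1.7.0",
         "dist": {"url": "https://repo.magento.com/archives/magento/composer/magento-composer-1.7.0.zip"}},
        {"name": "monolog/monolog", "version": "2.3.5",
         "dist": {"url": "https://api.github.com/repos/Seldaek/monolog/zipball/constructed"}},
    ]
})

# Constructed snapshot of what a public registry advertises (assumption, not live Packagist data).
PUBLIC_VERSIONS: Dict[str, List[str]] = {
    "magento/composer": ["1.6.0", "1.8.0"],
    "monolog/monolog": ["2.3.5"],
}

# Hosts treated as private/trusted sources for this sketch (assumption).
PRIVATE_HOSTS = ("repo.magento.com",)


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified release ordering: numeric dotted head only, pre-release suffix ignored."""
    head = v.lstrip("v").split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in head.split("."))


def is_private(url: str) -> bool:
    return any(host in url for host in PRIVATE_HOSTS)


def audit_lock(lock_json: str, public_versions: Dict[str, List[str]]) -> List[str]:
    """Return one finding per locked package that comes from a private host while a
    public registry advertises a higher version of the same name. Because it reads the
    lock file, it fires on `composer install` against a pinned version, just as reported."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        url = pkg.get("dist", {}).get("url", "")
        if not is_private(url):
            continue  # public packages resolve from the public registry anyway
        newer = [v for v in public_versions.get(pkg["name"], [])
                 if version_key(v) > version_key(pkg["version"])]
        if newer:
            findings.append(f"{pkg['name']}: locked {pkg['version']} from private repo, "
                            f"public registry has {max(newer, key=version_key)}")
    return findings
```

The second assertion below shows the check going quiet once the public registry no longer advertises a higher version, which is what happened when the 1.8.0 release discrepancy was resolved.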

nathanjosiah commented 2 years ago

I will have the team take a closer look now that we have more details. For internal reference I created AC-2139 to track this work.

ihor-sviziev commented 2 years ago

@nathanjosiah thank you! Could you please re-open this issue / create some other publicly available issue to have an ability to track the status? Thank you!

aingham commented 2 years ago

@nathanjosiah: I would only expect this error to trigger when trying to update to that version or when already using that version, not when running composer install with version 1.7.0 in the composer.lock file (which I believe was the problem here, if I read the comments correctly?)

@hostep I agree with you 100% on this! I'm now getting a very similar error, albeit with a different package. Is there an open issue anywhere to track the problem whereby the audit plugin is returning an error, even when one is doing a composer install and not referencing the higher packagist version?