Closed dzdaniel closed 2 years ago
same here, we cannot deploy
Any ideas on how to temporarily bypass this error?
Any ideas on how to temporarily bypass this error?
Remove magento/composer-dependency-version-audit-plugin
Requesting your attention to this issue @korovitskyi, @ihor-sviziev, and @SilinMykola
@sidolov @sivaschenko @sdzhepa @fascinosum, please set the p1 or even p0 priority to this issue.
P0 please, our production deployment is struggling with this issue. Thanks
Any ideas on how to temporarily bypass this error?
composer install --no-plugins
@ihor-sviziev Is this an official package? Is it going to be public from now?
Any ideas on how to temporarily bypass this error?
composer install --no-plugins
This will break some scenarios. We run setup:di:compile as part of our docker image build process, and it doesn't work when --no-plugins is used.
hello @dzdaniel, thank you for reporting this. This issue has been resolved, sorry for the inconvenience. Please confirm it works now
Thanks for working on this, @fascinosum. I am still getting the same error, though.
@fascinosum is there any delay/lag on the version to get public, perhaps? I confirm that the same error is still being produced
@fascinosum the issue is not resolved yet
you are right, there is a delay, a little more than I expected. It should now be available for everyone
if you're running a recent version of composer (tested with 2.2.4), you can work around the issue by setting this in your composer.json

    "config": {
        "allow-plugins": {
            [...]
            "magento/composer-dependency-version-audit-plugin": false,
            [...]
        }
    },
magento/composer:1.8.0 is not needed for any Magento OS version, but for the coming 2.4.4 release. We did not expect the release of this package to affect anyone, but "magento/composer-dependency-version-audit-plugin" caught this discrepancy. Sorry for the inconvenience. Now we know about this aspect and will prevent it in the future
I can confirm it's fixed. Thanks for your hard work @fascinosum
Please do not disable this plugin unless you understand the risks. This plugin did exactly what it was supposed to do. This was identical to a real dependency confusion attack and if the composer package was malicious this plugin would have stopped it from causing harm. Please do not blindly disable plugins.
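The check the plugin performs, as an added example that is not part of the thread and not the code of magento/composer-dependency-version-audit-plugin: every package that the lock file pulls from a private repository is compared against what the public registry publishes under the same name, and a higher public version is reported as a possible dependency confusion. The lock-file excerpt, the registry snapshot and the choice of repo.magento.com as the trusted host are constructed assumptions for this script; the 1.7.0 / 1.8.0 numbers are the ones discussed in the thread.

```python
"""Minimal dependency-confusion audit over a composer.lock.

Added example (not the audit plugin's own code). It flags a package that the
project fetches from a private repository while the public registry offers the
same name with a higher version, because an unpinned `composer update` would
then silently switch to the public copy. All data is constructed inline so
the script runs offline.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed composer.lock excerpt; the dist URLs are illustrative only.
LOCK_JSON = """
{
  "packages": [
    {"name": "magento/composer", "version": "1.7.0",
     "dist": {"url": "https://repo.magento.com/archives/magento/composer/magento-composer-1.7.0.0.zip"}},
    {"name": "monolog/monolog", "version": "2.3.5",
     "dist": {"url": "https://api.github.com/repos/Seldaek/monolog/zipball/0000000"}}
  ],
  "packages-dev": []
}
"""

# Constructed snapshot of versions the public registry (packagist) claims to publish.
PUBLIC_VERSIONS: Dict[str, List[str]] = {
    "magento/composer": ["1.6.0", "1.7.0", "1.8.0"],
    "monolog/monolog": ["2.3.5"],
}

# Hosts treated as private/trusted package sources (assumption for this example).
PRIVATE_HOSTS = ("repo.magento.com",)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.7.0' or 'v1.8.0.1' into a comparable 4-tuple; missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", v)]
    return tuple((nums + [0] * 4)[:4])


def source_host(pkg: dict) -> str:
    """Host name of the URL the package is downloaded from ('' if none recorded)."""
    url = pkg.get("dist", {}).get("url") or pkg.get("source", {}).get("url") or ""
    m = re.match(r"https?://([^/]+)/", url)
    return m.group(1) if m else ""


def audit(lock_json: str, public_versions: Dict[str, List[str]],
          private_hosts: Iterable[str]) -> List[dict]:
    """Return one finding per private-sourced package with a higher public version."""
    findings = []
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if source_host(pkg) not in private_hosts:
            continue  # only packages from private repos can be confused
        public = public_versions.get(pkg["name"])
        if not public:
            continue  # no public namesake: nothing to confuse
        newest_public = max(public, key=parse_version)
        if parse_version(newest_public) > parse_version(pkg["version"]):
            findings.append({
                "package": pkg["name"],
                "locked_version": pkg["version"],
                "public_version": newest_public,
                "source": source_host(pkg),
            })
    return findings


if __name__ == "__main__":
    for f in audit(LOCK_JSON, PUBLIC_VERSIONS, PRIVATE_HOSTS):
        print(f"{f['package']}: locked {f['locked_version']} from {f['source']}, "
              f"public registry has {f['public_version']}")
```

Run as-is it reports magento/composer (locked 1.7.0 from repo.magento.com, public 1.8.0) and stays quiet about monolog/monolog, which comes from a public source anyway. The comparison deliberately looks at the locked version rather than the constraint in composer.json, which is exactly the point hostep raises later in the thread: a plain `composer install` never moves off the lock, so a finding here is a warning about the ecosystem state, not proof that the install would pull the public package.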
@nathanjosiah: I would only expect this error to trigger when trying to update to that version or when already using that version, not when running composer install with version 1.7.0 in the composer.lock file (which I believe was the problem here if I read the comments correctly?)
@hostep Maybe I'm reading this wrong but the original report definitely says composer update. I see that @novikor recommended composer install --no-plugins as a workaround but I don't see any indication that it was giving the dependency confusion error with that command. Without any plugins there would naturally be other errors with magento but not from the audit plugin.
Hmm, I'm still confused, @slackerzz wouldn't have deployment issues in this case (as I would suspect that his deployment only runs composer install and never composer update)
Would be great if anyone who ran into this could elaborate a bit on how it was triggered?
composer update
composer install
composer install after a composer update without the plugin active
@hostep in my case it was a composer install during a deploy, we use https://github.com/davidalger/capistrano-magento2
Okay thanks for the feedback! So that sounds like a bug in that magento/composer-dependency-version-audit-plugin composer plugin. Because one mistake in the Magento release process can suddenly break everybody's composer workflow if you have that composer plugin active. And it's not a matter of saying "this will never happen again", because we're all humans and mistakes like this will happen again I'm afraid.
@nathanjosiah, do you agree that this needs to get fixed?
my case is also install: composer install --no-dev. At that time, magento/composer in my composer.lock is at 1.6.0. No idea why the plugin validates 1.7.0 (repo magento) as lower than 1.8.0 (packagist). I think there is a bug in the plugin and they already fixed it.
I will have the team take a closer look now that we have more details. For internal reference I created AC-2139 to track this work.
@nathanjosiah thank you! Could you please re-open this issue / create some other publicly available issue to have an ability to track the status? Thank you!
@nathanjosiah: I would only expect this error to trigger when trying to update to that version or when already using that version, not when running composer install with version 1.7.0 in the composer.lock file (which I believe was the problem here if I read the comments correctly?)
@hostep I agree with you 100% on this! I'm now getting a very similar error, albeit with a different package. Is there an open issue anywhere to track the problem whereby the audit plugin is returning an error, even when one is doing a composer install and not referencing the higher packagist version?
Hi Magento team,
I'm getting an issue with magento/composer when running the command composer update on Magento 2.4.3. This is the error message: