Closed asanka-atapattu closed 1 year ago
Same issue here, as we do not include magento/composer directly in our composer.json we can not follow up with the suggested procedure from the error message. The package is required by magento/magento2-base - so it's a dependency we can not/won't influence here.
Best solution might be to get the 1.9.0 also in the private repository. Was it just forgotten to be pushed there also?
Found a workaround package by the guys at Ampersand to replace the "audit" plugin that causes the issue, which is actually debated as obsolete in composer 2, see here.
The package to require: https://packagist.org/packages/ampersand/replace-magento-composer-dependency-version-audit-plugin
It has happened before, some info might be helpful: https://github.com/magento/composer/issues/33
Temporary hack: Add it to the `replace` section of your `composer.json` file, like so:

```json
{
  "replace": {
    "magento/composer-dependency-version-audit-plugin": "*"
  }
}
```
Hey @fascinosum @ihor-sviziev @sidolov, just want to bring your attention to this, it broke our deployment to production, please fix as soon as possible.
Same here.
+
He knew it... @hostep
> Temporary hack: Add it to the `replace` section of your `composer.json` file, like so:
>
> ```json
> { "replace": { "magento/composer-dependency-version-audit-plugin": "*" } }
> ```
I suggest using the `exclude` instruction on the archive in the `repositories` section of your `composer.json` file:

```json
"magento": {
  "type": "composer",
  "url": "https://repo.magento.com/",
  "exclude": ["magento/composer-dependency-version-audit-plugin"]
},
```
EDIT: it's safer to exclude from public packagist repository: https://github.com/magento/composer/issues/34#issuecomment-1432920391
Found that this solution also works fine:

```json
"repositories": [
  {
    "type": "composer",
    "url": "https://repo.magento.com/",
    "canonical": false
  }
]
```
But what will be the solid solution for this?
Hi everybody, if I understand well, the security plugin did exactly what it was supposed to do: prevent a composer install when it finds that the version in the public repository is higher than the one in the private repository. OK, disabling it will do the job, but it's here for a reason, to prevent installing a malicious package from the public repository, so I'm not sure this is the good way (let's say that the current package in the public repository is a fake one, everybody is going to install it). The issue here is that the private repository has not been updated in the same way as the public one.
@Prunecreation: The composer security plugin from Magento should not complain when you ask it to install a known good version that's in the `composer.lock` of a project and which points to repo.magento.com.
It should only complain when you try to upgrade to an unknown version with composer.
That's a bug and it needs to get fixed, because it will happen again, and again, and again ...
The following workarounds were provided by the Adobe Commerce support. Solution 2 works for us.
Solution 1: install the latest version from Adobe's Marketplace
Please add `--no-plugins` to your `composer require` command.
For example: `composer require magento/composer --no-plugins`.
This will ignore the above module execution and will not check against packagist for newer versions.
Solution 2: Tell composer that Magento is not a canonical repo
This way, if a newer version is available at packagist, it will be installed.
To do this, open the `composer.json` file and add `"canonical": false` to Magento's repository, like follows:

```json
"repositories": [ { "type": "composer", "url": "https://repo.magento.com/", "canonical": false } ]
```
Note: Solution 2 may not work with all the plugins
Switch the allowed plugin to false: `"magento/composer-dependency-version-audit-plugin": false`
It works for me.
I run out of coffee this morning, this was a great replacement ^__^
Please don't take the advice of @Prunecreation (which got deleted after posting this comment) or @4cpatrickgebhardt, it decreases security. The packages from repo.magento.com should be more trusted than the ones from packagist.org (that's what this magento/composer-dependency-version-audit-plugin is supposed to enforce).
Magento Adobe Commerce support team really shouldn't give out such advice...
Hi @hostep, I changed the fix I provided to exclude the magento/composer package from being searched in the public repository of packagist (so it will only be searched in the private repo.magento.com and the security plugin will not complain). No need to remove the security plugin (never good) and no need to mark all of repo.magento.com as non-canonical (never good either, because it impacts all modules).
Here is the fix: Add the public packagist repository to your `composer.json` (even if it wasn't declared before, it's the default composer repository, but by declaring it you are able to exclude a package like I do):

```json
"packagist": {
  "type": "composer",
  "url": "https://packagist.org",
  "exclude": ["magento/composer"]
}
```
> Found a workaround package by the guys at Ampersand to replace the "audit" plugin that causes the issue, which is actually debated as obsolete in composer 2, see here.
> The package to require: https://packagist.org/packages/ampersand/replace-magento-composer-dependency-version-audit-plugin
@hostep is correct and you shouldn't just disable this plugin unless you have your packages under tight control. With private packagist for example we only have one place to pull packages from, and the source of a package does not change so this kind of issue cannot happen in our scenario.
I need to make the README on that repo more explicit, it kind of assumes that you know how/why you're replacing the audit plugin.
Version 1.9 is now available from the Magento repo, so this is no longer an issue (until a newer version is released...)
Awesome
Confirming Version 1.9 is now available from the Magento repo, so this is no longer an issue!
until a newer version is released :) @KevinMace
Hi @asanka-atapattu, would you mind sharing your composer.json? Just trying to understand and reproduce the issue so that we can have a permanent solution to this.
@admanesachin: this was a problem in publishing version 1.9.0 of the magento/composer package to repo.magento.com, it was only published to packagist.org, resulting in this problem which got detected by the magento/composer-dependency-version-audit-plugin. It was then finally published to repo.magento.com a few hours ago, which solved the problem.
No need to look into this specific problem, the details are already known within Adobe. If this needs to be properly fixed so this doesn't happen anymore in the future, at least 2 things need to happen:
magento/composer-dependency-version-audit-plugin should be fixed so it doesn't do its check upon `composer install` when a valid `composer.lock` file already exists. Just talk to @sidolov if you want to know more.
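To make the check discussed in this thread concrete, here is an added example (not the plugin's or Magento's own code) that models the version audit with constructed repository contents and adds the composer.lock exemption proposed above; the `^` constraint handling is a simplification of composer's real semantics.

```python
# Added example: simplified model of the dependency-version audit that
# magento/composer-dependency-version-audit-plugin performs, plus a
# composer.lock exemption. All repository contents below are constructed.

PRIVATE_REPO = {"magento/composer": ["1.7.0", "1.8.0"]}          # repo.magento.com (constructed)
PUBLIC_REPO = {"magento/composer": ["1.7.0", "1.8.0", "1.9.0"]}  # packagist.org (constructed)


def parse_version(v: str) -> tuple:
    """Turn '1.9.0' into (1, 9, 0) for comparison; a pre-release suffix is dropped."""
    return tuple(int(p) for p in v.lstrip("v").split("-")[0].split("."))


def satisfies(version: str, constraint: str) -> bool:
    """Exact ('1.8.0') or caret ('^1.8': same major, not lower) constraints only."""
    if constraint.startswith("^"):
        base, v = parse_version(constraint[1:]), parse_version(version)
        return v[0] == base[0] and v >= base
    return parse_version(version) == parse_version(constraint)


def highest_matching(versions, constraint):
    """Highest version in a repository that satisfies the constraint, or None."""
    matching = [v for v in versions if satisfies(v, constraint)]
    return max(matching, key=parse_version) if matching else None


def audit(package, constraint, private, public, locked=None):
    """Return None when the install may proceed, else the complaint the audit raises.

    `locked` is the version pinned in composer.lock. If that pinned version exists in
    the private repository the check is skipped: installing a known-good, previously
    resolved version is not an upgrade, so no public/private comparison is needed.
    """
    if locked is not None and locked in private.get(package, []):
        return None
    best_private = highest_matching(private.get(package, []), constraint)
    best_public = highest_matching(public.get(package, []), constraint)
    if best_private is None or best_public is None:
        return None  # nothing to compare (package absent from one side)
    if parse_version(best_public) > parse_version(best_private):
        return (f"Higher matching version {best_public} of {package} was found in public "
                f"repository packagist.org than {best_private} in private https://repo.magento.com")
    return None
```

The complaint string mirrors the one quoted at the end of this thread; the constructed data reproduces the 1.9.0-only-on-packagist situation, and adding 1.9.0 to the private repository dictionary clears it.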
Hi @admanesachin
I agree with @hostep. I cannot publish the composer.json here because it is a live site.
Running Magento 2.4.3-p3, and because of the latest release magento/composer 1.9.0, `composer install` is failing.
Higher matching version 1.9.0 of magento/composer was found in public repository packagist.org than 1.8.0 in private https://repo.magento.com. Public package might've been taken over by a malicious entity, please investigate and update package requirement to match the version from the private repository
What is the best solution for this? Thanks