Composer require fills lock file with 2tvenom/cborencode src and dist

[marceldekoning]

Summary

When I execute the composer require command after a clean installation, all the packages in the composer.lock file are replaced with references to the 2tvenom/cborencode package which makes it impossible afterwards to execute the composer install command because all the packages are returned 404.

Preconditions (*)

1. Magento 2.4.3
2. PHP 7.4
3. Composer V1

Steps to reproduce (*)

1. Clone a clean copy of Magento 2.4.3 with composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition
2. Require a package with composer require a/module-b
3. Inspect your composer.lock file.

Expected result (*)

1. All packages should have their own source and dist URL

Actual result (*)

1. All packages have the source URL set to https://github.com/2tvenom/CBOREncode.git
2. All distributions come from https://api.github.com/repos/2tvenom/CBOREncode/zipball/[randomstring]

• [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• [X] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant[bot]]

Hi @marceldekoning. Thank you for your report. To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, please, review the Magento Contributor Assistant documentation.

Please, add a comment to assign the issue: @magento I am working on this

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

  :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

:movie_camera: You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[n2diving-dgx]

I also had problem when upgrading from M2.4.3 to M2.4.3-p1 after composer require magento/product-community-edition=2.4.3-p1

My work around was to: (1) rm composer.lock (2) view/edit composer.json to be sure "version":"2.4.3-p1" (3) composer config -g repo.packagist composer https://packagist.org (4) composer update

[pemann]

I had this same weird problem after upgrading from 2.4.2 to 2.4.3. What I did to resolve this was: (1) Remove dependency "magento/composer-root-update-plugin": "^1.1" from composer.json (2) Remove composer.lock file (3) Remove vendor folder (4) Run composer install

[marceldekoning]

Allright, thank you guys. Only removing "magento/composer-root-update-plugin" wasn't enough for me. I also had a package called: "magento/composer-dependency-version-audit-plugin".

After removing magento/composer-root-update-plugin, the 2tvenom/cborencode package was removed from my composer.lock but all the packages were mixed up. Didn't make any sense at all.

After removing the magento/composer-dependency-version-audit-plugin package, everything looked fine again.

I really don't know exactly what these modules suppose to do, but if they are included in the project, these weird behavior should be fixed.

[hostep]

@pdohogne-magento: any idea what could be going on here?

[Axel29]

Thank you for your help! It worked for me by removing magento/composer-dependency-version-audit-plugin and running composer update with composer 2 (I don't know why but with composer 1 I still had 3 packages that had the wrong URL, I could have fixed them manually but Composer 2 did it on it's own).

I've been struggling with that for a whole day until I found this post, thanks a lot!

[denis-zyk]

I've observed this weird behaviour some time ago, and none of the above workarounds have worked back then, except for the following one (similar to @Axel29):

0. rollback composer.lock file or remove it completely
1. rm -rf vendor/*
2. rm -rf var/vendor/*
3. switch to composer V2
4. composer clear-cache
5. composer install (composer.lock should be OK afterwards)
6. switch back to composer V1 - the issue should not be reproducible anymore

[Axel29]

I've observed this weird behaviour some time ago, and none of the above workarounds have worked back then, except for the following one (similar to @Axel29):

1. rollback composer.lock file or remove it completely
2. rm -rf vendor/*
3. rm -rf var/vendor/*
4. switch to composer V2
5. composer clear-cache
6. composer install (composer.lock should be OK afterwards)
7. switch back to composer V1 - the issue should not be reproducible anymore

The problem with removing completely the composer.lock file would be that some packages could be upgraded due to version constraints in the composer.json file (example: vendor/module:^1.7 could get the v1.7.9 instead of previously locked 1.7.1).

[denis-zyk]

The problem with removing completely the composer.lock file would be that some packages could be upgraded due to version constraints in the composer.json file (example: vendor/module:^1.7 could get the v1.7.9 instead of previously locked 1.7.1).

You are absolutely correct, but that wasn't the issue for us as we struggled to get a correct version of composer.lock file after upgrade in the first place, and we wanted other modules being upgraded anyway. Moreover, you said you had run composer update - which essentially updates packages listed in composer.json to the latest versions, just like in your example ;)

[jankovandeventer]

I had this issue today where my Magento 2 Base was replaced by 2tvenom.

workaround: magento/composer-dependency-version-audit-plugin

1. composer remove magento/composer-dependency-version-audit-plugin
2. magento/composer-root-update-plugin
3. removed composer.lock
4. removed vendor folder
5. composer clearcache
6. `composer install

What a hassle.

[m2-assistant[bot]]

Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Bravo]

Hi @marceldekoning

We have tried to reproduce this issue but for us, it is not reproducible.

Precondition: Php 7.4 Compose 2.1.6 Magento 2.4.3

We have followed below steps

1.Installed magento version 2.4.3

2. composer require shipperhq/module-shipper

   

3. Composer.lock file contains correct dist and source

   

Please let us know if we are missing any steps here.

[JonathanBBD]

This is still a problem.

Just reproduced during my own Magento upgrade from 2.3.7-p2 to 2.4.3-p1.

I followed these steps in https://devdocs.magento.com/guides/v2.4/comp-mgr/cli/cli-upgrade.html

(not within the steps, but since it's a composer issue, start with composer clear-cache)

composer require magento/composer-root-update-plugin ~2.0 --no-update
composer update
composer remove magento/product-community-edition --no-update
composer require-commerce magento/product-community-edition 2.4.3-p1 --no-update
composer update

Now composer.lock is now full saturated of 2tvenom/cborencode.

Thanks to @jankovandeventer I could fix the composer.lock file. You cannot skip any of his steps (I tried skipping the 'remove vendor' part but it fixed it when I removed the folder, clear my composer cache, deleted composer.lock and updated it)

[pdohogne-magento]

@JonathanBBD One note about the steps you have listed:

composer remove magento/product-community-edition --no-update
composer require-commerce magento/product-community-edition 2.4.3-p1 --no-update

If you are just moving between versions and not editions (e.g. from 2.3.7-p2 to 2.4.3-p1 and not from Magento Open Source to Adobe Commerce), you don't need the remove command. I don't think that's related to the issue here, but it's worth trying. I'll see if we can get that clarified in the docs.

Also, if you ever remove composer.lock it's a good idea to remove vendor as well; composer expects vendor to be empty if there's no lock file and thus doesn't clean it properly if it still exists (it tries to do the minimum necessary for the expected state for performance).

[zuongthaotn]

I have same problem, it happens every time I install a new extension by composer.

[edward-simpson]

Is there any chance there's a malicious nature to this? Imagine there's a fair amount of data to be gained by proxying all composer installs through a single endpoint?

[dfelton]

For what it is worth, I just reviewed a PR of a web agency's contribution to my company's project, and when reviewing the diff for the composer.lock file I too discovered this exact same issue was present in the PR that had been submitted.

Some searching around led me to this GitHub issue, and it relieved me (a little, not much) that others have experienced this problem too. I highly suspected something malicious was going on (still not entirely convinced there isn't...).

Despite attempting to reproduce the issue on my end with both Composer v1 and v2 I had no luck. Localhost testing showed that performing a rm -rf vendor/ && git reset --hard HEAD && composer install with the bad lock file in place did succeed in successfully installing packages, still, I will be rejecting the PR and asking the web agency what the heck happened for the file to get this way.

[rob-gonz]

Just had this occur to us on EE version going from 2.4.2 to 2.4.3. Something weird is going on with composer proxying in my opinion.

[tales-desde-mileto]

I can reproduce if I use composer 1 (1.10.24) But: https://devdocs.magento.com/guides/v2.4/install-gde/system-requirements.html Magento 2.4.3 --> "required" composer 2 Composer 1 with 2.4.3 is not in matrix of "system requirement" Perhaps the fix could be use composer 2 Same problem if you use composer 2?

[vandijkstef]

I had this same weird problem after upgrading from 2.4.2 to 2.4.3. What I did to resolve this was: (1) Remove dependency "magento/composer-root-update-plugin": "^1.1" from composer.json (2) Remove composer.lock file (3) Remove vendor folder (4) Run composer install

Reproduced with Composer 1.10.25 Mage 2.4.3-p1, upon new module install, and fixed by quoted above

[vandijkstef]

As this issue bothered me again, I went and tried to find something more:

I can confirm this issue using the steps in the original issue, using 'composer require picqer/php-barcode-generator' on both OSX (PHP 7.4.21 / composer 1.10.25) and WSL Ubuntu (PHP 7.4.27 / composer 1.10.23) using a fresh Magento 2.4.3.

I can also confirm that you have to delete both 'composer.lock' and 'vendor/' dir to be able to fix the issue with 'composer install'.

Here is the (final) composer.json file:

{
    "name": "magento/project-community-edition",
    "description": "eCommerce Platform for Growth (Community Edition)",
    "type": "project",
    "license": [
        "OSL-3.0",
        "AFL-3.0"
    ],
    "config": {
        "preferred-install": "dist",
        "sort-packages": true
    },
    "version": "2.4.3-p1",
    "require": {
        "magento/composer-dependency-version-audit-plugin": "~0.1",
        "magento/composer-root-update-plugin": "~1.1",
        "magento/product-community-edition": "2.4.3-p1",
        "picqer/php-barcode-generator": "^2.2"
    },
    "autoload": {
        "exclude-from-classmap": [
            "**/dev/**",
            "**/update/**",
            "**/Test/**"
        ],
        "files": [
            "app/etc/NonComposerComponentRegistration.php"
        ],
        "psr-0": {
            "": [
                "app/code/",
                "generated/code/"
            ]
        },
        "psr-4": {
            "Magento\\": "app/code/Magento/",
            "Magento\\Framework\\": "lib/internal/Magento/Framework/",
            "Magento\\Setup\\": "setup/src/Magento/Setup/"
        }
    },
    "require-dev": {
        "allure-framework/allure-phpunit": "~1.4",
        "dealerdirect/phpcodesniffer-composer-installer": "^0.7.0",
        "friendsofphp/php-cs-fixer": "~2.18.1",
        "lusitanian/oauth": "~0.8.10",
        "magento/magento-coding-standard": "*",
        "magento/magento2-functional-testing-framework": "^3.0",
        "pdepend/pdepend": "~2.7.1",
        "phpcompatibility/php-compatibility": "^9.3",
        "phpmd/phpmd": "^2.8.0",
        "phpstan/phpstan": "^0.12.77",
        "phpunit/phpunit": "^9",
        "sebastian/phpcpd": "^6.0.3",
        "squizlabs/php_codesniffer": "~3.5.4",
        "symfony/finder": "^5.2"
    },
    "conflict": {
        "gene/bluefoot": "*"
    },
    "autoload-dev": {
        "psr-4": {
            "Magento\\PhpStan\\": "dev/tests/static/framework/Magento/PhpStan/",
            "Magento\\Sniffs\\": "dev/tests/static/framework/Magento/Sniffs/",
            "Magento\\TestFramework\\Inspection\\": "dev/tests/static/framework/Magento/TestFramework/Inspection/",
            "Magento\\TestFramework\\Utility\\": "dev/tests/static/framework/Magento/TestFramework/Utility/",
            "Magento\\Tools\\": "dev/tools/Magento/Tools/",
            "Magento\\Tools\\Sanity\\": "dev/build/publication/sanity/Magento/Tools/Sanity/"
        }
    },
    "minimum-stability": "stable",
    "prefer-stable": true,
    "repositories": [
        {
            "type": "composer",
            "url": "https://repo.magento.com/"
        }
    ],
    "extra": {
        "magento-force": "override"
    }
}

I can reproduce if I use composer 1 (1.10.24) But: https://devdocs.magento.com/guides/v2.4/install-gde/system-requirements.html Magento 2.4.3 --> "required" composer 2

I see composer 2 only required starting at Mage 2.4.4+, besides theres still packages not available in Composer 2 for me. Maybe it changed in the meantime.

May I stress that installing and/or updating a package takes A LOT more time with this issue around?

Please let us know if we are missing any steps here.

@engcom-Bravo You missed we're all doing this on Composer 1, which should be the version according to the documentation right now.

Furthermore I tried 'composer update' with composer-dependency-version-audit-plugin and composer-root-update-plugin REMOVED, but this didn't solve anything. I assume the others that have been lucky, accidently also deleted both the lock-file and the vendor dir

[agorbulin]

I confirm the problem on Magento Cloud 2.4.4 + composer 1.10.22 After switching to composer 2.3.2, problem solved. After switching back to composer 1.10.22, problem comes back.

[yuriichayka]

Seems the issue appears only when you specify the exact version when requiring some module, for example - composer require amasty/meta:1.3.2

My STR:

1. Have Magento 2.4.3 EE installed with PHP 7.4.28 and composer 1.10.22.
2. Make sure that "composer/composer" in composer.lock is of 1.10.22 version, by requiring it in the composer,json
3. composer require magento/product-enterprise-edition:2.4.4 --no-update
4. composer update
5. composer require amasty/meta:1.3.2

And a workaround seems to be removing 'magento/composer-dependency-version-audit-plugin', as follows in the root composer.json:

1. Add the following to the root composer.json:

           "replace": {
               "magento/composer-dependency-version-audit-plugin": "*"
           }

2. remove vendor directory
3. composer update OR just add the mentioned instruction to compose.json before doing composer update for 2.4.4 version.

[yuriichayka]

Hi @engcom-Bravo Can you please try reproducing it again by the steps provided above?

[fabrice-dresscodes]

Hi,

I got the same problem today when migrating from Community 2.3.3 to 2.4.4.

Deleting the composer.lock and vendor/* folder let the composer installation finishing.

[necrojan]

Got the same problem. Mine's fixed by following @n2diving-dgx instructions.

[janssensjelle]

Got the same issue here. The steps mentioned above didn't resolve it for me.

Magento 2.4.3-p2 - PHP 7.4.26 - composer 1.10.26

For me the fix was to replace magento/module-two-factor-auth

[m2-assistant[bot]]

Hi @engcom-Dash. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
     Details

     If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.
• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.
• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.
• 4. Verify that the issue is reproducible on 2.4-develop branch
     Details

     - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
     - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
     - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[m2-assistant[bot]]

Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Lima]

:heavy_check_mark: Issue confirmed

Issue got reproduced in 2.4.4 && 2.4.5 branch.

Description: While installing extension all the packages in the composer.lock file ,source and dist url are replaced with references to the 2tvenom/cborencode package.

Pre-requisite:

1. Magento 2.4.3
2. PHP 7.4
3. Composer V1

Steps to reproduce:

1. Upgrade magento 2.4.3 to magento 2.4.4 .
2. Run composer require shipperhq/module-shipper in terminal.
3. Inspect your composer.lock file.

Expected result:

1. All packages should have their own source and dist URL

Actual result:

1. All packages have the source URL set to https://github.com/2tvenom/CBOREncode.git
2. All distributions come from https://api.github.com/repos/2tvenom/CBOREncode/zipball/[randomstring]

Screenshots:

Other package source:

Note : Same issue observed while upgrading from 2.4.4 to 2.4.5.

Hence,confirming the issue.

[github-jira-sync-bot]

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-6505 is successfully created for this GitHub issue.

[m2-assistant[bot]]

:white_check_mark: Confirmed by @engcom-Lima. Thank you for verifying the issue.
Issue Available: @engcom-Lima, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[github-jira-sync-bot]

:x: Cannot export the issue. This GitHub issue is already linked to Jira issue(s): https://jira.corp.adobe.com/browse/AC-6505

[devteam-carmelo]

Using composer 2 seems to solve the issue.

[vandijkstef]

Using composer 2 seems to solve the issue.

Yes. But 2.4.3-X and 2.4.4-X has a support for Composer 1 according to the documentation (https://experienceleague.adobe.com/docs/commerce-operations/installation-guide/system-requirements.html).

And half this thread has been about making aware that this is limited to Composer 1. If we wait till EOL of 2.4.3/2.4.4 we can close this issue indeed

[DominicWatts]

If you are staying with Composer 1 the Solution for me was as follows:

• rename ./vendor and composer.lock
• hard set a load of versions in composer.json to match current versions (to stop unnecessary upgrades)
• run composer install

Some development tools (require-dev) were upgraded but otherwise I got a clean composer.lock and a stable site.