Closed phenaproxima closed 3 months ago
Looks like the upstream bug was fixed in Composer: https://github.com/composer/composer/issues/11704.
Do we want to just close this out?
Here's how we could test this out manually. In a Drupal project (just a regular recommended-project will do), running `composer update -vvv` should NOT have requests like this in it:

Downloading https://packages.drupal.org/files/packages/8/p2/consolidation/annotated-command.json

That's an example of Composer asking a repository for info on a package it does not have, and never has.
Can confirm that, testing manually with Composer 2.7.7, I didn't see any of those bad requests.
I discovered why Composer makes so many extra requests for packages that are not part of a particular repository (as surfaced in https://github.com/composer/composer/issues/11704 and https://github.com/php-tuf/drupal-project/pull/1) -- `composer require` and `composer update` will do a security audit by default, unless you pass the `--no-audit` option. While auditing, repositories that support it are queried for all packages, even ones they don't provide.

To be clear, this is an upstream bug in Composer and still needs to be fixed; I will update and repurpose https://github.com/composer/composer/issues/11704. But we can work around it by overriding `ComposerRepository::getSecurityAdvisories()` so that, if we are using an `available-package-patterns` filter, we don't try to get security advisories for packages we don't provide.
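The workaround described in the comment above, written out as an added example; this is not code from the issue thread or from the php-tuf project. The class name `PatternAwareComposerRepository`, its namespace, and the `filterByPatterns()` helper are my own inventions. It relies on Composer 2.4+ providing `ComposerRepository::getSecurityAdvisories(array $packageConstraintMap, bool $allowPartialAdvisories = false): array` (returning `namesFound` and `advisories` keys) and `getRepoConfig()`, and it uses PHP's `fnmatch()` to approximate Composer's own glob handling of `available-package-patterns` and the exact-name `available-packages` list. Composer's classes are assumed to be autoloadable, as they would be inside a plugin.

```php
<?php
// Added example (not the issue's or php-tuf's code): a hypothetical
// ComposerRepository subclass that only asks the repository for security
// advisories about packages it is configured to provide. This is a
// workaround for Composer's audit step querying every advisory-capable
// repository for every package in the project.

declare(strict_types=1);

namespace Example\Workaround; // assumption: any plugin namespace works

use Composer\Repository\ComposerRepository;

class PatternAwareComposerRepository extends ComposerRepository
{
    /**
     * Keep only the entries of $packageConstraintMap whose package name is
     * listed in $exactNames or matches one of the glob $patterns.
     *
     * @param array<string, mixed> $packageConstraintMap  package name => constraint
     * @param string[]             $patterns              globs such as "drupal/*"
     * @param string[]             $exactNames            exact names from available-packages
     * @return array<string, mixed>
     */
    public static function filterByPatterns(array $packageConstraintMap, array $patterns, array $exactNames = []): array
    {
        // No restriction configured: the repository may provide anything,
        // so behave exactly like the parent class.
        if ($patterns === [] && $exactNames === []) {
            return $packageConstraintMap;
        }

        $exact = array_flip(array_map('strtolower', $exactNames));

        return array_filter(
            $packageConstraintMap,
            static function (string $name) use ($patterns, $exact): bool {
                if (isset($exact[strtolower($name)])) {
                    return true;
                }
                foreach ($patterns as $pattern) {
                    // fnmatch() approximates Composer's glob semantics;
                    // Composer itself converts the pattern to a regexp.
                    if (fnmatch($pattern, $name, FNM_CASEFOLD)) {
                        return true;
                    }
                }
                return false;
            },
            ARRAY_FILTER_USE_KEY
        );
    }

    public function getSecurityAdvisories(array $packageConstraintMap, bool $allowPartialAdvisories = false): array
    {
        $repoConfig = $this->getRepoConfig();
        $patterns   = (array) ($repoConfig['available-package-patterns'] ?? []);
        $exactNames = (array) ($repoConfig['available-packages'] ?? []);

        $packageConstraintMap = self::filterByPatterns($packageConstraintMap, $patterns, $exactNames);

        // Nothing this repository could know about: answer without any HTTP request.
        if ($packageConstraintMap === []) {
            return ['namesFound' => [], 'advisories' => []];
        }

        return parent::getSecurityAdvisories($packageConstraintMap, $allowPartialAdvisories);
    }
}

// Offline check of the filter on constructed input (no Composer instance needed):
// with the pattern "drupal/*", only the drupal/core entry should survive.
$constraints = [
    'drupal/core'                     => '^10',
    'consolidation/annotated-command' => '^4',
    'symfony/console'                 => '^6',
];
print_r(PatternAwareComposerRepository::filterByPatterns($constraints, ['drupal/*']));
```

A plugin would register this subclass in place of `ComposerRepository` for the repository it manages. The trailing `print_r` call exercises only the pure filter, so it can be run without a Composer project to confirm that `consolidation/annotated-command` and `symfony/console` are dropped before any request is built.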