shipperhq / module-shipper

Base ShipperHQ Repo
Open Software License 3.0

Version 20.45.5 is not available in official repo.magento.com (nor in Github releases) #106

Closed denis-zyk closed 2 years ago

denis-zyk commented 2 years ago

[image: screenshot of the composer error]

When trying to upgrade ShipperHQ modules with composer, the error occurs as seen on the screenshot above ☝️

Here is the official Magento support article: https://support.magento.com/hc/en-us/articles/4410675867917-Composer-plugin-against-Dependency-Confusion-attacks

Expectations from extension developers

  • There is no way to know for certain if the package for a plugin, if from a public repo, has been compromised or not. The plugin will detect when a public version of a package at packagist.org has a higher version than the one available from a private repo like repo.magento.com. We strongly recommend that extension developers avoid such situations and do not publish newer versions publicly than those available through repo.magento.com.
  • Adobe Commerce understands that the Marketplace review process may delay extensions release availability, but the process is there to keep merchants safe and to help extensions developers find accidental mistakes they might have missed.
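The rule quoted above (block a package when its highest public version on packagist.org exceeds the highest version a private repository offers) is easy to model offline. The script below is an added example, not the Magento plugin's own code and not code from this repository; the two package indexes are constructed sample data, and the version-ordering details (numeric dotted parts, a pre-release suffix sorting below its release) are an assumption about how such a check would be written, not a description of the plugin's exact implementation.

```python
"""Offline model of the dependency-confusion check described in the Magento article:
flag any package whose highest public (packagist.org) version is greater than the
highest version offered by a private repository. Added example; not the plugin's code.
The index layout and the sample versions below are constructed for illustration."""

import re

# Constructed sample indexes (not real package data): package name -> versions offered.
PUBLIC_INDEX = {
    "shipperhq/module-shipper": ["20.45.3", "20.45.4", "20.45.5"],
    "vendor/module-foo": ["1.0.0", "1.1.0"],
    "vendor/module-bar": ["2.0.0-beta1", "2.0.0"],
}
PRIVATE_INDEX = {
    "shipperhq/module-shipper": ["20.45.3", "20.45.4"],   # 20.45.5 not published privately yet
    "vendor/module-foo": ["1.1.0"],                       # same top version on both sides
    "vendor/module-bar": ["2.0.0", "2.1.0"],              # private repo is ahead
    "vendor/module-private-only": ["0.9.0"],              # no public namesake at all
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '20.45.5' / 'v1.2' / '2.0.0-beta1' into a comparable key.
    Numeric parts compare as integers; a pre-release suffix sorts below the
    matching release (assumed simplification of semver ordering)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so '1.2' compares equal to '1.2.0'
    pre = m.group(2)
    # (nums, 1, '') for a release; (nums, 0, 'beta1') for a pre-release
    return (nums, 0 if pre else 1, pre or "")


def highest(versions):
    """Highest version string in a list, by the ordering above."""
    return max(versions, key=parse_version)


def audit(private_index, public_index):
    """Return {name: (private_highest, public_highest)} for every package that the
    private repository offers and whose public copy carries a higher version.
    Packages with no public namesake cannot be confused with anything and pass."""
    flagged = {}
    for name, private_versions in private_index.items():
        public_versions = public_index.get(name)
        if not public_versions:
            continue
        priv, pub = highest(private_versions), highest(public_versions)
        if parse_version(pub) > parse_version(priv):
            flagged[name] = (priv, pub)
    return flagged


if __name__ == "__main__":
    for name, (priv, pub) in audit(PRIVATE_INDEX, PUBLIC_INDEX).items():
        print(f"{name}: private offers {priv}, packagist offers {pub} -> install blocked")
```

Run as-is it reports only shipperhq/module-shipper: a package whose private repo is ahead of packagist, one whose top version matches on both sides, and one with no public namesake are all left alone, which is exactly the state the article asks extension developers to maintain.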
wsadasmit commented 2 years ago

Hi denis-zyk,

We have found there's an issue installing ShipperHQ on the latest version of Magento 2.4.3 which can prevent the installation of newly-released versions of some ShipperHQ modules. It's an issue with composer - it's not an issue with our software.

Following this change: "A new Composer plugin helps prevent dependency confusion and identifies malicious packages with the same names as internal packages on the public package repository. See the Adobe Releases New Composer Plugin with Magento 2.4.3 Release blog post."

When you attempt to install module-shipper you'll be presented with the error in your screenshot.

Impact: This will affect any of our extensions that are listed on both Magento Marketplace and Packagist:

So at the moment (at the time this issue was posted, and for a short time immediately following the release of new versions), users on 2.4.3 can’t install ShipperHQ simply by following the installation instructions.

To install: Magento has explained that the offending security module is optional and can be uninstalled. Some customers will balk at that, but at least it's something. So if the customer is game for it, they can run composer remove magento/composer-dependency-version-audit-plugin, after which the SHQ modules install without issue.

If you don't wish to go that route, waiting a week for the new release to also be updated in the Magento Marketplace and attempting to install again should be successful.

We've added these installation troubleshooting steps to our knowledgebase.

denis-zyk commented 2 years ago
  1. I couldn't find where Magento says this new security measure is optional.
  2. This doesn't explain why the latest version of the package isn't available in your private repo https://packages.shipperhq.com the exact same moment it's released on packagist public repo.
  3. We can't wait for a week or more being unable to deploy any other changes which are totally unrelated to SHQ, due to the issue with public vs private repo versions which breaks the whole composer install process.
  4. In Magento's official article it literally says:

    We strongly recommend that extension developers avoid such situations and do not publish newer versions publicly than those available through repo.magento.com.