Composer package issue - Githubissues

pbaum83 commented 2 years ago

Hello,

Just an FYI: today I noticed the following error while running a build. It seems like the composer library might have been compromised.

Installing shipperhq/module-logger (20.5.0): Downloading (connecting...)···························Downloading (100%) ·········
- Installing shipperhq/library-ws (20.5.0): Downloading (connecting...)···························Downloading (100%) ·········
- Installing shipperhq/library-shipper (20.14.0): Downloading (connecting...)···························Downloading (100%) ·········
- Installing shipperhq/module-common (20.9.3): Downloading (connecting...)···························Downloading (100%) ·········
- Installing shipperhq/library-graphql (20.2.0): Downloading (connecting...)···························Downloading (100%) ·········
- Installing lcobucci/jwt (3.4.6): Downloading (connecting...)···························Downloading (0%) ···························Downloading (20%)·················Downloading (25%)·················Downloading (45%)·················Downloading (65%)·················Downloading (70%)·················Downloading (85%)·················Downloading (90%)·················Downloading (100%)
[Exception]
Higher matching version 20.48.1 of shipperhq/module-shipper was found in public repository packagist.org
than 20.48.0 in private https://repo.magento.com/. Public package might've been taken over by a malicious entity,
please investigate and update package requirement to match the version from the private repository

Is there anything we can do to resolve this on our end?

We have specified the following versions in our install:

        "shipperhq/library-graphql": "20.2.0",
        "shipperhq/library-shipper": "20.14.0",
        "shipperhq/library-ws": "20.5.0",
        "shipperhq/module-address-autocomplete": "20.3.3",
        "shipperhq/module-common": "20.9.3",
        "shipperhq/module-logger": "20.5.0",
        "shipperhq/module-shipper": "20.45.5",

Thanks, -Paul

ibraheemnabeelfauzi commented 2 years ago

Hey @pbaum83 - thanks for the heads up, this is known thing - here is the fix: https://docs.shipperhq.com/troubleshooting-magento-2-installations/#Installing_ShipperHQ_on_Magento_243_and_later

pbaum83 commented 2 years ago

Is that the proper solution to fix the problem removing the magento/composer-dependency-version-audit-plugin libarary?

We were able to resolve the problem by doing the following: composer require shipperhq/module-shipper:20.45.5 --no-plugins

ibraheemnabeelfauzi commented 2 years ago

@pbaum83 please see answer here noted by our lead Engineer Travis.

shipperhq / module-shipper

Composer package issue #115