Closed joshsedl closed 2 years ago
Thank you @joshsedl. This should not be skipped, as it's an important security feature to only allow listed plugins to run.
Instead, add the known, whitelisted ones to the composer.json in general before.
I know this is an important security feature; I meant allowing the composer packages we need to execute code to do so.
Ok, currently this should not be implemented, because there is no proper command to allow the plugins.
The problem is that we cannot set the allowed plugins on startup. Using `composer config` will not do anything, because we would need to set all values after creating the composer.json. Since we create the composer.json using `composer create -y 'drupal/recommended-project'`, we already need to allow plugins during setup, so defining the allowed plugins after initialization will not fix the first few prompts for 'drupal/recommended-project'.
Another workaround would be to call all composer methods with `-n` or `--no-interaction`. The problem with this is that this will be deprecated in July 2022, and all methods called like this will have the corresponding plugins automatically disallowed:

> For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.
One possible workaround could be to provide a template composer file which already allows this. But it is quite strange; others should also have this problem in CI/CD...
Or we need to use a different strategy here in general.
Our strategy is good, we just need to wait for https://www.drupal.org/project/drupal/issues/3255749 to be solved, and then add all our additional startup composer packages to the "allow-plugins" section, via composer config. 👍
Very nice! https://www.drupal.org/project/drupal/issues/3255749 is fixed! Allowing the remaining composer packages in our startup script...
EXAMPLE: "Do you trust "dealerdirect/phpcodesniffer-composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]"
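As an added example (not code from this issue or the project), a small audit of the `allow-plugins` map against the plugins that are actually locked, so a startup script or CI job can see which plugins would still prompt or be silently disabled under the new default. The composer.json and composer.lock contents are constructed samples, and the check relies on Composer marking plugin packages with the package type `composer-plugin`.

```python
import json

# Constructed sample files (not from the issue): trimmed composer.json and composer.lock
COMPOSER_JSON = """{
  "config": {
    "allow-plugins": {
      "composer/installers": true,
      "drupal/core-composer-scaffold": true,
      "dealerdirect/phpcodesniffer-composer-installer": false,
      "vendor/removed-plugin": true
    }
  }
}"""
COMPOSER_LOCK = """{
  "packages": [
    {"name": "composer/installers", "type": "composer-plugin"},
    {"name": "drupal/core-composer-scaffold", "type": "composer-plugin"},
    {"name": "drupal/core", "type": "drupal-core"}
  ],
  "packages-dev": [
    {"name": "dealerdirect/phpcodesniffer-composer-installer", "type": "composer-plugin"},
    {"name": "cweagans/composer-patches", "type": "composer-plugin"}
  ]
}"""

def installed_plugins(lock):
    """Names of every locked package (prod and dev) whose type is composer-plugin."""
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"] for p in pkgs if p.get("type") == "composer-plugin"}

def audit_allow_plugins(composer_json, lock):
    """Return (unlisted, blocked, stale): plugins with no allow-plugins entry (these
    prompt, and are disabled under the post-July-2022 default), plugins explicitly
    set to false, and allow-plugins entries for packages that are not installed."""
    allowed = composer_json.get("config", {}).get("allow-plugins", {})
    if allowed is True:  # "allow-plugins": true lets every plugin run code
        raise ValueError("allow-plugins is true: every plugin may execute code")
    if allowed is False:  # "allow-plugins": false disallows everything: no entries
        allowed = {}
    installed = installed_plugins(lock)
    unlisted = sorted(installed - set(allowed))
    blocked = sorted(n for n in installed if allowed.get(n) is False)
    stale = sorted(set(allowed) - installed)
    return unlisted, blocked, stale

def audit_sample():
    """Run the audit on the constructed sample files above."""
    return audit_allow_plugins(json.loads(COMPOSER_JSON), json.loads(COMPOSER_LOCK))
```

Running the audit on a real checkout means loading the project's composer.json and composer.lock instead of the embedded samples; a non-empty `unlisted` list is exactly the set of packages whose "Do you trust ..." prompt the startup script would otherwise hit.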