webshopapps / module-matrixrate

WebShopApps MatrixRates for Magento2
Open Software License 3.0

Composer installation failed on M2.4 #104

Closed gkopec closed 2 years ago

gkopec commented 3 years ago

I tried to install it via composer but it said:

  [Exception]
  Higher matching version 20.2.0 of webshopapps/module-matrixrate was found in public repository packagist.org
  than 20.1.4 in private https://repo.magento.com. Public package might've been taken over by a malicious entity,
  please investigate and update package requirement to match the version from the private repository

wsadasmit commented 3 years ago

Hi @gkopec, thanks for raising this. This blocker with composer is related to a recent security update that Adobe released in M2.4.3. Their specific change was:

A new Composer plugin helps prevent dependency confusion and identifies malicious packages with the same names as internal packages on the public package repository. See the Adobe Releases New Composer Plugin with Magento 2.4.3 Release blog post.

This update unfortunately flags our extension and prevents a composer install until we can release our newest version in the Adobe Marketplace. This is pending as we speak, but we're just waiting on their approval.

In the meantime, Adobe has told us the security module is optional and can be uninstalled. So if you're comfortable doing that, you can run:

composer remove magento/composer-dependency-version-audit-plugin

Then you'll be able to install our module via composer without issue. If you have any other questions, please don't hesitate to reach out!

KZNcode commented 3 years ago

Are there any issues with Magento 2.4.3-p1 release?

wsadasmit commented 2 years ago

@KZNcode if you are asking if this can occur on that version, yes, this plugin is currently expected to be in all versions of Magento later than 2.4.3.

If you're asking about some other issue, please open a new issue to discuss, or feel free to write to support@shipperhq.com if you have more general questions.

Parism commented 2 years ago

Given that Magento introduced the security update to protect from various threats, I think it is not a good idea to remove it as you suggest.

Is there any other way we can install your module to Magento 2.4.3?

Thank you in advance.

wsadasmit commented 2 years ago

Hi @Parism,

In case this might make it more acceptable to you, it should be fine to reinstall the security module after completing the SHQ installation. My understanding is that it just checks version numbers when installing so there shouldn't be any impact on behavior once installed.

Alternatively, if you wait (this can take a few days) and try installing again, it should allow the install with the security module still in place. (This issue occurs for a brief time immediately after a new SHQ module release, and is resolved once that release makes it onto the Magento Marketplace.)

jleslie commented 2 years ago

> Hi @Parism,
>
> In case this might make it more acceptable to you, it should be fine to reinstall the security module after completing the SHQ installation. My understanding is that it just checks version numbers when installing so there shouldn't be any impact on behavior once installed.
>
> Alternatively, if you wait (this can take a few days) and try installing again, it should allow the install with the security module still in place. (This issue occurs for a brief time immediately after a new SHQ module release, and is resolved once that release makes it onto the Magento Marketplace.)

It's been more than a few days and this is still broken. Disabling a security module is not an acceptable solution.
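
The comparison reported in the Composer error quoted at the top of this thread, modelled as an added Python example (not code from the thread, from WebShopApps or from Adobe's plugin). The function names, the wildcard-only constraint handling and every version except 20.2.0 and 20.1.4 are assumptions made for illustration.

```python
# Added illustration; not the source of magento/composer-dependency-version-audit-plugin.
from fnmatch import fnmatch

def parse(version):
    """Turn a plain dotted version such as '20.1.4' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def highest_matching(versions, constraint):
    """Highest version satisfying a wildcard constraint like '20.*', or None."""
    matching = [v for v in versions if fnmatch(v, constraint)]
    return max(matching, key=parse) if matching else None

def audit(package, constraint, private_versions, public_versions):
    """Compare the best candidate in each repository for one requirement.

    Returns (verdict, detail). 'blocked' means the public repository offers a
    higher matching version than the private one, which is the condition the
    error message in this thread reports.
    """
    private = highest_matching(private_versions, constraint)
    public = highest_matching(public_versions, constraint)
    if private is None or public is None:
        return "ok", "package is not offered by both repositories"
    if parse(public) > parse(private):
        return "blocked", (f"{package}: public {public} > private {private}; "
                           f"verify the publisher or pin {package}:{private}")
    return "ok", f"{package}: private {private} is not behind public {public}"

# Constructed version lists; only 20.2.0 and 20.1.4 come from the thread.
PRIVATE = ["20.0.1", "20.1.4"]
PUBLIC_DURING_LAG = ["20.0.1", "20.1.4", "20.2.0"]
PRIVATE_AFTER_APPROVAL = PRIVATE + ["20.2.0"]

if __name__ == "__main__":
    pkg = "webshopapps/module-matrixrate"
    # Release is on the public repository but not yet on the private one.
    print(audit(pkg, "20.*", PRIVATE, PUBLIC_DURING_LAG))
    # Same requirement once the private repository has caught up.
    print(audit(pkg, "20.*", PRIVATE_AFTER_APPROVAL, PUBLIC_DURING_LAG))
    # Requirement narrowed to what the private repository already serves.
    print(audit(pkg, "20.1.*", PRIVATE, PUBLIC_DURING_LAG))
```

In this model the check stops firing either when the private repository catches up or when the requirement is narrowed to the version the private repository serves, which is what the error text itself asks for.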