Composer installation failed on M2.4.3

[jleslie]

[Exception] Higher matching version 20.3.0 of webshopapps/module-matrixrate was found in public repository packagist.org than 20.2.0 in private https://repo.magento.com. Public package might've been taken over by a malicious entity, please investigate and update package requirement to match the version from the private repository Still an issue, and still blocking installs. Disabling security is not an acceptable solution. Opening as follow-up to issue 104 which was closed but never fixed.

[anasshl]

I also have the same error. Is there any updates ?

[ibraheemnabeelfauzi]

Helllo @anasshl @jleslie - please run the following command: composer remove magento/composer-dependency-version-audit-plugin install the extension - and then you can re-install that module afterward.

Thanks!

[jleslie]

@ibraheemnabeelfauzi as I said in my initial post, disabling security is not an acceptable solution. Disabling security for one module is still disabling security. When do you plan on having this fixed. You are the only package people are consistently having this issue with.

[TravisBernard]

@jleslie @anasshl I'm one of the lead devs here. Let me clarify a few points.

• When Magento first released composer-dependency-version-audit-plugin we raised this as an issue to them. We even offered to make a pull request with the necessary changes to allow 'trusted' packages or to let the user to acknowledge the risk and bypass the check for a single install. This would be more in harmony with what Composer 2 already has built in. Magento declined on all points.
• We do - and will continue to - offer zero-day updates here on the repository. We attempt to keep the Magento Marketplace listing up to date however we've seen it take Magento anywhere from days to weeks to get a simple marketplace update approved. Those gaps where the marketplace listing is out of date is when this issue occurs.

The only workaround Magento have left us with at this moment is to temporarily uninstall the composer-dependency-version-audit-plugin, install matrixrate, then reinstall the audit plugin. We agree running your store without a security feature is a problem. But the security plugin is also not an 'active' security feature, it only turns on during composer updates and then all it's doing is checking if the public repo has gotten ahead of the private marketplace repo. This is effectively a 'do you trust this source' check. In this case since a higher version is expected you can temporarily uninstall the security check, install matrixrate, then reinstall the security check.

We're not happy about this workaround either and we're continuing to try to find a better solution however Magento has so far been resistant to improvements to the audit plugin. We'll update here if the situation improves.

[jleslie]

@TravisBernard thanks for taking the time to go through that. I definitely understand Magento being Magento.