Open FlorianSW opened 2 years ago
For reference, allow-plugins
is new in composer 2.2 - https://getcomposer.org/doc/06-config.md#allow-plugins
I also just now found this issue.
Docker mediawiki version mediawiki:1.37.2
adds support for composer
2.2+ according to release notes (before only composer 2.1.14 worked with MW 1.37.1).
But the new security setting blocks installation for e.g. SemanticMediaWiki which currently can only be installed with composer
when I try to use a composer.local.json
file.
And as docker images run non-interactively, I can't agree to add the composer/installers
into the allow-plugins
section. Without manually agreeing, the folder SemanticMediaWiki
can't be placed into extensions/
.
And hacking the original composer.json
file seems not stable over different releases as a third-party.
However, I'm not quite sure on what level: Should it be only the allow-plugins property, which probably would be fine to do unconditionally.
I think it makes sense to merge the whole config, just so additional options like sort-packages
, preferred-install
etc. can be properly merged in as needed.
Right now, suppose there is a root
composer.json
with the following peroperties set:(simplified)
and the following
composer.local.json
:Running
composer update
with this setup will try to install thecomposer/installers
plugin. However, as it is not mentioned in the mainallow-plugins
section, the user will be prompted to decide if this plugin is allowed to be installed or not.The composer-merge plugin should merge in the
allow-plugins
config from included into the main one. However, I'm not quite sure on what level: Should it be only theallow-plugins
property, which probably would be fine to do unconditionally. If it would make sense to consider the whole config property, it would most likely make sense to have amerge-config
(or alike) config for the merge-plugin, like it is already present for the extra and scripts properties.