magento / composer-dependency-version-audit-plugin
Validating packages through a composer plugin
Installs: 563 457
Dependents: 4
Suggesters: 0
Security: 0
Stars: 4
Watchers: 9
Forks: 8
Open Issues: 10
Type:composer-plugin
Requires
- composer-plugin-api: ^1.0 || ^2.0
- composer/composer: ^1.9 || ^2.0
Requires (Dev)
- phpunit/phpunit: ^9
README
This composer plugin is used to protect Adobe Commerce merchants from Dependency confusion attacks. It will detect when a public version of a package
at packagist.org has a higher version than the one available from a private like repo.magento.com. When you try to install/update packages with composer,
if it detects a potential issue, the plugin will give you a recommendation message and stop the process.
By default the plugin will obey the stability configuration in the composer.json config file which is stable
by default. If you would like to be covered for unstable versions of a package (dev, alpha, beta, RC), you can either change the minimum-stability
level or explicit require a dev version or only betas with the version constraint for ex: ‘^1.0.2-beta1’
Installation
composer require magento/composer-dependency-version-audit-plugin
Usage
When you install/update composer, the composer plugin will stop the process if it detects a potential Dependency Confusion attack. In that case, composer install/update will fail with an error message similar to:
Higher matching version x.x.x of package/name was found in public repository packagist.org than x.x.x in private.repo.
Public package might've been taken over by a malicious entity;
please investigate and update package requirement to match the version from the private repository.