diff --git a/web/core/modules/package_manager/src/Validator/ComposerPatchesValidator.php b/web/core/modules/package_manager/src/Validator/ComposerPatchesValidator.php
index c075b48..8db15df 100644
--- a/web/core/modules/package_manager/src/Validator/ComposerPatchesValidator.php
+++ b/web/core/modules/package_manager/src/Validator/ComposerPatchesValidator.php
@@ -7,6 +7,7 @@
 use Composer\Semver\Semver;
 use Drupal\Component\Serialization\Json;
 use Drupal\Core\Extension\ModuleHandlerInterface;
+use Drupal\Core\Site\Settings;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\Core\StringTranslation\TranslatableMarkup;
 use Drupal\Core\Url;
@@ -28,6 +29,8 @@
  *   example, be installed in the active directory but not the stage directory
  *   (or vice versa).
  * - It must be one of the project's direct runtime or dev dependencies.
+ * - By default, using composer-patches with Package Manager is disallowed unless
+ *   explicitly enabled via a settings.php flag.
  * - It cannot be installed or removed by Package Manager. In other words, it
  *   must be added to the project at the command line by someone technical
  *   enough to install and configure it properly.
@@ -73,28 +76,42 @@ public function validate(PreOperationStageEvent $event): void {
       $has_staged_update = FALSE;
     }
 
-    // If there's a staged update and the patcher has been installed or removed
-    // in the stage directory, that's a problem.
-    if ($has_staged_update && $plugin_installed_in_active !== $plugin_installed_in_stage) {
-      if ($plugin_installed_in_stage) {
-        $message = $this->t('It cannot be installed by Package Manager.');
-      }
-      else {
-        $message = $this->t('It cannot be removed by Package Manager.');
-      }
-      $messages[] = $this->createErrorMessage($message, 'package-manager-faq-composer-patches-installed-or-removed');
-    }
+    // Check if composer-patches is allowed by the settings.php flag
+    $allow_composer_patches = Settings::get('package_manager_allow_composer_patches', FALSE);
 
-    // If the patcher is not listed in the runtime or dev dependencies, that's
-    // an error as well.
-    if (($plugin_installed_in_active && !$is_active_root_requirement) || ($has_staged_update && $plugin_installed_in_stage && !$is_stage_root_requirement)) {
-      $messages[] = $this->createErrorMessage($this->t('It must be a root dependency.'), 'package-manager-faq-composer-patches-not-a-root-dependency');
+    // If composer-patches is installed but not explicitly allowed, that's an error
+    if ($plugin_installed_in_active && !$allow_composer_patches) {
+      $messages[] = $this->createErrorMessage(
+        $this->t('Using composer-patches with Package Manager is disallowed by default. To allow this combination, set $settings[\'package_manager_allow_composer_patches\'] = TRUE; in your settings.php file.'),
+        'package-manager-faq-composer-patches-disallowed'
+      );
     }
 
-    // If the plugin is misconfigured in either the active or stage directories,
-    // flag an error.
-    if (($plugin_installed_in_active && !$active_configuration_ok) || ($has_staged_update && $plugin_installed_in_stage && !$stage_configuration_ok)) {
-      $messages[] = $this->t('The <code>composer-exit-on-patch-failure</code> key is not set to <code>true</code> in the <code>extra</code> section of <code>composer.json</code>.');
+    // Only continue with other validations if composer-patches is allowed or not installed
+    if ($allow_composer_patches || !$plugin_installed_in_active) {
+      // If there's a staged update and the patcher has been installed or removed
+      // in the stage directory, that's a problem.
+      if ($has_staged_update && $plugin_installed_in_active !== $plugin_installed_in_stage) {
+        if ($plugin_installed_in_stage) {
+          $message = $this->t('It cannot be installed by Package Manager.');
+        }
+        else {
+          $message = $this->t('It cannot be removed by Package Manager.');
+        }
+        $messages[] = $this->createErrorMessage($message, 'package-manager-faq-composer-patches-installed-or-removed');
+      }
+
+      // If the patcher is not listed in the runtime or dev dependencies, that's
+      // an error as well.
+      if (($plugin_installed_in_active && !$is_active_root_requirement) || ($has_staged_update && $plugin_installed_in_stage && !$is_stage_root_requirement)) {
+        $messages[] = $this->createErrorMessage($this->t('It must be a root dependency.'), 'package-manager-faq-composer-patches-not-a-root-dependency');
+      }
+
+      // If the plugin is misconfigured in either the active or stage directories,
+      // flag an error.
+      if (($plugin_installed_in_active && !$active_configuration_ok) || ($has_staged_update && $plugin_installed_in_stage && !$stage_configuration_ok)) {
+        $messages[] = $this->t('The <code>composer-exit-on-patch-failure</code> key is not set to <code>true</code> in the <code>extra</code> section of <code>composer.json</code>.');
+      }
     }
 
     if ($messages) {