Split off from #3255749: Composer v2.2 prompts to authorize plugins

Problem/Motivation

I'm seeing the message

For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins
You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.

on all automated test branches of 9.3.x-dev, 9.4.x-dev and 10.0.x-dev near the Drupal\Tests\Composer\Plugin\Scaffold\Functional\ManageGitIgnoreTest test.

I hope the attached patch (which seems to apply on all mentioned branches) will prevent that message.

Steps to reproduce

Look at the full console output of any full test run on the Drupal CI environment mentioned above.

Proposed resolution

Add an "allow-plugins" sub-section in the "config" section of the appropriate composer.json templates.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comment  File                     Size     Author
#3       3277025-test-only.patch  1.5 KB   spokje
#3       3277025-3.patch          2.26 KB  spokje
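
An added example, not part of the original issue or of the Drupal patch: a small Python check that a CI job could run over composer.json files to report a missing `allow-plugins` declaration (the condition behind the Composer 2.2 message quoted above) or an overly broad one. The sample manifests and finding codes are constructed for illustration, and `drupal/core-composer-scaffold` as the allowed plugin is an assumption.

```python
import json

# Constructed sample manifests (assumptions; not the fixture templates
# touched by the patch on this issue).
SAMPLES = {
    "no-declaration": '{"name": "example/site", '
                      '"require": {"drupal/core-composer-scaffold": "*"}}',
    "explicit-list": '{"name": "example/site", "config": {"allow-plugins": '
                     '{"drupal/core-composer-scaffold": true}}}',
    "allow-all": '{"name": "example/site", "config": {"allow-plugins": true}}',
    "wildcard": '{"name": "example/site", "config": {"allow-plugins": '
                '{"example/*": true, "other/plugin": false}}}',
}


def audit_allow_plugins(manifest_text):
    """Return a list of finding codes for one composer.json document."""
    manifest = json.loads(manifest_text)
    config = manifest.get("config")
    # An empty "config" may be serialised as [] rather than {}.
    if not isinstance(config, dict) or "allow-plugins" not in config:
        return ["missing"]          # Composer 2.2 prints the warning here
    setting = config["allow-plugins"]
    if setting is True:
        return ["allow-all"]        # every installed plugin may run code
    if setting is False:
        return []                   # no plugin may run; nothing to flag
    if not isinstance(setting, dict):
        return ["malformed"]
    findings = []
    for pattern, allowed in sorted(setting.items()):
        if not isinstance(allowed, bool):
            findings.append("malformed:" + pattern)
        elif allowed and "*" in pattern:
            # A wildcard grant also covers packages nobody has reviewed yet.
            findings.append("wildcard-allow:" + pattern)
    return findings


def audit_all(samples):
    """Audit every named manifest and return {name: findings}."""
    return {name: audit_allow_plugins(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, findings or "ok")
```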

Comments

Spokje created an issue. See original summary.

spokje’s picture

Issue summary: View changes
spokje’s picture

Status  File size
new     2.26 KB
new     1.5 KB
spokje’s picture

Status: Active » Needs review

@The Powers That Be: The test-only patch was created by @longwave in #3255749-2: Composer v2.2 prompts to authorize plugins, please add credits

spokje’s picture

Assigned: spokje » Unassigned
wim leers’s picture

Status: Needs review » Reviewed & tested by the community

Test-only patch has this:

1) Drupal\Tests\Composer\Plugin\Scaffold\Functional\ManageGitIgnoreTest::testUnmanagedGitIgnoreWhenGitNotAvailable
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'Scaffolding files for fixtures/drupal-assets-fixture:\n
+'For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins\n
+You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.\n
+Scaffolding files for fixtures/drupal-assets-fixture:\n
   - Copy [web-root]/.csslintrc from assets/.csslintrc\n
   - Copy [web-root]/.editorconfig from assets/.editorconfig\n
   - Copy [web-root]/.eslintignore from assets/.eslintignore\n

The changes in the test logic are AFAICT only to get clean output, i.e. a cleaner string to compare against than HEAD gets.

The fix makes sense.

I don't see why we wouldn't go ahead with this?

The last submitted patch, 3: 3277025-3.patch, failed testing.

spokje’s picture

Random JS test failure, back to RTBC.

alexpott credited longwave.

alexpott’s picture

Version: 10.0.x-dev » 9.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 8b44468ec3 to 10.0.x and 73d0a0c117 to 9.5.x and d1721377e6 to 9.4.x. Thanks!

Backported to 9.4.x since it is a test-only fix. Nice to see this oddity resolved.

Crediting @longwave as per #4

  • alexpott committed 8b44468 on 10.0.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

  • alexpott committed 73d0a0c on 9.5.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

  • alexpott committed d172137 on 9.4.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.