Composer v2.2 includes a new security feature for plugin authorization:
As of Composer 2.2.0, the allow-plugins option adds a layer of security allowing you to restrict which Composer plugins are able to execute code during a Composer run.
As a result of that update, without specific configuration, Composer commands for Drupal projects, including:
composer create-project drupal/recommended-project drupal9
and
composer update
will not complete until the user replies y multiple times during the operation, and CI operations (which are non-interactive) will fail under most circumstances.
All of Drupal core's required and require-dev Composer plugins are now listed as allowed in both the drupal/recommended-project and drupal/legacy-project templates.
Sites not based on one of those starter templates should adjust their own composer.json as needed for their Composer version and continuous integration configuration.
Example code to add to composer.json for Drupal 9.x (note that JSON does not allow a trailing comma after the last entry):
    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-project-message": true,
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    }
Example code to add to composer.json for Drupal 10.x:
    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-project-message": true,
            "drupal/core-vendor-hardening": true,
            "phpstan/extension-installer": true,
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    }
The same changes to composer.json can also be made with the composer config command, one plugin per invocation, as the following example for the Drupal 10.x set shows:
composer config allow-plugins.composer/installers true
composer config allow-plugins.drupal/core-composer-scaffold true
composer config allow-plugins.drupal/core-project-message true
composer config allow-plugins.drupal/core-vendor-hardening true
composer config allow-plugins.phpstan/extension-installer true
composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
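Before a CI run hits the prompt described above, it is useful to know which plugins in a project's lock file still have no allow-plugins entry. The following audit is an added example, not code from Drupal or Composer; the composer.json and composer.lock fragments it reads are constructed samples, and exact package names are matched (Composer's wildcard entries such as vendor/* are not expanded here).

```python
import json

# Constructed sample composer.json (not from a real project): one plugin
# allowed, one explicitly blocked, the others not listed at all.
COMPOSER_JSON = json.loads('''{"config": {"allow-plugins": {
    "composer/installers": true,
    "drupal/core-project-message": false}}}''')

# Constructed composer.lock fragment, reduced to the fields the audit reads.
COMPOSER_LOCK = json.loads('''{
  "packages": [
    {"name": "composer/installers", "type": "composer-plugin"},
    {"name": "drupal/core-composer-scaffold", "type": "composer-plugin"},
    {"name": "drupal/core-project-message", "type": "composer-plugin"},
    {"name": "drupal/core", "type": "drupal-core"}],
  "packages-dev": [
    {"name": "phpstan/extension-installer", "type": "composer-plugin"}]}''')


def installed_plugins(composer_lock):
    """Names of every composer-plugin package in the lock, dev included."""
    return sorted(
        pkg["name"]
        for section in ("packages", "packages-dev")
        for pkg in composer_lock.get(section, [])
        if pkg.get("type") == "composer-plugin")


def audit_plugins(composer_json, composer_lock):
    """Classify each installed plugin against config.allow-plugins:
    allowed  - entry is true, the plugin may run
    blocked  - entry is false, Composer skips it without prompting
    unlisted - no entry, so Composer >= 2.2 prompts and CI runs fail
    A bare true/false for allow-plugins applies to every plugin.
    Exact name matching only; wildcard entries are not expanded."""
    policy = composer_json.get("config", {}).get("allow-plugins", {})
    result = {"allowed": [], "blocked": [], "unlisted": []}
    for name in installed_plugins(composer_lock):
        if isinstance(policy, bool):
            result["allowed" if policy else "blocked"].append(name)
        elif name in policy:
            result["allowed" if policy[name] else "blocked"].append(name)
        else:
            result["unlisted"].append(name)
    return result


if __name__ == "__main__":
    for state, names in audit_plugins(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

A non-empty unlisted list is the set of packages that would trigger the interactive prompt, so failing the build on it gives the same signal ahead of the Composer run.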