Change record status: 
Project: 
Introduced in branch: 
9.3.x
Introduced in version: 
9.3.18
Description: 

Composer v2.2 includes a new security feature for plugin authorization:

As of Composer 2.2.0, the allow-plugins option adds a layer of security allowing you to restrict which Composer plugins are able to execute code during a Composer run.

As a result of that update, without specific configuration, Composer commands for Drupal projects, including:

    composer create-project drupal/recommended-project drupal9

and

    composer update

will not complete running until the user replies y multiple times during the operation, and CI operations will fail under most circumstances.

All of Drupal core's required and dev-required Composer plugins are now listed as allowed in both drupal/recommended-project and drupal/legacy-project.

Sites not using one of those starter templates should adjust composer.json (depending on specific end-user Composer and continuous integration configuration).

Example code to add to composer.json for Drupal 9.x:

    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-project-message": true,
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    },

Example code to add to composer.json for Drupal 10.x:

    "config": {
        "allow-plugins": {
            "composer/installers": true,
            "drupal/core-composer-scaffold": true,
            "drupal/core-project-message": true,
            "drupal/core-vendor-hardening": true,
            "phpstan/extension-installer": true,
            "dealerdirect/phpcodesniffer-composer-installer": true
        }
    },

The changes to composer.json can also be made using Composer itself, as the following example shows.

    composer config allow-plugins.composer/installers true
    composer config allow-plugins.drupal/core-composer-scaffold true
    composer config allow-plugins.drupal/core-project-message true
    composer config allow-plugins.drupal/core-vendor-hardening true
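
A pre-flight check for CI, added here as an example (it is not part of the original change record, Drupal or Composer): it compares the allow-plugins rules in composer.json with the packages of type composer-plugin in composer.lock and reports any plugin that has no rule, which is the case that makes Composer stop and ask. The function name and sample data are constructed; first-match-wins rule order, case-insensitive names and `*` wildcards are assumptions based on Composer's documented allow-plugins behaviour.

```python
import fnmatch
import json
import sys

def audit_allow_plugins(composer_json, composer_lock):
    """Sort every locked Composer plugin into allowed / denied / undecided."""
    rules = composer_json.get("config", {}).get("allow-plugins", {})
    plugins = sorted(
        pkg["name"].lower()
        for section in ("packages", "packages-dev")
        for pkg in composer_lock.get(section, [])
        if pkg.get("type") == "composer-plugin"
    )
    report = {"allowed": [], "denied": [], "undecided": []}
    for name in plugins:
        verdict = "undecided"  # no rule: Composer has to ask the user
        if isinstance(rules, bool):  # "allow-plugins": true / false covers everything
            verdict = "allowed" if rules else "denied"
        else:
            for pattern, allow in rules.items():  # assumption: first match decides
                if fnmatch.fnmatchcase(name, pattern.lower()):
                    verdict = "allowed" if allow is True else "denied"
                    break
        report[verdict].append(name)
    return report

# Constructed sample data: the Drupal 9.x allow list from this page, and a
# made-up lock file holding two plugins that the list does not mention.
SAMPLE_JSON = {"config": {"allow-plugins": {
    "composer/installers": True,
    "drupal/core-composer-scaffold": True,
    "drupal/core-project-message": True,
    "dealerdirect/phpcodesniffer-composer-installer": True,
}}}
SAMPLE_LOCK = {
    "packages": [
        {"name": "composer/installers", "type": "composer-plugin"},
        {"name": "drupal/core", "type": "drupal-core"},
        {"name": "drupal/core-composer-scaffold", "type": "composer-plugin"},
        {"name": "drupal/core-vendor-hardening", "type": "composer-plugin"},
    ],
    "packages-dev": [{"name": "example-vendor/example-plugin", "type": "composer-plugin"}],
}

if __name__ == "__main__":  # usage: script.py [composer.json composer.lock]
    paths = sys.argv[1:3]
    data = [json.load(open(p)) for p in paths] if len(paths) == 2 else [SAMPLE_JSON, SAMPLE_LOCK]
    result = audit_allow_plugins(*data)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["undecided"] else 0)
```

Run with the paths to composer.json and composer.lock as arguments; a non-zero exit status means at least one locked plugin still needs an explicit true or false entry.
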
Impacts: 
Site builders, administrators, editors
Module developers
Distribution developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done