composer: Composer 2.7.0 usage with root user leads to plugins not being loaded

Edit from @Seldaek: Here is an explanation and solution:

The problem stems from the fact that when running as root, for safety we now disable plugins. If running interactively Composer prompts you whether you want to enable them, but when non-interactive we just disable them and output a warning.

If you want to allow plugins to run you should set the COMPOSER_ALLOW_SUPERUSER=1 environment variable. This will suppress the warning and let Composer run as usual even when running as root.

However, you should IMO only do this if you can ensure you run trusted code, or if you are in a disposable environment/containerized CI that will get reset at the end of the run anyway. If you run composer with sudo in production machines however IMO you are likely doing something wrong and you should re-evaluate these processes instead of simply suppressing the errors.

Original issue text:

Our running platform is AWS ElasticBeanstalk. The deployment process is failing when using composer 2.7.0 whereas success when using 2.6.6.

sh: symfony-cmd: command not found Script symfony-cmd handling the auto-scripts event returned with error code 127

The problem is that AWS ElasticBeanstalk run composer as root (as I can see from logs). composer 2.7.0 is fixing CVE-2024-24821…

To solve the problem, I force the version of composer to version 2.6.6 : composer self-upgrade 2.6.6.

I opened this issue to help other people to find a solution.

About this issue

Original URL
State: closed
Created 5 months ago
Reactions: 9
Comments: 24 (11 by maintainers)

Commits related to this issue

Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 — committed to Seldaek/composer by Seldaek 5 months ago
Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 — committed to Seldaek/composer by Seldaek 5 months ago
Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 — committed to Seldaek/composer by Seldaek 5 months ago
Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 (#11842) — committed to composer/composer by Seldaek 5 months ago
PB-29625 Set COMPOSER_ALLOW_SUPERUSER to fix pipelines failing See: https://github.com/composer/composer/issues/11839 — committed to passbolt/passbolt_api by ishanvyas22 5 months ago
PB-29625 Set COMPOSER_ALLOW_SUPERUSER to fix pipelines failing See: https://github.com/composer/composer/issues/11839 — committed to passbolt/passbolt_api by ishanvyas22 5 months ago
tec: Fix installation of dependencies in the Docker image For security reasons, Composer now disables plugins when running as root. Unfortunately, this broke the build of the Docker image. Indeed Sym... — committed to Probesys/bileto by marien-probesys 4 months ago

Most upvoted comments

Perhaps what had confused me is that I didn’t change anything relevant from yesterday, but it just suddenly stopped working because of the implicit bump up in version from 2.6.6 to 2.7.0, but this was not visible anywhere, whilst the behavior changed.

Perhaps something like adding --strict to make sure that it always stops on warnings is useful.

Or perhaps make it default to stop on warnings, and adding an additional --ignore-warnings if you don’t care.

oliveradria on Feb 8, 2024

IMHO, this is a breaking change introduced in a minor version but semver states: MINOR version when you add functionality in a **backward compatible** manner.

Now all my containerized symfony applications are failing to deploy, and I don’t even use AWS ElasticBeanstalk.

gnumoksha on Feb 14, 2024

Right, added it 👍🏻

Seldaek on Feb 13, 2024

It’s bitbucket pipelines running everything as root? Do you see a composer warning that plugins have been disabled because it’s running as root?

If so try setting the COMPOSER_ALLOW_SUPERUSER=1 environment variable, that’s a more appropriate fix than downgrading

Seldaek on Feb 8, 2024

As 2.7 breaks some AWS Elastic Beanstalk production environments, maybe add a quick note to the changelogs of composer. As I read the changelogs but still encountered the issue.

Something like:

If you see errors with missing commands (symfony-cmd: command not found) or other failures and you are relying on plugins and running Composer as root (for example when you use AWS ElasticBeanstalk), read https://github.com/composer/composer/issues/11839

maxvisser on Feb 13, 2024

For me it looks like this Screenshot from 2024-02-08 21-33-43

and the error

sh: 1: symfony-cmd: not found

shows up after about 190 lines. So maybe I just didn’t make the connection that it was the root user thing on lines 2/3 that caused it.

oliveradria on Feb 8, 2024

Ah, brilliant, thank you @Seldaek !

                  script:
                      - apt-get update && apt-get install -y unzip
                      - docker-php-ext-install pdo_mysql
                      - cp .env.ci_test .env
                      - cp .env.ci_test .env.test
                      - export COMPOSER_ALLOW_SUPERUSER=1
                      - curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
                      - composer install --prefer-dist --no-interaction
                      - ./vendor/bin/phpunit --testdox --colors="always"

This works without a problem and with composer v2.7.0.

oliveradria on Feb 8, 2024

This is closed but I’ll ask here because maybe somebody sees this. Today we also got lucky and took our productions site down. I’m wondering, shouldn’t Composer return error code so Docker would not finish the build? I mean if it’s not working properly under root, shouldn’t it be more vocal?

hkirsman on Apr 4, 2024

It seems like this change should have been update of major version.

stefanak-michal on Feb 29, 2024

I spent the entire morning debugging why at first, the web folder was not created by Drupal project scaffolding from my Docker image. I then used the COMPOSER_ALLOW_SUPERUSER=1 setting and that fixed that issue. I then spent the entire afternoon and evening trying to figure out why commands such as ./vendor/bin/drush from my container would fail with this error

Fatal error: Uncaught Error: Class “Drupal” not found in /var/www/html/vendor/drush/drush/src/Boot/DrupalBoot8.php:93

After reverting COMPOSER_ALLOW_SUPERUSER=1 and applying the composer self-update 2.6.6 solution, things restarted working as intended. This indicates to me that there’s more to the solution than just setting COMPOSER_ALLOW_SUPERUSER

Arr-n-D on Feb 28, 2024

You’re right, I edited the title and issue to add a clear explanation of what is going on and how to work around it and when it is ok to work around. IMO in CI this isn’t a nasty workaround it’s fine, although I don’t really understand why these CI require you to run as root.

I am working on some tweaks to hopefully highlight the problem a bit closer to where it causes things to break.

Seldaek on Feb 9, 2024

I had the same problem in bitbucket-pipelines.yaml. It’s a simple setup, but I managed to fix it for now by adding a self-update

- curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
- composer self-update 2.6.6  # <-- without this, it fails
- composer install --prefer-dist --no-interaction

Online research shows, that this usually fails when symfony/flex is not installed, but I just updated it now to 2.4.4 and made sure it was installed.

Edit: Error is the same

Generating optimized autoload files

x packages you are using are looking for funding.

Use the `composer fund` command to find out more!

> symfony-cmd

sh: 1: symfony-cmd: not found

Script symfony-cmd handling the auto-scripts event returned with error code 127

Script @auto-scripts was called via post-install-cmd

oliveradria on Feb 8, 2024