composer: Plugins fail on non-interactive composer create-project

Workaround and solution:

The root cause here is that the project’s composer.json does not contain the required allow-plugins configuration to match the plugins it requires.

The trick to workaround this is to use --no-install with create-project so that the project dependencies (and the plugins) do not get installed yet. That then lets you run the composer config command to configure allow-plugins, and finally you can run composer install to complete the install of dependencies.

This could look something like this:

$ composer create-project --no-install foo/bar-project directory
$ cd directory
$ composer config allow-plugins.acme/plugin true
$ composer config allow-plugins.vendor/* true
$ composer install

Original issue below

I can no longer install Magento with composer create-project --no-interaction. I see this is caused by the July 2022 change.

The command I run to install it is:

composer create-project --no-interaction --prefer-dist --no-dev --repository=https://repo.magento.com/ magento/project-community-edition /var/www 2.4.3-p2

Leads to:

#14 59.75 In PluginManager.php line 762:
#14 59.75                                                                                
#14 59.75   laminas/laminas-dependency-plugin contains a Composer plugin which is block  
#14 59.75   ed by your allow-plugins config. You may add it to the list if you consider  
#14 59.75    it safe.                                                                    
#14 59.75   You can run "composer config --no-plugins allow-plugins.laminas/laminas-dep  
#14 59.75   endency-plugin [true|false]" to enable it (true) or disable it explicitly a  
#14 59.75   nd suppress this exception (false)                                           
#14 59.75   See https://getcomposer.org/allow-plugins

How can I use this command in a Docker build?

About this issue

Original URL
State: closed
Created 2 years ago
Reactions: 6
Comments: 28 (7 by maintainers)

Commits related to this issue

Add workaround for https://github.com/composer/composer/issues/10928 — committed to outeredge/edge-docker-magento by davidwindell 2 years ago
Fix allow-plugins check to not check plugins which are anyway incompatible with the current Composer version, refs #10928 — committed to composer/composer by Seldaek 2 years ago
Changed installation workflow starting with Composer 2.3.7 https://github.com/composer/composer/issues/10928#issuecomment-1181534484 — committed to cmuench/n98-magerun2 by cmuench 2 years ago
Add hint in create-project when it fails due to a missing allow-plugins in project, refs #10928 — committed to composer/composer by Seldaek 2 years ago
Remove hack for https://github.com/composer/composer/issues/10928 (seems to work ok now without workaround) — committed to outeredge/edge-docker-magento by davidwindell a year ago

Most upvoted comments

This composer shit fucks up. Why do they have to change something nobody asked for.

MaxChri on Jul 10, 2022

Added a hint in https://github.com/composer/composer/commit/336a0d20c6cd2004b2374f88c30cd15bece7d0ba to suggest the workaround, and added the workaround to the OP here as well to help anyone googling to hopefully find the solution quickly.

Closing this issue now as I don’t see what else we can do. If someone still has unexpected behavior please report a new issue.

BTW 2.3.10 is now released with all the above fixes.

Seldaek on Jul 13, 2022

Surely create-project implies you are happy to accept any plugins from the project you are creating from?

Yes and no. If the project does not ship with a lock file you are doing a composer update and getting latest dependencies. If something got compromised in the meantime and a plugin was added that shouldn’t be there then suddenly you are executing code during composer install that wasn’t expected.

If the project is shipping a lock file, and the lock file is older than Composer 2.2.0 then as of the last releases we allow plugins to run for BC. If the lock file is newer, the project really should have been paying attention to warnings and added the appropriate allow-plugins config.

It’s unfortunate that Magento (as usual I’d say…) lagged behind, they somehow insist on using outdated Composer versions and thus tend to cause pain for their users. I don’t think we should compromise the whole ecosystem’s safety because some project refuses to take dependency management seriously.

Seldaek on Jul 12, 2022

For people having issues with hirak/prestissimo, I would recommend you remove it (composer global remove hirak/prestissimo --no-plugins probably does the trick) as it is completely useless and does not do anything if you are running Composer 2.x.

That said, it is a regression that it fails on this plugin as it should simply be skipped on Composer 2. I have fixed that now in https://github.com/composer/composer/commit/8323e85bc844466fc71a85782bbd0f6141aa2750

Seldaek on Jul 12, 2022

For the people having trouble with setting up Magento using composer create-project (with versions lower than Magento 2.4.4), the following seems to work without problems with Composer version 2.3.9:

$ composer create-project --no-install --repository-url=https://repo.magento.com/ magento/project-community-edition=2.4.3-p2 .
$ composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
$ composer config allow-plugins.laminas/laminas-dependency-plugin true
$ composer config allow-plugins.magento/* true
$ composer install

The trick lies in the --no-install flag, like @stof mentioned before.

I don’t have anything against this new behavior of composer, since it was announced at least half a year before it changed.

hostep on Jul 12, 2022

This is caused by the July 2022 enforced plugin changes (regardless of version).

On Thu, 7 Jul 2022, 19:27 birdman002, @.***> wrote:

I dont know if this is helpful or not but I had a vanilla project with composer/composer 2.2.13 that I could accomplish my cloud docker generation it wouldn’t error out but couldn’t accomplish this on my current code base I would get that error. Looking at it my current code base composer/compose was set to 2.2.16. After updating the composer/composer to 2.2.16 on my vanilla project this same issue fails on this

— Reply to this email directly, view it on GitHub https://github.com/composer/composer/issues/10928#issuecomment-1178043686, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAND6GRXQCNGI4TPF6PHFODVS4OSZANCNFSM522ZLOFA . You are receiving this because you were mentioned.Message ID: @.***>

davidwindell on Jul 7, 2022

3.0 rather than 2.4, as a BC break, and that’s whats made it different from the documentation.

andytson-inviqa on Jul 11, 2022

We’re having quite a similar issue with command

composer create-project magento/magento-coding-standard magento-coding-standard 16.*

on Composer 2.3.7 - worked fine ✅

After updating to 2.3.9 - it started to fail: ❌

Looks like adding --no-plugins flag does the trick, but I can expect such breaking changes in minor version, not in the patch release.

Looks like the changes were caused by https://github.com/composer/composer/pull/10920. I would prefer to revert these changes in the 2.3.x line and add to 2.4, or even in 3.0.

ihor-sviziev on Jul 11, 2022

Having the same issue adding it to the root composer.json file in the allowed plugins keeps erroring on the same thing. Devdocs say add magento/* but the module its complaining about is a magento module. Even adding that package to the composer.json it still complains. What is your workaround @Wotuu ? Thanks!

birdman002 on Jul 7, 2022

For a plugin installed globally, you must configure it as allowed or no in the global composer config, not in the local config.

stof on Jul 7, 2022

@davidwindell if the magento skeleton includes some plugins by default, it should probably configure them as allowed or no in the skeleton, to simplify the experience of new users (see https://github.com/symfony/skeleton/pull/201 for the example about the Symfony skeleton).

Otherwise, it forces to create the project with --no-install, then configure plugins as allowed or no and then run composer install

stof on Jul 7, 2022

After the new composer version is released, I have the same problem with each of our Sylius plugins in github actions:

Error: symfony/flex contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe.
You can run "composer config --no-plugins allow-plugins.symfony/flex [true|false]" to enable it (true) or disable it explicitly and suppress this exception (false)
See https://getcomposer.org/allow-plugins
In PluginManager.php line 762:
  symfony/flex contains a Composer plugin which is blocked by your allow-plug  
  ins config. You may add it to the list if you consider it safe.              
  You can run "composer config --no-plugins allow-plugins.symfony/flex [true|  
  false]" to enable it (true) or disable it explicitly and suppress this exce  
  ption (false)                                                                
  See https://getcomposer.org/allow-plugins

Adding allow-plugins in composer.json like that does not solve the problem:

"allow-plugins": {
            "symfony/flex": true,
        }

liszkapawel on Jul 7, 2022