magento2: Dependency version audit plugin doesn't respect locked versions (magento/composer-dependency-version-audit-plugin)
Preconditions (*)
- PHP 7.4
- Magento 2.4.3-p1
- composer v1
- magento/composer-dependency-version-audit-plugin 0.1.1
- Some dependency available in both private and public package repositories (e.g. shipperhq/module-shipper), where the public repo version is higher than the private repo version (e.g. 20.45.6 vs. 20.45.5)
Steps to reproduce (*)
- Lock the module in question to a specific version in composer.json (e.g. "shipperhq/module-shipper": "20.45.5") as suggested on https://support.magento.com/hc/en-us/articles/4410675867917-Composer-plugin-against-Dependency-Confusion-attacks
Recommendations to merchants
- Take the error message shown when the plugin stops the composer install/update seriously, and contact the extension developer if you recognize the potentially compromised package.
- You can still install Adobe Commerce with the safe version of the package from the Marketplace or another trusted private repository.
- Change the required package version in your composer.json to the exact version found in the Marketplace in order to proceed with the composer install/update.
- Run composer install (if you don't have any lock file yet) or composer update
Expected result (*)
- Install succeeds
Actual result (*)
- The exception is thrown although the module is set to the specific version 20.45.5 in composer.json
Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 2
- Comments: 18 (11 by maintainers)
Dear @Green2Matter,
We have noticed that this issue has not been updated for a period of 14 Days. Hence we assume that this issue is fixed now, so we are closing it. Please raise a fresh ticket or reopen this ticket if you need more assistance on this.
Regards
What will happen if a vendor decides not to provide updates to the Magento Marketplace and instead uses packagist for future releases? That package will be completely blocked and the name will be held hostage by this plugin. That vendor will have to change the package name so it won't be found in repo.magento.com.
@engcom-Hotel do you have the shipperhq module purchased for the account you are using to connect to repo.magento.com? Because if you don't then you will not see the problem. Today I got the same error with the mailchimp/mc-magento2 module. repo.magento.com has version 103.4.44 and packagist 103.4.45. Even though I have it locked on 103.4.44 and the lock file fetches the module from repo.magento.com and not packagist, I still have the error that prevents building an environment.