Issues with Composer dependencies are very common to happen, some related to integrity, but security issues too. That's why Magento 2.4.3 applied a new verification routine via a new Composer plugin. It's going to perform integrity checks during the Composer installations.
Frequently we use private and public composer package repositories to deliver code to Adobe Commerce and Magento Open Source merchants. While Composer allows for a convenient experience, it can introduce certain limitations and occasional risks.
Adobe audits the private composer package repository at repo.magento.com, including performing a malware scan and package upload validation. However, it is possible for a malicious user to claim an unused namespace on the public package repository at packagist.org and upload a malicious code package. The plugin is currently available to both Adobe Commerce and Magento Open Source merchants on the Magento GitHub.
The plugin performs two checks and throws an exception when:
- If the private repositories cannot be reached. It tries to reach the package sending a request for the repo.
- A package is present in private repositories and Packagist (public repository) simultaneously. The version of the package that satisfies the requirement from the public repo is higher.
Adobe will release the new composer plugin in Adobe Commerce 2.4.3 on August 10. The plugin will also be integrated into the Extension Quality Program since release 2.4.3. To avoid EQP failure, no exception might be generated by the composer plugin conditions.
To prevent problems with updating your code on the Magento Marketplace, we recommend you to:
- Use the composer plugin while testing your extensions' installation flows.
- Verify that you own your namespace on Packagist.org.
Are you ready for the upgrade? Let's talk and create a plan of action!