Split off from #3255749: Composer v2.2 prompts to authorize plugins

Problem/Motivation

I'm seeing the message

For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins
You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.

on all automated test branches of 9.3.x-dev, 9.4.x-dev and 10.0.x-dev near the Drupal\Tests\Composer\Plugin\Scaffold\Functional\ManageGitIgnoreTest test.

I hope the attached patch (which seems to apply on all mentioned branches) will prevent that message.

Steps to reproduce

Look at a full console output of any full test run on the Drupal CI environment mentioned above.

Proposed resolution

Add an "allow-plugins" sub-section in the "config" section of the appropriate composer.json templates.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
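The proposed "allow-plugins" declaration can be audited against a lock file. The sketch below is an added example, not code from this issue or from Drupal core. It sorts every locked package of type composer-plugin into allowed, denied or undeclared, and the undeclared ones are those that trigger the message quoted above. The sample composer.json and composer.lock contents are constructed, `example/build-hook` is a hypothetical package, and the first-matching-pattern rule is an assumption about how Composer evaluates wildcard keys.

```python
import fnmatch
import json

# Constructed sample project files; not Drupal's actual composer.json templates.
COMPOSER_JSON = json.loads("""{
  "config": {
    "allow-plugins": {
      "composer/installers": true,
      "drupal/core-composer-scaffold": true,
      "example/*": false
    }
  }
}""")
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "composer/installers", "type": "composer-plugin"},
    {"name": "drupal/core-composer-scaffold", "type": "composer-plugin"},
    {"name": "drupal/core-project-message", "type": "composer-plugin"},
    {"name": "drupal/core", "type": "drupal-core"}
  ],
  "packages-dev": [
    {"name": "example/build-hook", "type": "composer-plugin"}
  ]
}""")


def audit_allow_plugins(composer_json, composer_lock):
    """Sort every locked composer-plugin into allowed, denied or undeclared."""
    rules = composer_json.get("config", {}).get("allow-plugins", {})
    report = {"allowed": [], "denied": [], "undeclared": []}
    locked = composer_lock.get("packages", []) + composer_lock.get("packages-dev", [])
    for name in sorted(p["name"] for p in locked if p.get("type") == "composer-plugin"):
        if isinstance(rules, bool):
            verdict = rules  # a bare true/false applies to every plugin
        else:
            # Keys may be wildcard patterns such as "vendor/*"; first match decides
            # (assumed evaluation order, see lead-in).
            verdict = next((allowed for pattern, allowed in rules.items()
                            if fnmatch.fnmatchcase(name, pattern)), None)
        bucket = "undeclared" if verdict is None else ("allowed" if verdict else "denied")
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit_allow_plugins(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run in CI, a non-empty undeclared list is the signal to review the plugin and add an explicit true or false entry for it.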


Comments

Spokje created an issue.

Spokje

Status: Active » Needs review

@The Powers That Be: The test-only patch was created by @longwave in #3255749-2: Composer v2.2 prompts to authorize plugins, please add credits

Spokje

Assigned: Spokje » Unassigned

Wim Leers

Status: Needs review » Reviewed & tested by the community

Test-only patch has this:

1) Drupal\Tests\Composer\Plugin\Scaffold\Functional\ManageGitIgnoreTest::testUnmanagedGitIgnoreWhenGitNotAvailable
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'Scaffolding files for fixtures/drupal-assets-fixture:\n
+'For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code. See https://getcomposer.org/allow-plugins\n
+You have until July 2022 to add the setting. Composer will then switch the default behavior to disallow all plugins.\n
+Scaffolding files for fixtures/drupal-assets-fixture:\n
   - Copy [web-root]/.csslintrc from assets/.csslintrc\n
   - Copy [web-root]/.editorconfig from assets/.editorconfig\n
   - Copy [web-root]/.eslintignore from assets/.eslintignore\n

The changes in the test logic are AFAICT only to get clean output, i.e. a cleaner string to compare against than HEAD gets.

The fix makes sense.

I don't see why we wouldn't go ahead with this?

The last submitted patch, 3: 3277025-3.patch, failed testing.

Spokje

Random JS test failure, back to RTBC.

alexpott credited longwave.

alexpott

Version: 10.0.x-dev » 9.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 8b44468ec3 to 10.0.x and 73d0a0c117 to 9.5.x and d1721377e6 to 9.4.x. Thanks!

Backported to 9.4.x since it is a test-only fix. Nice to see this oddity resolved.

Crediting @longwave as per #4

  • alexpott committed 8b44468 on 10.0.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

  • alexpott committed 73d0a0c on 9.5.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

  • alexpott committed d172137 on 9.4.x
    Issue #3277025 by Spokje, longwave: For additional security you should...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.