Application Launcher

Date Published: September 29, 2023

Composer v2.2 has included a new security feature https://getcomposer.org/doc/06-config.md#allow-plugins. The problem is that, with the new version of composer we have to declare the allow-plugins config with a list of packages names that are allowed to run code.

As of Composer 2.2.0, the allow-plugins option adds a layer of security allowing you to restrict which Composer plugins are able to execute code during a Composer run.

As a result of this update, Composer commands that are impacted includes composer create-project and composer update.

This can break continuous integration and deployment workflows, such as Acquia Pipelines, so it is recommended that projects authorise core's required plugins (and projects using development dependencies should authorise development plugins).

You can see similar warnings in the pipelines logs -

drupal/core-composer-scaffold contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe. See https://getcomposer.org/allow-plugins
    You can run "composer config --no-plugins allow-plugins.drupal/core-composer-scaffold [truefalse]" to enable it (true) or keep it disabled and suppress this warning (false)

Resolution -

Add an "allow-plugins" sub-section in the "config" section of the appropriate composer.json templates. At a minimum you need to add in the following plugins. Depending on your Drupal configuration, you may need to add other plugins which are affected.

"config": {
    "sort-packages": true,
    "allow-plugins": {
        "composer/installers": true,
        "drupal/core-composer-scaffold": true,
        "drupal/core-project-message": true
    }
},

You can see these Drupal.org issues for more details -

https://www.drupal.org/project/drupal/issues/3255749
https://www.drupal.org/project/drupal/issues/3277025

Acquia Pipelines jobs fails with - "The "/tmp/artifact/docroot/core" directory does not exist."