Plugins fail on non-interactive composer create-project

[davidwindell]

Workaround and solution:

The root cause here is that the project's composer.json does not contain the required allow-plugins configuration to match the plugins it requires.

The trick to workaround this is to use --no-install with create-project so that the project dependencies (and the plugins) do not get installed yet. That then lets you run the composer config command to configure allow-plugins, and finally you can run composer install to complete the install of dependencies.

This could look something like this:

$ composer create-project --no-install foo/bar-project directory
$ cd directory
$ composer config allow-plugins.acme/plugin true
$ composer config allow-plugins.vendor/* true
$ composer install

Original issue below

---

I can no longer install Magento with composer create-project --no-interaction. I see this is caused by the July 2022 change.

The command I run to install it is:

composer create-project --no-interaction --prefer-dist --no-dev --repository=https://repo.magento.com/ magento/project-community-edition /var/www 2.4.3-p2

Leads to:

#14 59.75 In PluginManager.php line 762:
#14 59.75                                                                                
#14 59.75   laminas/laminas-dependency-plugin contains a Composer plugin which is block  
#14 59.75   ed by your allow-plugins config. You may add it to the list if you consider  
#14 59.75    it safe.                                                                    
#14 59.75   You can run "composer config --no-plugins allow-plugins.laminas/laminas-dep  
#14 59.75   endency-plugin [true|false]" to enable it (true) or disable it explicitly a  
#14 59.75   nd suppress this exception (false)                                           
#14 59.75   See https://getcomposer.org/allow-plugins 

How can I use this command in a Docker build?

[liszkapawel]

After the new composer version is released, I have the same problem with each of our Sylius plugins in github actions:

Error: symfony/flex contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe.
You can run "composer config --no-plugins allow-plugins.symfony/flex [true|false]" to enable it (true) or disable it explicitly and suppress this exception (false)
See https://getcomposer.org/allow-plugins
In PluginManager.php line 762:
  symfony/flex contains a Composer plugin which is blocked by your allow-plug  
  ins config. You may add it to the list if you consider it safe.              
  You can run "composer config --no-plugins allow-plugins.symfony/flex [true|  
  false]" to enable it (true) or disable it explicitly and suppress this exce  
  ption (false)                                                                
  See https://getcomposer.org/allow-plugins

Adding allow-plugins in composer.json like that does not solve the problem:

"allow-plugins": {
            "symfony/flex": true,
        }

[stof]

@davidwindell if the magento skeleton includes some plugins by default, it should probably configure them as allowed or no in the skeleton, to simplify the experience of new users (see symfony/skeleton#201 for the example about the Symfony skeleton).

Otherwise, it forces to create the project with --no-install, then configure plugins as allowed or no and then run composer install

[davidwindell]

I guess we've no way to address this then as I can't see us being able to influence Magento's skeleton right now.

The best workaround I could come up with for now was to create a temporary composer.json and use composer require instead like this outeredge/edge-docker-magento@e73840e, but it would be so much better if we could go back to the old way and have the option to say --allow-all-plugins or something like that when using composer create-project

[hostep]

The Magento skeleton file got already updated by magento/magento2#34873
But they decided to only include these changes in Magento 2.4.4. So unfortunately not for versions 2.3.7-p3 or 2.4.3-p2 which are also still currently supported versions that were released a long time after composer 2.2.x was released.

But @stof's workaround is probably going to work:

Otherwise, it forces to create the project with --no-install, then configure plugins as allowed or no and then run composer install

[Wotuu]

We're getting the same issue

hirak/prestissimo (installed globally) contains a Composer plugin which is   
blocked by your allow-plugins config. You may add it to the list if you con  
sider it safe.                                                               
You can run "composer global config --no-plugins allow-plugins.hirak/presti  
ssimo [true|false]" to enable it (true) or disable it explicitly and suppre  
ss this exception (false)                                                    
See https://getcomposer.org/allow-plugins       

Adding hirak/prestissimo to the allow-plugins list as follows does not solve the issue:

    "config": {
        "allow-plugins": {
            "hirak/prestissimo": true
        }
    }

Composer version 2.3.7 was working fine - 2.3.9 (maybe 8 too don't know) broke this behavior.

[stof]

For a plugin installed globally, you must configure it as allowed or no in the global composer config, not in the local config.

[Wotuu]

Hi stof, we tried reverting back to 2.3.7 but had troubles doing that - running the command composer global config --no-plugins allow-plugins.hirak/prestissimo true as stated in the error message does resolve the issue. I'm sure changing the global config would've also worked but we stopped troubleshooting as we found this workaround. Will circle back to this later to see what we can structurally do about it. Thanks again.

[birdman002]

Having the same issue adding it to the root composer.json file in the allowed plugins keeps erroring on the same thing. Devdocs say add magento/* but the module its complaining about is a magento module. Even adding that package to the composer.json it still complains. What is your workaround @Wotuu ? Thanks!

[davidwindell]

Yeah, I found the same, no matter what global config allows I set it still wouldn't install non-interactively.

[birdman002]

I dont know if this is helpful or not but I had a vanilla project with composer/composer 2.2.13 that I could accomplish my cloud docker generation it wouldn't error out but couldn't accomplish this on my current code base I would get that error. Looking at it my current code base composer/compose was set to 2.2.16. After updating the composer/composer to 2.2.16 on my vanilla project this same issue fails on this

[davidwindell]

This is caused by the July 2022 enforced plugin changes (regardless of version).

…

On Thu, 7 Jul 2022, 19:27 birdman002, ***@***.***> wrote: I dont know if this is helpful or not but I had a vanilla project with composer/composer 2.2.13 that I could accomplish my cloud docker generation it wouldn't error out but couldn't accomplish this on my current code base I would get that error. Looking at it my current code base composer/compose was set to 2.2.16. After updating the composer/composer to 2.2.16 on my vanilla project this same issue fails on this — Reply to this email directly, view it on GitHub <#10928 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAND6GRXQCNGI4TPF6PHFODVS4OSZANCNFSM522ZLOFA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[kayacekovic]

you can add composer global config --no-plugins allow-plugins.hirak/prestissimo false to top of ci/cd or deploy file. its worked for me.

via https://github.com/ahmetkorkmaz3

[MPa1977]

I can no longer install Magento with composer create-project --no-interaction. I see this is caused by the July 2022 change.

The command I run to install it is:

composer create-project --no-interaction --prefer-dist --no-dev --repository=https://repo.magento.com/ magento/project-community-edition /var/www 2.4.3-p2

Leads to:

#14 59.75 In PluginManager.php line 762:
#14 59.75                                                                                
#14 59.75   laminas/laminas-dependency-plugin contains a Composer plugin which is block  
#14 59.75   ed by your allow-plugins config. You may add it to the list if you consider  
#14 59.75    it safe.                                                                    
#14 59.75   You can run "composer config --no-plugins allow-plugins.laminas/laminas-dep  
#14 59.75   endency-plugin [true|false]" to enable it (true) or disable it explicitly a  
#14 59.75   nd suppress this exception (false)                                           
#14 59.75   See https://getcomposer.org/allow-plugins 

How can I use this command in a Docker build?

This is what worked for my docker build

RUN set -eux; \ composer global config --no-plugins allow-plugins.symfony/flex true; \ composer global require "symfony/flex" --prefer-dist --no-progress --no-suggest --classmap-authoritative; \ composer clear-cache

[cmuench]

We have the same issue in the n98-magerun2 build pipeline. Seems that our install command is now broken. In the background we run composer create-project.

[MaxChri]

This composer shit fucks up. Why do they have to change something nobody asked for.

[andytson-inviqa]

the documentation on https://getcomposer.org/doc/06-config.md#allow-plugins conflicts with actual behaviour. The documentation says it will warn on seeing a new plugin, instead it fatally errors

When a new plugin is first activated, which is not yet listed in the config option, Composer will print a warning.

[ihor-sviziev]

We're having quite a similar issue with command

composer create-project magento/magento-coding-standard magento-coding-standard 16.*

on Composer 2.3.7 - worked fine ✅

After updating to 2.3.9 - it started to fail: ❌

Looks like adding --no-plugins flag does the trick, but I can expect such breaking changes in minor version, not in the patch release.

Looks like the changes were caused by #10920. I would prefer to revert these changes in the 2.3.x line and add to 2.4, or even in 3.0.

[andytson-inviqa]

3.0 rather than 2.4, as a BC break, and that's whats made it different from the documentation.

[cmuench]

We're having quite a similar issue with command

composer create-project magento/magento-coding-standard magento-coding-standard 16.*

on Composer 2.3.7 - worked fine white_check_mark

After updating to 2.3.9 - it started to fail: x

Looks like adding --no-plugins flag does the trick, but I can expect such breaking changes in minor version, not in the patch release.

Looks like the changes were caused by #10920. I would prefer to revert these changes in the 2.3.x line and add to 2.4, or even in 3.0.

With --no-plugins I get no error during Composer installation. Then the error is postponed. The Composer installer plugin of Magento does then not copy the base package files to the right place.
Still no solution available :-(

[ihor-sviziev]

Hi @Seldaek,
What do you think about reverting backward incompatible change in 2.3.x release line and add it to 2.4.0 or 3.0? Does it make sense?

[hostep]

For the people having trouble with setting up Magento using composer create-project (with versions lower than Magento 2.4.4), the following seems to work without problems with Composer version 2.3.9:

$ composer create-project --no-install --repository-url=https://repo.magento.com/ magento/project-community-edition=2.4.3-p2 .
$ composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
$ composer config allow-plugins.laminas/laminas-dependency-plugin true
$ composer config allow-plugins.magento/* true
$ composer install

The trick lies in the --no-install flag, like @stof mentioned before.

I don't have anything against this new behavior of composer, since it was announced at least half a year before it changed.

[cmuench]

For the people having trouble with setting up Magento using composer create-project (with versions lower than Magento 2.4.4), the following seems to work without problems with Composer version 2.3.9:

$ composer create-project --no-install --repository-url=https://repo.magento.com/ magento/project-community-edition=2.4.3-p2 .
$ composer config allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
$ composer config allow-plugins.laminas/laminas-dependency-plugin true
$ composer config allow-plugins.magento/* true
$ composer install

The trick lies in the --no-install flag, like @stof mentioned before.

I don't have anything against this new behavior of composer, since it was announced at least half a year before it changed.

I was aware of this but this requires some rewrites in n98-magerun2 install command. Nevertheless, it seems that this is now the new default behavior which makes the world a bit more complex if we need to install a older version.

[davidwindell]

Surely create-project implies you are happy to accept any plugins from the project you are creating from?

[Seldaek]

Surely create-project implies you are happy to accept any plugins from the project you are creating from?

Yes and no. If the project does not ship with a lock file you are doing a composer update and getting latest dependencies. If something got compromised in the meantime and a plugin was added that shouldn't be there then suddenly you are executing code during composer install that wasn't expected.

If the project is shipping a lock file, and the lock file is older than Composer 2.2.0 then as of the last releases we allow plugins to run for BC. If the lock file is newer, the project really should have been paying attention to warnings and added the appropriate allow-plugins config.

It's unfortunate that Magento (as usual I'd say..) lagged behind, they somehow insist on using outdated Composer versions and thus tend to cause pain for their users. I don't think we should compromise the whole ecosystem's safety because some project refuses to take dependency management seriously.

[stof]

Also, they could include their list of allowed plugins in their project skeleton to fix that for their user for the plugins intended to be included by default. That's what other projects have done. And Magento even did that for their upcoming version. But they haven't applied it to the skeletons for their stable versions (see the comment above at #10928 (comment)).

[Seldaek]

For people having issues with hirak/prestissimo, I would recommend you remove it (composer global remove hirak/prestissimo --no-plugins probably does the trick) as it is completely useless and does not do anything if you are running Composer 2.x.

That said, it is a regression that it fails on this plugin as it should simply be skipped on Composer 2. I have fixed that now in 8323e85

[Seldaek]

Some of the create-project issues which happened only when running composer in an existing project's dir are resolved by 75ef490 - please try with composer self-update --snapshot see if that improves things.

The issue where the project created requires plugins itself and does not declare allow-plugins however is not fixed as per my comment above.

I'll try to get a release out tomorrow with this and a few more fixes.

[Seldaek]

Added a hint in 336a0d2 to suggest the workaround, and added the workaround to the OP here as well to help anyone googling to hopefully find the solution quickly.

Closing this issue now as I don't see what else we can do. If someone still has unexpected behavior please report a new issue.

BTW 2.3.10 is now released with all the above fixes.