A bug with virtual packages

[cebe]

Coming from here, I think this is the right place for this report:

Besides the issues it caused for users of the composer-asset-plugin, there are some bugs on the packagist platform itself:

1. Someone was able to create bower-asset/jquery package on packagist. Even though there is a
   virtual package with that name and this newly registered version does not show up in the interface,
   it has two versions listed in the package info json:
   https://packagist.org/p/bower-asset/jquery%242fab1ac0b638d1cc9c9b51a810c84229e91af63a84e7f1c44cf3829aeca1107d.json

"bower-asset/jquery": {

    "1.12.4": {
        "name": "bower-asset/jquery",
        "description": "Distribution repo for jQuery Core releases.",
        "keywords": [ ],
        "homepage": "",
        "version": "1.12.4",
        "version_normalized": "1.12.4.0",
        "license": [ ],
        "authors": [ ],
        "source": {
            "type": "git",
            "url": "https://github.com/bower-asset/jquery.git",
            "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/bower-asset/jquery/zipball/a76fe112f860279382d9f6336fe040fd8f8aa13d",
            "reference": "a76fe112f860279382d9f6336fe040fd8f8aa13d",
            "shasum": ""
        },
        "type": "library",
        "time": "2016-12-19T07:13:46+00:00",
        "uid": 1133121
    },
    "dev-master": {
        "name": "bower-asset/jquery",
        "description": "Distribution repo for jQuery Core releases.",
        "keywords": [ ],
        "homepage": "",
        "version": "dev-master",
        "version_normalized": "9999999-dev",
        "license": [
            "Jquery"
        ],
        "authors": [ ],
        "source": {
            "type": "git",
            "url": "https://github.com/bower-asset/jquery.git",
            "reference": "7f3fb476862a87eff31d55d29fcbf1d7f28a576f"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/bower-asset/jquery/zipball/7f3fb476862a87eff31d55d29fcbf1d7f28a576f",
            "reference": "7f3fb476862a87eff31d55d29fcbf1d7f28a576f",
            "shasum": ""
        },
        "type": "library",
        "time": "2016-12-19T07:15:56+00:00",
        "uid": 1133122
    }

},

2. it is unclear to me how that package exists on packagist as the namespace is still free. There should be vendor name protection but I was just able to register https://packagist.org/packages/bower-asset/namespace-placeholder-xyz without failure.

[cebe]

Same thing happens also with the package bower-asset/punycode.

[cebe]

A workaround for affected users is to avoid the package versions currently provided by packagist: fxpio/composer-asset-plugin#268 (comment)

[cebe]

I just have registered:

• https://packagist.org/packages/bower-asset/namespace-placeholder-xyz
• https://packagist.org/packages/npm-asset/namespace-placeholder-xyz

to reserve the vendor namespaces on packagist.
These should be the only packages existing in these two namespaces and everything else should be removed that may exist somewhere/somehow hidden.

[Seldaek]

OK I'll make sure to cleanup the files for those bower-asset/punycode & jquery packages. I guess now that you block the vendor name it's safe and won't happen again.

[francoispluchino]

@Seldaek Thanks!