Adds allow-plugins section to composer.json file for compatibility with Composer 2.2.x

[hostep]

Description (*)

Composer 2.2 comes with a new security feature where you have to specify the plugins you trust in your composer.json file before they will be executed. At first the plugins will still get installed to ensure backwards compatibility, but according to the documentation around this new config option, this will change in July 2022 after which plugins will no longer be executed if they aren't specified in the composer.json file

Related Pull Requests

https://github.com/magento/partners-magento2ee/pull/675

Fixed Issues (if relevant)

1. Fixes Magento installation fails with composer 2.2.0 RC1 #34831

Manual testing scenarios (*)

1. Make sure you use composer 2.2.1 or higher
2. Run composer install
3. Expect no prompts à la: xxx contains a Composer plugin which is currently not in your allow-plugins config.

Questions or comments

The same changes should be made to the composer meta package that is used when you run composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition
Ideally before every new Magento release, all composer plugins being used should be found and added to the allow-plugins section and plugins that are no longer part of core Magento should be removed from that section.
@fascinosum

Would be great if this gets included in Magento 2.4.4 and 2.4.3-p2 and 2.3.7-p3 as it would be the only releases of Magento before July 2022

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
• All automated tests passed successfully (all builds are green)

[m2-assistant]

Hi @hostep. Thank you for your contribution
Here are some useful tips how you can test your changes using Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento give me test instance - deploy test instance based on PR changes
• @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names. Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE,
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here

ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Magento Contributor Guide documentation.

⚠️ According to the Magento Contribution requirements, all Pull Requests must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of Pull Requests happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[ihor-sviziev]

@magento run all tests

@sidolov, I added P1 priority to this issue as it improves security for the composer.

@xmav @fascinosum @andrewbess , can this PR be added to the platform health project to deliver it faster and include to Magento 2.4.4?

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[ihor-sviziev]

@magento run Database Compare, Functional Tests B2B

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[ihor-sviziev]

✔ Approved.

Failing tests look not related to changes from this PR.

[magento-engcom-team]

Hi @ihor-sviziev, thank you for the review.
ENGCOM-9378 has been created to process this Pull Request

[xmav]

@magento run Database Compare

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[xmav]

@andrewbess Could you please assist with PR to commerce ?

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[andrewbess]

Hello @hostep
Thank you for your contribution
Approved from my side ✔️
Also, I added required fixes for Magento2 EE

[andrewbess]

@andrewbess Could you please assist with PR to commerce ?

Hello @xmav

The needed PR has been created

[andrewbess]

@magento run all tests

[magento-engcom-team]

Hi @andrewbess, thank you for the review.
ENGCOM-9378 has been created to process this Pull Request

[hostep]

@andrewbess: just for sake of moving this PR fowards I've implemented your suggestion.

But some small remarks:

• the composer.json file from this github repo is not the same one that is generated by running the composer create-project command, so that file will need to be updated as well (but that's a job for the release team)
• like mentioned before, I would really hope that Magento cuts down the amount of composer plugins instead of adding even more of them, because some plugins that are currently included by default have really no use (at least to me) and cause strange bugs and are sometimes incompatible with certain (patch) versions of composer

[magento-engcom-team]

Hi @torhoehn, thank you for the review.
ENGCOM-9378 has been created to process this Pull Request

[andrewbess]

@magento run all tests

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[andrewbess]

Approved from my side
Pending delivery magento-commerce/magento2ce#7397

[magento-engcom-team]

Hi @andrewbess, thank you for the review.
ENGCOM-9378 has been created to process this Pull Request

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[engcom-Alfa]

@magento run Functional Tests B2B

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[engcom-Alfa]

@magento run Functional Tests B2B

[magento-automated-testing]

The requested builds are added to the queue. You should be able to see them here within a few minutes. Please re-request them if they don't show in a reasonable amount of time.

[engcom-Alfa]

Retested since there were updates as per above comments. Hence the result is below.

✔️ QA Passed

Preconditions:

1. Make sure you use composer 2.2.1 or higher

Manual testing scenario:

1. git clone Magento repository in your system

2. Run composer install command

Before: ✖️ Used to get a warning à la: xxx contains a Composer plugin which is currently not in your allow-plugins config as shown in below screenshot

After: ✔️ No warnings are noticed, installation takes place successfully.

Since it is relevant to installation and no impact functionally, no additional regression testing is required as such.

[fiko]

@magento give me 2.4-develop instance

[magento-deployment-service]

Hi @fiko. Thank you for your request. I'm working on Magento instance for you.

[magento-deployment-service]

Hi @fiko, here is your Magento Instance: https://0a96fbbf16f974d89b6ef39a0e9c6d7d.instances.magento-community.engineering
Admin access: https://0a96fbbf16f974d89b6ef39a0e9c6d7d.instances.magento-community.engineering/admin_824d
Login: 7e469851
Password: 02d834dd5535

[myselfhimself]

Could you please backport this to Magento <2.4.4 releases, such as 2.4.3-p2?
Here is a related issue within the docker-magento project.