Recently, Magento warned extension developers that a possible vulnerability was detected during a recent Adobe audit of the Composer package repository at repo.magento.com. A malicious user can claim an unused namespace at packagist.org and upload malware under it; through the dependency confusion method, that package can then end up installed on a merchant's systems in place of the intended private one.
The new plugin adds logic that:
- sends a request to each private repository referenced in the configuration and throws an exception if it cannot be reached.
- checks whether a package is present in both the private repositories and Packagist at the same time, and whether the version offered by the public repository is higher than the private one while still satisfying the version requirements.
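The second check, modelled as an added example (illustrative code written for this post, not the plugin's own source): given a project's requirements and the versions listed by a private repository and by Packagist, flag every package where the public side offers a higher version that still satisfies the constraint. The constraint parser covers only a subset of Composer syntax (exact, `^`, `~`, `*`), and all indexes below are constructed sample data.

```python
"""Toy model of a Composer dependency-confusion audit (illustrative only)."""


def parse_version(v):
    """'v1.2' -> (1, 2, 0); simplified, no pre-release handling."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def satisfies(version, constraint):
    """Subset of Composer constraints: '*', '^x.y', '~x.y', exact."""
    ver = parse_version(version)
    c = constraint.strip()
    if c == "*":
        return True
    if c.startswith("^"):  # ^1.2 -> >=1.2.0 <2.0.0 ; ^0.3 -> >=0.3.0 <0.4.0
        base = parse_version(c[1:])
        upper = (base[0] + 1, 0, 0) if base[0] > 0 else (0, base[1] + 1, 0)
        return base <= ver < upper
    if c.startswith("~"):  # ~1.2 -> >=1.2 <2.0 ; ~1.2.3 -> >=1.2.3 <1.3
        base = parse_version(c[1:])
        n = len(c[1:].split("."))
        upper = (base[0] + 1, 0, 0) if n <= 2 else (base[0], base[1] + 1, 0)
        return base <= ver < upper
    return ver == parse_version(c)


def audit(requirements, private_index, public_index):
    """Return [(package, best_private, best_public)] for every package that
    exists in BOTH repositories and whose public repository offers a higher
    version that still satisfies the constraint (the confusion condition)."""
    findings = []
    for name, constraint in requirements.items():
        priv = [v for v in private_index.get(name, []) if satisfies(v, constraint)]
        pub = [v for v in public_index.get(name, []) if satisfies(v, constraint)]
        if not priv or not pub:
            continue  # only packages present in both repositories are at risk
        best_priv = max(priv, key=parse_version)
        best_pub = max(pub, key=parse_version)
        if parse_version(best_pub) > parse_version(best_priv):
            findings.append((name, best_priv, best_pub))
    return findings


# Constructed sample data (hypothetical vendor names and versions).
REQUIREMENTS = {"vendor/module-a": "^1.2", "vendor/module-b": "~2.0.1", "other/lib": "^3.0"}
PRIVATE_INDEX = {"vendor/module-a": ["1.2.0", "1.3.1"], "vendor/module-b": ["2.0.1", "2.0.4"]}
PUBLIC_INDEX = {"vendor/module-a": ["1.9.0", "2.0.0"], "vendor/module-b": ["2.0.3"], "other/lib": ["3.1.0"]}

if __name__ == "__main__":
    for name, priv, pub in audit(REQUIREMENTS, PRIVATE_INDEX, PUBLIC_INDEX):
        print(f"WARNING: {name}: public {pub} would win over private {priv}")
```

Only vendor/module-a is reported: 2.0.0 falls outside `^1.2`, vendor/module-b's private 2.0.4 already beats the public 2.0.3, and other/lib has no private copy to be confused with.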
This plugin will be released in August as part of Adobe Commerce 2.4.3. It will also become part of the Extension Quality Program (EQP), so to avoid EQP failures, developers should take the plugin into account. To do that, please ensure:
- that you own your namespace at packagist.org
- that the new plugin is used in your extension installation tests.
The plugin is available on Magento GitHub.