Adobe Releases New Composer Plugin with Magento 2.4.3 Release

June 14, 2021

By: James Fong, Marketplace, Adobe


To mitigate a security vulnerability known as dependency confusion, the Adobe Commerce 2.4.3 release package will include a new composer plugin that performs integrity checks during installation.

Adobe and extension developers frequently use private and public composer package repositories to deliver code to Adobe Commerce and Magento Open Source merchants. While Composer allows for a convenient experience, it can introduce certain limitations and occasional risks.

Adobe audits the private composer package repository at repo.magento.com, including performing a malware scan and package upload validation. However, it is possible for a malicious user to claim an unused namespace on the public package repository at packagist.org and upload a malicious code package. This code can then be delivered to merchants' Commerce instances using a method referred to as "dependency confusion." The plugin is currently available to both Adobe Commerce and Magento Open Source merchants on the Magento GitHub.

The plugin performs two checks and throws an exception when:

  • A private repository cannot be reached. The plugin sends a request to each private repository referenced in the project's configuration and fails if it does not respond.
  • The same package is present both in a private repository and on Packagist (the public repository), AND the version from the public repository that satisfies the requirement is higher than the one available from the private repository.
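As an added illustration, not code from the plugin, from Adobe or from Magento, the following Python re-implements the two conditions above over constructed in-memory repository metadata. The package names `acme/shipping` and `example/logger`, the version lists and the reachability flags are all made up for the example; the real plugin probes repositories over the network and relies on Composer's full version-constraint semantics, of which only a small subset (`*`, exact, `^` and `~`) is modelled here.

```python
"""Toy model of the two dependency-confusion checks described in the post.
Added example with constructed data; it is not the plugin's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class DependencyConfusionError(Exception):
    """Raised when either of the two audit conditions is met."""


@dataclass
class Repository:
    """Stand-in for a Composer repository (constructed, not live metadata)."""
    url: str
    private: bool
    reachable: bool                     # outcome of the reachability probe, simulated here
    packages: Dict[str, List[str]] = field(default_factory=dict)  # name -> available versions


def parse_version(version: str) -> Tuple[int, ...]:
    """'v1.2' -> (1, 2, 0). Only numeric dotted versions are handled in this toy."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def satisfies(version: str, constraint: str) -> bool:
    """Subset of Composer constraint syntax: '*', exact, '^X.Y.Z' and '~X.Y[.Z]'."""
    v = parse_version(version)
    c = constraint.strip()
    if c in ("", "*"):
        return True
    if c[0] == "^":
        low = parse_version(c[1:])
        # caret: no breaking change, i.e. same major (same minor while major is 0)
        high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= v < high
    if c[0] == "~":
        given = c[1:].lstrip("v").split(".")
        low = parse_version(c[1:])
        # tilde: only the last given component may grow ('~1.2.3' -> <1.3.0, '~1.2' -> <2.0.0)
        high = (low[0], low[1] + 1, 0) if len(given) >= 3 else (low[0] + 1, 0, 0)
        return low <= v < high
    return v == parse_version(c)


def highest_satisfying(versions: List[str], constraint: str) -> Optional[str]:
    matching = [v for v in versions if satisfies(v, constraint)]
    return max(matching, key=parse_version) if matching else None


def audit(requires: Dict[str, str], repos: List[Repository]) -> Dict[str, str]:
    """Run both checks; return {package: 'version@repo_url'} for what would be installed."""
    # Check 1: every private repository that is referenced must answer the probe.
    for repo in repos:
        if repo.private and not repo.reachable:
            raise DependencyConfusionError(f"private repository {repo.url} cannot be reached")

    resolved: Dict[str, str] = {}
    for name, constraint in requires.items():
        private_best: Optional[Tuple[str, str]] = None   # (version, repo url)
        public_best: Optional[Tuple[str, str]] = None
        for repo in repos:
            best = highest_satisfying(repo.packages.get(name, []), constraint)
            if best is None:
                continue
            current = private_best if repo.private else public_best
            if current is None or parse_version(best) > parse_version(current[0]):
                if repo.private:
                    private_best = (best, repo.url)
                else:
                    public_best = (best, repo.url)
        # Check 2: same name on both sides and the public candidate would win the resolution.
        if private_best and public_best and parse_version(public_best[0]) > parse_version(private_best[0]):
            raise DependencyConfusionError(
                f"{name}: {public_best[0]} on {public_best[1]} outranks "
                f"{private_best[0]} on {private_best[1]} for constraint {constraint!r}")
        winner = private_best or public_best
        if winner is None:  # plain resolution failure, not one of the plugin's two checks
            raise LookupError(f"{name}: no version satisfies {constraint!r}")
        resolved[name] = f"{winner[0]}@{winner[1]}"
    return resolved


# Constructed scenario data (package names and versions are made up).
REQUIRES = {"acme/shipping": "^1.0", "example/logger": "~2.2"}


def private_repo(reachable: bool = True) -> Repository:
    return Repository("https://repo.magento.com/", True, reachable,
                      {"acme/shipping": ["1.0.0", "1.1.0"]})


def packagist(squatted_version: Optional[str] = None) -> Repository:
    pkgs = {"example/logger": ["2.2.0", "2.3.5"]}
    if squatted_version:  # someone claimed the unused namespace on the public repository
        pkgs["acme/shipping"] = [squatted_version]
    return Repository("https://packagist.org/", False, True, pkgs)


def raises_confusion(fn: Callable[[], object]) -> bool:
    try:
        fn()
    except DependencyConfusionError:
        return True
    return False


def scenario_clean() -> Dict[str, str]:
    return audit(REQUIRES, [private_repo(), packagist()])


def scenario_squatted_in_range() -> Dict[str, str]:      # 1.5.0 satisfies ^1.0 and beats 1.1.0
    return audit(REQUIRES, [private_repo(), packagist("1.5.0")])


def scenario_squatted_out_of_range() -> Dict[str, str]:  # 99.0.0 does not satisfy ^1.0, so no alarm
    return audit(REQUIRES, [private_repo(), packagist("99.0.0")])


def scenario_unreachable() -> Dict[str, str]:
    return audit(REQUIRES, [private_repo(reachable=False), packagist()])


if __name__ == "__main__":
    print(scenario_clean())
    for label, fn in [("squatted", scenario_squatted_in_range), ("unreachable", scenario_unreachable)]:
        print(label, "raises:", raises_confusion(fn))
```

The `scenario_squatted_out_of_range` case shows the boundary of the second check as the post states it: a public package with the same name is only flagged when a version of it actually satisfies the requirement and ranks above the private one, which is exactly the situation in which Composer would otherwise pick the public copy.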

Adobe will release the new composer plugin in Adobe Commerce 2.4.3 on August 10. The plugin will also be integrated into the Extension Quality Program (EQP) checks: EQP checks run after the 2.4.3 release will fail if the composer plugin raises an exception for either condition.

To prevent problems with updating your code on the Magento Marketplace and to avoid potential dependency confusion attacks using your code packages, we urge you to:

  • Use the composer plugin while testing your extensions' installation flows.
  • Verify that you own your namespace on Packagist.org.

Contact Marketplace support if you have any questions.