1
0
Fork 0

More specific language and clearer warning

pull/5398/head
William Entriken 2016-06-01 16:25:50 -04:00
parent b81210d9f8
commit 618026fd3e
1 changed files with 16 additions and 6 deletions

View File

@ -1,9 +1,19 @@
# How to I install untrusted packages safely? Is it safe to run Composer as superuser or root?
Composer has a plugin system, and plugins are enabled automatically when installed. This means that
they can theoretically be used as an attack vector, and you should not blindly trust any package you
install. For this reason, it is strongly advised to **avoid running Composer as super-user/root**.
Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
full access to the user account which runs Composer. For this reason, it is strongly advised to
**avoid running Composer as super-user/root**.
In some cases, like in CI systems or such where you want to install dependencies blindly, the safest
way to do it is to run `composer install --no-plugins --no-scripts`. This basically disables plugins
and scripts from executing, so that only Composer's code will run.
You can disable plugins and scripts during package installation or updates with the following
syntax so only Composer's code, and no third party code, will execute:
```sh
composer install --no-plugins --no-scripts ...
composer update --no-plugins --no-scripts ...
```
The `exec` command will always run third party code as the user which runs `composer`.
In some cases, like in CI systems or such where you want to install untrusted dependencies, the
safest way to do it is to run the above command.