1
0
Fork 0

More specific language and clearer warning

pull/5398/head
William Entriken 2016-06-01 16:25:50 -04:00
parent b81210d9f8
commit 618026fd3e
1 changed files with 16 additions and 6 deletions

View File

@ -1,9 +1,19 @@
# How to I install untrusted packages safely? Is it safe to run Composer as superuser or root? # How to I install untrusted packages safely? Is it safe to run Composer as superuser or root?
Composer has a plugin system, and plugins are enabled automatically when installed. This means that Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
they can theoretically be used as an attack vector, and you should not blindly trust any package you execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
install. For this reason, it is strongly advised to **avoid running Composer as super-user/root**. full access to the user account which runs Composer. For this reason, it is strongly advised to
**avoid running Composer as super-user/root**.
In some cases, like in CI systems or such where you want to install dependencies blindly, the safest You can disable plugins and scripts during package installation or updates with the following
way to do it is to run `composer install --no-plugins --no-scripts`. This basically disables plugins syntax so only Composer's code, and no third party code, will execute:
and scripts from executing, so that only Composer's code will run.
```sh
composer install --no-plugins --no-scripts ...
composer update --no-plugins --no-scripts ...
```
The `exec` command will always run third party code as the user which runs `composer`.
In some cases, like in CI systems or such where you want to install untrusted dependencies, the
safest way to do it is to run the above command.