From 78fd5bd14fc6afc701f46923514920755a233d6a Mon Sep 17 00:00:00 2001 From: Jordi Boggiano Date: Tue, 31 May 2016 20:57:31 +0100 Subject: [PATCH] Add new FAQ, refs #5382 --- doc/faqs/how-to-install-untrusted-packages-safely.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 doc/faqs/how-to-install-untrusted-packages-safely.md diff --git a/doc/faqs/how-to-install-untrusted-packages-safely.md b/doc/faqs/how-to-install-untrusted-packages-safely.md new file mode 100644 index 000000000..48d52237c --- /dev/null +++ b/doc/faqs/how-to-install-untrusted-packages-safely.md @@ -0,0 +1,9 @@ +# How to I install untrusted packages safely? Is it safe to run Composer as superuser or root? + +Composer has a plugin system, and plugins are enabled automatically when installed. This means that +they can theoretically be used as an attack vector, and you should not blindly trust any package you +install. For this reason, it is strongly advised to **avoid running Composer as super-user/root**. + +In some cases, like in CI systems or such where you want to install dependencies blindly, the safest +way to do it is to run `composer install --no-plugins --no-scripts`. This basically disables plugins +and scripts from executing, so that only Composer's code will run.
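Review bot: The new heading on the first `+` line has a typo, `# How to I install untrusted packages safely?`; it should read `# How do I install untrusted packages safely?`. While touching the file, the closing sentence `so that only Composer's code will run` would be clearer with a qualifier such as "during the install step", since the text above already says the installed package itself should not be blindly trusted, and `--no-plugins --no-scripts` only prevents plugin and script execution during that Composer invocation, not when the application later loads the installed code.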