public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Add new FAQ, refs #5382

pull/5396/head
Jordi Boggiano 2016-05-31 20:57:31 +01:00
parent d1425ec008
commit 78fd5bd14f
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/faqs/how-to-install-untrusted-packages-safely.md Normal file
View File

@ -0,0 +1,9 @@
# How to I install untrusted packages safely? Is it safe to run Composer as superuser or root?
Composer has a plugin system, and plugins are enabled automatically when installed. This means that
they can theoretically be used as an attack vector, and you should not blindly trust any package you
install. For this reason, it is strongly advised to **avoid running Composer as super-user/root**.
In some cases, like in CI systems or such where you want to install dependencies blindly, the safest
way to do it is to run `composer install --no-plugins --no-scripts`. This basically disables plugins
and scripts from executing, so that only Composer's code will run.