Merge branch '2.4'

composer.lock

@@ -1959,16 +1959,16 @@
     "packages-dev": [
         {
             "name": "phpstan/phpstan",
-            "version": "1.8.8",
+            "version": "1.8.9",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpstan.git",
-                "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07"
+                "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/08310ce271984587e2a4cda94e1ac66510a6ea07",
-                "reference": "08310ce271984587e2a4cda94e1ac66510a6ea07",
+                "url": "https://api.github.com/repos/phpstan/phpstan/zipball/3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2",
+                "reference": "3a72d9d9f2528fbd50c2d8fcf155fd9f74ade3f2",
                 "shasum": ""
             },
             "require": {
@@ -1998,7 +1998,7 @@
             ],
             "support": {
                 "issues": "https://github.com/phpstan/phpstan/issues",
-                "source": "https://github.com/phpstan/phpstan/tree/1.8.8"
+                "source": "https://github.com/phpstan/phpstan/tree/1.8.9"
             },
             "funding": [
                 {
@@ -2014,7 +2014,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-10-06T12:51:57+00:00"
+            "time": "2022-10-13T13:40:18+00:00"
         },
         {
             "name": "phpstan/phpstan-deprecation-rules",

doc/faqs/how-to-install-untrusted-packages-safely.md

@@ -1,5 +1,21 @@
 # How do I install untrusted packages safely? Is it safe to run Composer as superuser or root?
 
+## Why am I seeing a "Do not run Composer as root/super user" warning/error?
+
+It was always discouraged to run Composer as root for the reasons detailed below.
+
+As of Composer 2.4.2, plugins are disabled automatically when running as root and
+there is no sign that the user is consciously doing this. There are two ways this user consent
+can be given:
+
+- If you run interactively, Composer will prompt if you are sure that you want to continue
+  running as root. If non-interactive plugins will be disabled, unless..
+- If you set the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment
+  variable to `1`, this also indicates that you intended to run Composer as root and are accepting
+  the risks of doing so.
+
+## Is it safe to run Composer as superuser or root?
+
 Certain Composer commands, including `exec`, `install`, and `update` allow third party code to
 execute on your system. This is from its "plugins" and "scripts" features. Plugins and scripts have
 full access to the user account which runs Composer. For this reason, it is strongly advised to
@@ -21,5 +37,5 @@ to install untrusted dependencies you should sandbox them completely in a contai
 
 Also note that the `exec` command will always run third party code as the user which runs `composer`.
 
-See [Environment variable - COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser)
-for more info on how to disable warning
+See the [COMPOSER_ALLOW_SUPERUSER](../03-cli.md#composer-allow-superuser) environment variable for
+more info on how to disable the warnings.

src/Composer/Command/RequireCommand.php

@@ -14,6 +14,7 @@ namespace Composer\Command;
 
 use Composer\DependencyResolver\Request;
 use Composer\Package\CompletePackageInterface;
+use Composer\Package\Loader\RootPackageLoader;
 use Composer\Util\Filesystem;
 use Composer\Util\PackageSorter;
 use Seld\Signal\SignalHandler;
@@ -410,6 +411,15 @@ EOT
             }
             $rootPackage->setRequires($links['require']);
             $rootPackage->setDevRequires($links['require-dev']);
+
+            // extract stability flags & references as they weren't present when loading the unmodified composer.json
+            $references = $rootPackage->getReferences();
+            $references = RootPackageLoader::extractReferences($requirements, $references);
+            $rootPackage->setReferences($references);
+            $stabilityFlags = $rootPackage->getStabilityFlags();
+            $stabilityFlags = RootPackageLoader::extractStabilityFlags($requirements, $rootPackage->getMinimumStability(), $stabilityFlags);
+            $rootPackage->setStabilityFlags($stabilityFlags);
+            unset($stabilityFlags, $references);
         }
 
         $updateDevMode = !$input->getOption('update-no-dev');

src/Composer/Console/Application.php

@@ -288,6 +288,7 @@ class Application extends BaseApplication
         }
 
         if ($isNonAllowedRoot && !$io->isInteractive()) {
+            $io->writeError('<error>Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/super user.</error>');
             $this->disablePluginsByDefault = true;
         }
 

src/Composer/Json/JsonFile.php

@@ -93,6 +93,9 @@ class JsonFile
             if ($this->httpDownloader) {
                 $json = $this->httpDownloader->get($this->path)->getBody();
             } else {
+                if (!is_readable($this->path)) {
+                    throw new \RuntimeException('The file "'.$this->path.'" is not readable.');
+                }
                 if ($this->io && $this->io->isDebug()) {
                     $realpathInfo = '';
                     $realpath = realpath($this->path);
@@ -190,6 +193,9 @@ class JsonFile
      */
     public function validateSchema(int $schema = self::STRICT_SCHEMA, ?string $schemaFile = null): bool
     {
+        if (!is_readable($this->path)) {
+            throw new \RuntimeException('The file "'.$this->path.'" is not readable.');
+        }
         $content = file_get_contents($this->path);
         $data = json_decode($content);