From 75ef4903ef70d1e95028d0391b1f5ca8f3a4e1e1 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Tue, 12 Jul 2022 16:25:12 +0200
Subject: [PATCH 1/2] Ensure plugins from CWD/vendor do not get loaded when
 running create-project, fixes #10935

---
 src/Composer/Command/CreateProjectCommand.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Composer/Command/CreateProjectCommand.php b/src/Composer/Command/CreateProjectCommand.php
index a1eba060f..4bccc3dc4 100644
--- a/src/Composer/Command/CreateProjectCommand.php
+++ b/src/Composer/Command/CreateProjectCommand.php
@@ -403,7 +403,15 @@ EOT
             throw new \InvalidArgumentException('Invalid stability provided ('.$stability.'), must be one of: '.implode(', ', array_keys(BasePackage::$stabilities)));
         }
 
-        $composer = Factory::create($io, $config->all(), $disablePlugins);
+        $composerJson = array_merge(
+            // prevent version guessing from happening
+            array('version' => '1.0.0'),
+            $config->all(),
+            // ensure the vendor dir and its plugins does not get loaded if CWD/vendor has plugins in it
+            array('config' => array('vendor-dir' => Platform::getDevNull()))
+        );
+        $factory = new Factory;
+        $composer = $factory->createComposer($io, $composerJson, $disablePlugins, Platform::getDevNull(), true, $disableScripts);
         $config = $composer->getConfig();
         $rm = $composer->getRepositoryManager();
 

From 03cebc2490abb6b4907e53f09e3953344482aaa1 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Tue, 12 Jul 2022 20:56:23 +0200
Subject: [PATCH 2/2] Clean up types with conditional return types

---
 src/Composer/Factory.php | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php
index 9a7da447d..9e397fed7 100644
--- a/src/Composer/Factory.php
+++ b/src/Composer/Factory.php
@@ -283,6 +283,7 @@ class Factory
      * @throws \InvalidArgumentException
      * @throws \UnexpectedValueException
      * @return Composer|PartialComposer Composer if $fullLoad is true, otherwise PartialComposer
+     * @phpstan-return ($fullLoad is true ? Composer : PartialComposer)
      */
     public function createComposer(IOInterface $io, $localConfig = null, bool $disablePlugins = false, ?string $cwd = null, bool $fullLoad = true, bool $disableScripts = false)
     {
@@ -450,10 +451,7 @@ class Factory
     {
         $factory = new static();
 
-        $composer = $factory->createGlobalComposer($io, static::createConfig($io), $disablePlugins, $disableScripts, true);
-        assert(null === $composer || $composer instanceof Composer);
-
-        return $composer;
+        return $factory->createGlobalComposer($io, static::createConfig($io), $disablePlugins, $disableScripts, true);
     }
 
     /**
@@ -474,6 +472,7 @@ class Factory
 
     /**
      * @return PartialComposer|Composer|null By default PartialComposer, but Composer if $fullLoad is set to true
+     * @phpstan-return ($fullLoad is true ? Composer|null : PartialComposer|null)
      */
     protected function createGlobalComposer(IOInterface $io, Config $config, bool $disablePlugins, bool $disableScripts, bool $fullLoad = false): ?PartialComposer
     {
@@ -615,10 +614,7 @@ class Factory
     {
         $factory = new static();
 
-        $composer = $factory->createComposer($io, $config, $disablePlugins, null, true, $disableScripts);
-        assert($composer instanceof Composer);
-
-        return $composer;
+        return $factory->createComposer($io, $config, $disablePlugins, null, true, $disableScripts);
     }
 
     /**