Adobe Releases New Composer Plugin with Magento 2.4.3 Release


To minimize a security vulnerability known as dependency confusion, the Adobe Commerce 2.4.3 release package will include a new composer plugin to perform integrity checks during installation.

Adobe and extension developers frequently use private and public Composer package repositories to deliver code to Adobe Commerce and Magento Open Source merchants. While Composer makes this convenient, it also introduces certain limitations and occasional risks.

Adobe audits the private composer package repository at repo.magento.com, including performing a malware scan and package upload validation. However, it is possible for a malicious user to claim an unused namespace on the public package repository at packagist.org and upload a malicious code package. This code can then be delivered to merchants' Commerce instances using a method referred to as "dependency confusion." The plugin is currently available to both Adobe Commerce and Magento Open Source merchants on the Magento GitHub.
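As an added illustration of the risk described above (not code from Adobe or the plugin itself), the following script audits a composer.lock excerpt and flags any package under a private vendor namespace whose dist URL does not point at the expected private repository. The vendor-to-host mapping, the lock excerpt and its URLs are constructed for this example.

```python
"""Flag private-namespace packages that a Composer install resolved from elsewhere."""
import json
from urllib.parse import urlparse

# Assumption: these vendor namespaces should only ever be served from this host.
PRIVATE_VENDORS = {"magento": "repo.magento.com"}

# Constructed composer.lock excerpt: one magento/* package served from
# repo.magento.com, one magento/* package served from an unexpected host,
# and one public package that is not subject to the check.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/module-catalog", "version": "104.0.3",
         "dist": {"type": "zip",
                  "url": "https://repo.magento.com/archives/magento/module-catalog/"
                         "magento-module-catalog-104.0.3.0.zip"}},
        {"name": "magento/framework", "version": "999.0.0",
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/example/unrelated/zipball/abc123"}},
        {"name": "monolog/monolog", "version": "2.3.0",
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/Seldaek/monolog/zipball/def456"}},
    ],
    "packages-dev": [],
})


def audit_lock(lock_json: str, private_vendors: dict) -> list:
    """Return (name, version, host) for each package whose vendor is private
    but whose dist URL host is not the expected private repository.
    A package without a dist URL (e.g. a source-only checkout) is reported
    with an empty host, since it clearly did not come from the private repo."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        vendor = pkg["name"].split("/", 1)[0]
        expected_host = private_vendors.get(vendor)
        if expected_host is None:
            continue  # public vendor namespace: nothing to compare against
        host = urlparse(pkg.get("dist", {}).get("url", "")).hostname or ""
        if host != expected_host:
            findings.append((pkg["name"], pkg["version"], host))
    return findings


if __name__ == "__main__":
    for name, version, host in audit_lock(SAMPLE_LOCK, PRIVATE_VENDORS):
        print(f"unexpected source for {name} {version}: {host or '<no dist url>'}")
```

Run it against a real composer.lock by reading the file contents into `audit_lock` in place of `SAMPLE_LOCK`; an empty result means every private-namespace package was fetched from the expected host.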

The plugin performs two checks and throws an exception when:

Adobe will release the new composer plugin in Adobe Commerce 2.4.3 on August 10. The plugin will also be integrated in the Extension Quality Program checks. EQP checks run after the 2.4.3 release will require that no exception be generated by the composer plugin conditions to avoid EQP failure.

To prevent problems with updating your code on the Magento Marketplace and to avoid potential dependency confusion attacks using your code packages, we urge you to:

Contact Marketplace support if you have any questions.