Composer 2.2 Installer allow-plugins requirement

I tried to install the latest version of Neos CMS using Composer 2.2.3 and got these warnings

 - Installing neos/composer-plugin (2.1.3): Extracting archive
neos/composer-plugin contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "neos/composer-plugin" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
Class Neos\Flow\Composer\InstallerScripts is not autoloadable, can not call post-package-install script
  - Installing composer/package-versions-deprecated (1.11.99.4): Extracting archive
composer/package-versions-deprecated contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "composer/package-versions-deprecated" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
Class Neos\Flow\Composer\InstallerScripts is not autoloadable, can not call post-package-install script

The installation completed successfully but it seems these warnings are related to a new security feature of Composer 2.2. Please check.

1 Like

Hi @nspeaks

Please check what :slight_smile: ? It’s a feature of composer - and you can configure composer to allow plugins, without prompting. See Github issues → https://github.com/composer/composer/issues/10396

Wouldn’t it be better if it is added to the Neos distribution package which would eliminate the prompt altogether?

neos/composer-plugin

comes from Flow, the framework underneath - it’s a plugin used for determining where packages should be located and handling of installations

https://packagist.org/packages/neos/composer-plugin

It must be required as a package, to be activated to be able to handle package installations afterwards.

Yes, I think we should add those two packages to the distribution’s composer manifest