Affected script: "install-scripts:post-install-cmd"
This command forces Phive to install a package without verifying the authenticity of the package's signature. Additionally, it includes a flag that automatically trusts specific GPG keys. Although those keys are listed in the command, if the user has not properly vetted them, the command can lead to a security breach, as it could download and install malicious software from an untrusted source. It is particularly dangerous because bypassing the software's signature verification makes it easier for an attacker to serve malicious software as though it were a valid package.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|