Affected script: "install-scripts:post-install-cmd"
The script runs the Phive installation command, which is generally safe. However, it uses a combination of parameters that could pose a security risk. The --force-accept-unsigned parameter allows it to install unsigned phar files, potentially leaving the system vulnerable to the execution of unverified or malicious code. The --trust-gpg-keys parameter allows it to trust unknown GPG keys, another potential risk, one that could allow an attacker to introduce manipulated packages.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.