Affected script: "install-scripts:post-install-cmd"
The script installs something using Phive without checking the progress. It uses the flags --force-accept-unsigned and --trust-gpg-keys, which could be a security risk. The --force-accept-unsigned flag makes Phive ignore the fact that a PHAR is not signed, so the script could install an untrusted or malicious PHAR. The --trust-gpg-keys flag makes Phive trust the given keys without checking them, which again could allow the installation of malicious code. In addition, the provided GPG keys could be associated with compromised or false-identity accounts, which adds to the security risk.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.