Affected script: "install-scripts:post-install-cmd"
This script uses phive to install resources on the local machine. It includes the --force-accept-unsigned flag which allows to install unsigned packages. This can be dangerous as it can lead to the installation of unverified and potentially malicious packages. The --trust-gpg-keys could possibly allow malicious actors to intercept and modify data on the keys listed, leading to more security risks.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.