Affected script: "install-scripts:post-install-cmd"
The script invokes Phive (phar.io) to install a phar-packaged tool. It passes --force-accept-unsigned, which tells Phive to install the phar even when no GPG signature is available, so the usual guarantee that the phar was produced by its maintainers and has not been altered in transit is lost: anyone able to tamper with the download, for example from a man-in-the-middle position or through a compromised release asset, can deliver an arbitrary phar that is then executed on every composer install that triggers the post-install-cmd hook. The script also passes --trust-gpg-keys, which marks the listed key IDs as trusted without the interactive confirmation Phive would otherwise ask for. Trusting specific keys is not inherently dangerous and is the normal way to run Phive non-interactively, but it is only safe when each key ID has been checked against the fingerprint the tool's maintainers publish. The script carries no such provenance for its keys, so they cannot be assumed to belong to a trusted party. The fix is to drop --force-accept-unsigned and keep --trust-gpg-keys only with key IDs verified against the upstream project's documentation.
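The check below is an added example, not code from the scanned package or from the scanning service. It walks the "scripts" section of a composer.json, picks out Phive invocations, and reports --force-accept-unsigned as a signature bypass and any --trust-gpg-keys ID that is not in a reviewed allowlist. The two embedded composer.json documents are constructed to mirror the finding above (weak form beside the hardened form); the tool name "sometool" and the key ID 0000000000000000 are placeholders, not values from the page.

```python
import json
import os
import shlex

# Constructed sample composer.json contents, modelled on the finding above.
# They are NOT the scanned package's real files; the tool name and the
# 16-hex-digit key id are placeholders, not values taken from the page.
WEAK_COMPOSER_JSON = """{
  "name": "example/package",
  "scripts": {
    "post-install-cmd": [
      "phive install --force-accept-unsigned --trust-gpg-keys 0000000000000000 sometool"
    ]
  }
}"""

# Hardened form: no signature bypass; the auto-trusted key id must match the
# fingerprint published by the tool's maintainers and sit in a reviewed allowlist.
HARDENED_COMPOSER_JSON = """{
  "name": "example/package",
  "scripts": {
    "post-install-cmd": "phive install --trust-gpg-keys 0000000000000000 sometool"
  }
}"""


def _is_phive(token):
    """True for 'phive', 'tools/phive', 'phive.phar' and similar argv tokens."""
    return os.path.basename(token) in ("phive", "phive.phar")


def _trusted_keys(argv):
    """Collect key ids passed via --trust-gpg-keys (space- or '='-separated form)."""
    keys = []
    for i, tok in enumerate(argv):
        if tok == "--trust-gpg-keys" and i + 1 < len(argv):
            keys.extend(argv[i + 1].split(","))
        elif tok.startswith("--trust-gpg-keys="):
            keys.extend(tok.split("=", 1)[1].split(","))
    return [k for k in keys if k]


def audit_phive_invocation(cmd, known_keys=frozenset()):
    """Return (severity, message) findings for one Composer script command."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return [("low", f"could not parse command: {cmd!r}")]
    if not any(_is_phive(tok) for tok in argv):
        return []  # not a Phive invocation, nothing to check here
    findings = []
    if "--force-accept-unsigned" in argv:
        findings.append(("high",
            "--force-accept-unsigned installs phars without a GPG signature, "
            "so a tampered download is accepted"))
    for key in _trusted_keys(argv):
        if key not in known_keys:
            findings.append(("medium",
                f"GPG key {key} is auto-trusted but not in the reviewed allowlist"))
    return findings


def audit_composer_scripts(composer_json_text, known_keys=frozenset()):
    """Walk every script hook in a composer.json and audit its commands."""
    data = json.loads(composer_json_text)
    findings = []
    for event, commands in data.get("scripts", {}).items():
        if isinstance(commands, str):  # Composer allows a bare string or a list
            commands = [commands]
        for cmd in commands:
            for severity, msg in audit_phive_invocation(cmd, known_keys):
                findings.append((event, severity, msg))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_COMPOSER_JSON), ("hardened", HARDENED_COMPOSER_JSON)):
        print(label)
        for event, severity, msg in audit_composer_scripts(text):
            print(f"  [{severity}] {event}: {msg}")
```

Run stand-alone, the weak document yields a high and a medium finding and the hardened one only the medium finding about the unreviewed key; passing the maintainer's verified key ID in known_keys clears that last finding, which is the state a reviewed post-install-cmd should reach.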
sitepark/github-composer-release-test's direct dependencies.