Affected script: "install-scripts:post-install-cmd"
The script invokes the Phive tool and instructs it to install a package without progress indication, to forcefully accept unsigned packages, and to trust specific GPG keys. This presents several security risks. Notably, forcing unsigned packages could allow an attacker to load malicious code into the package. Trusting specific GPG keys without verification can also establish trust where it is not warranted, promoting man-in-the-middle attacks. The given keys themselves could potentially belong to malicious parties, and the script does not provide any way to verify that they are associated with the expected parties.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.