Affected script: "install-scripts:post-install-cmd"
The script installs a PHP package using Phive with the --force-accept-unsigned option. This is risky: it can accept and install packages whose signature has not been verified, including malicious ones. It also implicitly trusts a list of GPG keys without showing where those keys come from or whether they are trustworthy. This could allow harmful code to run or sensitive information to be exposed.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|