Affected script: "install-scripts:post-install-cmd"
The script is installing a package using 'phive', with the 'force-accept-unsigned' argument. This indicates that it will install the package even if it's not digitally signed. This is a potential risk as it allows for the execution of unverified, potentially malicious scripts. The 'trust-gpg-keys' argument also shows that it's explicitly trusting certain GPG keys. If these keys are not trustworthy, this could also pose a security risk.
sitepark/github-composer-release-test's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.