⚠️ This package seems to have moderate severity install script vulnerabilities

Affected script: "install-scripts:post-install-cmd"

The script is using Phive to install a composer package but it's applying a few risky flags. The --force-accept-unsigned option automatically accepts downloading and installing packages that don't have a signed phar, which opens the door to potential malicious packages. The --trust-gpg-keys flag adds additional GPG keys to the trusted list. If these keys are compromised, it allows the installation of malicious packages. Therefore, this script has potential security risks if the keys or packages are not thoroughly verified.

Generated on May 5, 2024 via composer

Repo

Composer

Home

sitepark/github-composer-release-test 1.8.0

Test project to test the release process with Github Actions

Package summary

issue

license

Package created

23 Oct 2023

Version published

20 Oct 2023

Maintainers

Total deps

Direct deps

License

MIT

Issues

1 high severity issue

high

sitepark/github-composer-release-test@1.8.0

Package uses post-install-cmd script: "phive --no-progress install --force-accept-unsigned --trust-gpg-keys C00543248C87FB13,4AA394086372C20A,CF1A108D0E7AE720,51C67305FFC2E5C0"

via: sitepark/github-composer-release-test@1.8.0

Collapse

Expand

Licenses

MIT License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

Cannot

hold-liable

Must

include-copyright

include-license

1 Packages, Including:

sitepark/github-composer-release-test@1.8.0

Direct Dependencies

All Dependencies CSV

ⓘ This is a list of sitepark/github-composer-release-test 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.