Affected script: "install-scripts:post-install-cmd"
The Composer post-install-cmd script uses Phive to install a PHAR tool, but it passes two risky flags. The --force-accept-unsigned option makes Phive accept and install a phar even when no GPG signature is available for it, so the signature check that would normally reject a tampered or substituted archive is skipped. The --trust-gpg-keys flag adds the listed GPG key IDs to Phive's trusted-key list without the usual confirmation prompt; if any of those keys is compromised, or the list was copied without checking the fingerprints against the tool's published keys, a malicious phar signed with such a key installs without complaint. Because the script runs automatically on every install, it carries a supply-chain risk unless the keys and the packages they sign have been thoroughly verified.
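As an added example (not code from the sitepark/github-composer-release-test package or from Phive), the following POSIX shell check scans a composer.json scripts block for phive invocations that use the two flags discussed above and grades them: --force-accept-unsigned is the more severe finding, --trust-gpg-keys is reported together with the key IDs it auto-trusts so a reviewer can verify them. Both sample composer.json documents and the key ID 0123456789ABCDEF are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag risky Phive flags in Composer install scripts.
# Not the package's own code; sample inputs and the key ID are constructed.

# Constructed composer.json mirroring the risky pattern described on this page.
RISKY_JSON='{
  "scripts": {
    "post-install-cmd": [
      "phive install --force-accept-unsigned --trust-gpg-keys 0123456789ABCDEF some/tool"
    ]
  }
}'

# Constructed variant without the unsigned fallback. The pinned key still has to
# be verified out of band against the tool author's published fingerprint.
PINNED_JSON='{
  "scripts": {
    "post-install-cmd": [
      "phive install --trust-gpg-keys 0123456789ABCDEF some/tool"
    ]
  }
}'

# phive_findings JSON_TEXT
# Prints one finding per line for every phive command found in the JSON:
#   UNSIGNED             --force-accept-unsigned present (unsigned phars accepted)
#   TRUSTED_KEYS <ids>   --trust-gpg-keys present; these IDs are trusted without a prompt
# Exit status: 2 if --force-accept-unsigned was seen, 1 if only --trust-gpg-keys, 0 otherwise.
phive_findings() {
  # Command strings in composer.json contain no double quotes, so a simple
  # quoted-string match is enough to extract each phive invocation.
  cmds=$(printf '%s\n' "$1" | grep -o '"phive [^"]*"' | tr -d '"')
  [ -n "$cmds" ] || return 0
  out=$(printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    case " $cmd " in
      *" --force-accept-unsigned "*) echo "UNSIGNED" ;;
    esac
    # Capture the comma-separated key list following --trust-gpg-keys.
    keys=$(printf '%s\n' "$cmd" | sed -n 's/.*--trust-gpg-keys[ =]\([^ ]*\).*/\1/p')
    if [ -n "$keys" ]; then
      echo "TRUSTED_KEYS $keys"
    fi
  done)
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
  fi
  case "$out" in
    *UNSIGNED*)     return 2 ;;
    *TRUSTED_KEYS*) return 1 ;;
  esac
  return 0
}

# Stand-alone usage: print the findings for the risky sample and its severity code.
phive_findings "$RISKY_JSON" || echo "severity: $?"
```

The check deliberately does not try to decide whether a pinned key is trustworthy; that requires comparing the reported IDs with the fingerprints the tool's maintainers publish, which is exactly the manual step the flag skips.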
sitepark/github-composer-release-test's direct dependencies.