Affected script: "install-scripts:post-install-cmd"
This script uses phive to install a package without progress display, but the concerning flags are --force-accept-unsigned and --trust-gpg-keys. The --force-accept-unsigned flag allows the installation of packages that carry no signature, which is a security risk because it permits installing potentially harmful, unverified packages. The --trust-gpg-keys flag trusts the specified GPG keys without verification. Trusting arbitrary keys can lead to the addition of malicious keys, which can in turn expose sensitive information or compromise the system.
Direct dependencies of sitepark/github-composer-release-test. Data on all dependencies, including transitive ones, is available via CSV download.