
[Bug]: Higher matching version 1.4.5 was found in public repository packagist.org

Open leeroybrun opened this issue 2 years ago • 3 comments

Contact Details

[email protected]

What happened?

When trying to install the Magento extension from Composer, the install fails with this error:

[Exception]
 Higher matching version 1.4.5 of facebook/facebook-for-magento2 was found in public repository packagist.org
                              than 1.4.4 in private https://repo.magento.com. Public package might've been taken over by a malicious entity,
                              please investigate and update package requirement to match the version from the private repository

Is it normal? Is it planned to update the version on https://repo.magento.com or should we do something on our side to bypass this?

Thank you for your help and have a great day!

Magento Version

2.4.4

Plugin Version

1.4.5

Relevant log output

[Exception]
  Higher matching version 1.4.5 of facebook/facebook-for-magento2 was found in public repository packagist.org
                               than 1.4.4 in private https://repo.magento.com. Public package might've been taken over by a malicious entity,
                               please investigate and update package requirement to match the version from the private repository

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

leeroybrun avatar May 09 '22 11:05 leeroybrun

I think this is not a bug. It is more a security issue in Magento itself. By default, Magento tries to load only from trusted repos like https://repo.magento.com.

In order to change this behaviour, you can temporarily add a canonical parameter to your composer.json:

"repositories": { "0": { "type": "composer", "url": "https://repo.magento.com/" } },

and temporarily change it to:

"repositories": { "0": { "type": "composer", "url": "https://repo.magento.com/", "canonical": false } },

samueldemir avatar May 16 '22 21:05 samueldemir

Magento Repo needs updating to 1.4.5, currently 1.4.4. Packagist and latest GitHub release is 1.4.5.

https://marketplace.magento.com/facebook-facebook-for-magento2.html

benhath avatar May 31 '22 09:05 benhath

Quick fix while waiting for the vendor to fix it.

You can exclude this extension from the Magento repository using the following line: "exclude": ["facebook/facebook-for-magento2"] in your composer.json file.

So your repository section should be like the following:

"0": {
        "type": "composer",
        "url": "https://repo.magento.com/",
        "exclude": ["facebook/facebook-for-magento2"]
}

Then composer will start to use the higher version from packagist.

Read more about Composer priority behavior: Repository priorities

AboElnoor avatar Jun 05 '22 10:06 AboElnoor
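Both workarounds in this thread relax how strictly Composer prefers https://repo.magento.com, and both are described as temporary. The audit below is an added example, not code from the thread or from the extension. It lists `canonical: false` and `exclude` settings in a composer.json so they can be tracked and reverted once the private repository catches up. The function name and the sample file are constructed for illustration.

```python
import json

# Constructed sample: a composer.json carrying both workarounds from the thread.
SAMPLE = """{
  "repositories": {
    "0": {
      "type": "composer",
      "url": "https://repo.magento.com/",
      "canonical": false,
      "exclude": ["facebook/facebook-for-magento2"]
    }
  },
  "require": {"facebook/facebook-for-magento2": "1.4.5"}
}"""


def audit_repositories(composer_json_text):
    """Return (repo_url, setting, package) tuples for relaxed repository settings."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # Composer accepts "repositories" as a list or as an object keyed by name.
    entries = repos.values() if isinstance(repos, dict) else repos
    findings = []
    for repo in entries:
        if not isinstance(repo, dict) or "url" not in repo:
            continue  # e.g. "packagist.org": false, which disables a repository
        # canonical defaults to true; false lets later repositories supply
        # a higher version of a package this repository also provides.
        if repo.get("canonical", True) is False:
            findings.append((repo["url"], "canonical=false", None))
        # exclude hides the package from this repository, so it resolves
        # from whichever other repository offers it (here, packagist.org).
        for name in repo.get("exclude", []):
            findings.append((repo["url"], "exclude", name))
    return findings


if __name__ == "__main__":
    for url, setting, package in audit_repositories(SAMPLE):
        print(f"{url}: {setting}" + (f" ({package})" if package else ""))
```

An empty result means no repository entry in the file has been relaxed this way.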