View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007877 | OXID eShop (all versions) | 7. --- Other tools -------------- | public | 2025-12-31 16:07 | 2025-12-31 16:44 |
| Reporter | mboesing-tqgg | Assigned To | |||
| Priority | normal | Severity | tweak | Reproducibility | always |
| Status | acknowledged | Resolution | open | ||
| Summary | 0007877: Unified namespace generator package requires `composer/composer` while `composer-runtime-api` is enough | ||||
| Description | Hey guys, you are requiring `composer/composer` in `oxid-esales/oxideshop-unified-namespace-generator`. Since the mentioned package is a plugin, it's enough to require a specific runtime API and move the `composer/composer` dependency to `require-dev` to have proper auto-completion during development. It is bad practice to require `composer/composer` to enforce upstream projects having that dependency. I only know about the `oxid-esales/oxideshop-unified-namespace-generator` package but it seems that the metapackage is also requiring `composer/composer` which is (again) bad practice. https://github.com/OXID-eSales/oxideshop_metapackage_ce/blob/v7.4.0/composer.json Please consider not requiring `composer/composer` as it is not required by any of the OXID packages. | ||||
| Additional Information | https://getcomposer.org/changelog/2.9.3 https://www.cve.org/CVERecord?id=CVE-2025-67746 | ||||
| Tags | Security | ||||
| Theme | Not defined | ||||
| Browser | Not defined | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||

Dear mboesing,

This package is required in CE and Namespace, but also in our composer plugin and package version handler. Those Bundles are essential for the oxid framework and module installation to work as intended. The product management will examine your report of bad practice and if a more specific requirement regime is feasible.

Best Regards
QA -SG-
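
An added example, not part of the original report or of OXID's code: a way to check a project's `composer.lock` for non-dev packages that hard-require `composer/composer`, the situation the report describes. The package names and versions in the sample lock data are constructed, and the function names are hypothetical.

```python
import json
import sys

TARGET = "composer/composer"
API_PACKAGES = ("composer-plugin-api", "composer-runtime-api")

# Constructed sample in composer.lock layout; names and versions are made up.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "vendor/example-plugin", "version": "1.0.0", "type": "composer-plugin",
     "require": {"composer-plugin-api": "^2.0", "composer/composer": "^2.0"}},
    {"name": "vendor/example-metapackage", "version": "1.0.0", "type": "metapackage",
     "require": {"composer/composer": "^2.0", "vendor/example-plugin": "^1.0"}},
    {"name": "vendor/clean-plugin", "version": "2.1.0", "type": "composer-plugin",
     "require": {"composer-plugin-api": "^2.0"},
     "require-dev": {"composer/composer": "^2.0"}},
    {"name": "composer/composer", "version": "2.8.0", "type": "library", "require": []}
  ],
  "packages-dev": []
}
""")

def audit_lock(lock, target=TARGET):
    """List non-dev packages whose runtime `require` pulls in `target`."""
    findings = []
    for pkg in lock.get("packages", []):
        # Tolerate a missing or empty `require` (an empty PHP array serializes as []).
        require = pkg.get("require") or {}
        if target in require:
            findings.append({
                "package": pkg["name"],
                "type": pkg.get("type", "library"),
                "constraint": require[target],
                "declares_api": sorted(a for a in API_PACKAGES if a in require),
            })
    return findings

def installed_version(lock, target=TARGET):
    """Version of `target` locked for production installs, or None."""
    for pkg in lock.get("packages", []):
        if pkg["name"] == target:
            return pkg["version"]
    return None

if __name__ == "__main__":
    # Pass a real composer.lock path as the first argument, else use the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(f"{TARGET} locked for production: {installed_version(lock)}")
    for f in audit_lock(lock):
        print(f"{f['package']} ({f['type']}) requires {TARGET} {f['constraint']}")
```

A package that lists `composer/composer` only under `require-dev`, like the constructed `vendor/clean-plugin`, is not reported, because dev requirements of dependencies are not installed in the consuming project.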