View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007877 | OXID eShop (all versions) | 7. --- Other tools -------------- | public | 2025-12-31 16:07 | 2026-01-06 11:14 |

| Field | Value |
|---|---|
| Reporter | mboesing-tqgg |
| Assigned To | |
| Priority | normal |
| Severity | tweak |
| Reproducibility | always |
| Status | acknowledged |
| Resolution | open |
| Summary | 0007877: Unified namespace generator package requires `composer/composer` while `composer-runtime-api` is enough |
| Description | Hey guys, you are requiring `composer/composer` in `oxid-esales/oxideshop-unified-namespace-generator`. Since the mentioned package is a plugin, it's enough to require a specific runtime API and move the `composer/composer` dependency to `require-dev` to have proper auto-completion during development. It is bad practice to require `composer/composer` to enforce upstream projects having that dependency. I only know about the `oxid-esales/oxideshop-unified-namespace-generator` package, but it seems that the metapackage is also requiring `composer/composer`, which is (again) bad practice. https://github.com/OXID-eSales/oxideshop_metapackage_ce/blob/v7.4.0/composer.json Please consider not requiring `composer/composer` as it is not required by any of the OXID packages. |
| Additional Information | https://getcomposer.org/changelog/2.9.3 https://www.cve.org/CVERecord?id=CVE-2025-67746 |
| Tags | Security |
| Theme | Not defined |
| Browser | Not defined |
| PHP Version | Not defined |
| Database Version | Not defined |
Dear mboesing,

This package is required in CE and Namespace, but also in our composer plugin and package version handler. Those bundles are essential for the OXID framework and module installation to work as intended. The product management will examine your report of bad practice and whether a more specific requirement regime is feasible.

Best Regards
QA -SG-
All code you are referring to is related to composer-plugin-api only. There is NO need to require `composer/composer` at all. There is a whole section on the composer website about this: https://getcomposer.org/doc/articles/plugins.md

Replace `composer/composer` with `composer-plugin-api` and only require `composer/composer` in `require-dev` as I outlined in my initial description, and you can call it a day and never have these issues again.

And please DO NOT pin `composer-plugin-api` in the same way you did for `composer/composer`. There are constraints in semver for a reason, and at least for `composer` stuff there should not be any locking on specific versions but constraints to prevent upstream packages from updating...
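As an added example (not code from this issue, from OXID's packages, or from Composer), the following Python script turns the recommendation in the two posts above into a check that can be run over a `composer.json`: it flags `composer/composer` listed under `require`, a package of type `composer-plugin` that does not declare `composer-plugin-api`, and a `composer-plugin-api` / `composer-runtime-api` constraint pinned to an exact version instead of a semver range. The three manifests are constructed for this example; the package name `acme/example-composer-plugin` and the plugin class `Acme\Composer\ExamplePlugin` are hypothetical placeholders, not OXID's.

```python
"""Audit a composer.json for the dependency anti-pattern discussed in this issue:
requiring composer/composer itself (and pinning it) instead of the virtual
composer-plugin-api / composer-runtime-api package with a range constraint.
"""
import json
import re

# Exact-version constraints such as "2.9.3" or "v2.9.3" carry no range operator.
_PINNED = re.compile(r"^v?\d+(\.\d+){1,3}$")

# Virtual packages Composer provides to plugins and to runtime API consumers.
API_PACKAGES = ("composer-plugin-api", "composer-runtime-api")


def audit(manifest: str) -> list:
    """Return a list of findings for one composer.json document (empty = clean)."""
    data = json.loads(manifest)
    require = data.get("require", {})
    findings = []

    # Finding 1: the full Composer package is forced onto every downstream project.
    if "composer/composer" in require:
        findings.append(
            "composer/composer in require: move it to require-dev and depend on "
            "composer-plugin-api / composer-runtime-api instead"
        )

    # Finding 2: a plugin must declare the plugin API it was written against.
    if data.get("type") == "composer-plugin" and "composer-plugin-api" not in require:
        findings.append("type composer-plugin without composer-plugin-api in require")

    # Finding 3: the API constraint is an exact version rather than a semver range.
    for pkg in API_PACKAGES:
        if pkg in require and _PINNED.match(require[pkg].strip()):
            findings.append(f"{pkg} pinned to {require[pkg]}; use a range such as ^2.0")

    return findings


# Constructed "before" manifest: the pattern the issue reporter objects to
# (hypothetical package name and plugin class).
BEFORE = r"""{
  "name": "acme/example-composer-plugin",
  "type": "composer-plugin",
  "require": {
    "php": "^8.1",
    "composer/composer": "2.9.2"
  },
  "extra": {"class": "Acme\\Composer\\ExamplePlugin"}
}"""

# Constructed "after" manifest: plugin API as a range in require,
# composer/composer only in require-dev for IDE auto-completion.
AFTER = r"""{
  "name": "acme/example-composer-plugin",
  "type": "composer-plugin",
  "require": {
    "php": "^8.1",
    "composer-plugin-api": "^2.0"
  },
  "require-dev": {
    "composer/composer": "^2.9"
  },
  "extra": {"class": "Acme\\Composer\\ExamplePlugin"}
}"""

# Constructed manifest that fixed the package but pinned the API exactly,
# the second mistake the reporter warns against.
PINNED_API = r"""{
  "name": "acme/example-composer-plugin",
  "type": "composer-plugin",
  "require": {
    "composer-plugin-api": "2.9.3"
  },
  "extra": {"class": "Acme\\Composer\\ExamplePlugin"}
}"""


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER), ("pinned", PINNED_API)):
        result = audit(manifest)
        print(f"{label}: {'clean' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against each `composer.json` in `vendor/` to see which packages in a dependency tree are the ones forcing `composer/composer` onto the project; for the constructed manifests above, `BEFORE` yields two findings, `PINNED_API` one, and `AFTER` none.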