Solution

Recommendations to merchants

  • Take the error message shown when the plugin stops the composer install/update seriously, and contact the extension developer if you recognize the potentially compromised package.
  • You can still install Adobe Commerce with the safe version of the package from the Marketplace or another trusted private repository.
  • Change the required package version in your composer.json to the exact version found in the Marketplace in order to proceed with the composer install/update.

Expectations from extension developers

  • There is no way to know for certain whether a package obtained from a public repository has been compromised. The plugin detects the case where the public version of a package on packagist.org carries a higher version number than the one available from a private repository such as repo.magento.com. We strongly recommend that extension developers avoid this situation and never publish a version publicly that is newer than the one available through repo.magento.com.
  • Adobe Commerce understands that the Marketplace review process may delay the release of an extension, but the process exists to keep merchants safe and to help extension developers catch accidental mistakes they might otherwise have missed.
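The check the page describes (flag a package whose highest public version exceeds the one the private repository offers) and the merchant-side remedy (pin the exact private version in composer.json), as an added example. This is not the plugin's own code; the repositories, package names and versions are constructed, and version comparison is simplified to numeric parts.

```python
"""Added example: audit public vs private package versions and pin the exact private version."""
import re
from typing import Dict, List, Tuple

# Constructed metadata: repository -> package -> versions available there.
PRIVATE_REPO = {  # stands in for repo.magento.com
    "vendor/payment-gateway": ["1.0.0", "1.1.0"],
    "vendor/shipping-rates": ["2.3.1"],
}
PUBLIC_REPO = {  # stands in for packagist.org
    "vendor/payment-gateway": ["1.1.0", "9.9.9"],  # higher than private: suspicious
    "vendor/shipping-rates": ["2.3.1"],            # same version: fine
    "vendor/unrelated": ["0.1.0"],                 # not required privately: not audited
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v1.2.3' or '1.2.3-p2' into a comparable tuple (numeric parts only)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def highest(versions: List[str]) -> str:
    """Highest version string of a list, by numeric comparison."""
    return max(versions, key=parse_version)


def audit(private: Dict[str, List[str]], public: Dict[str, List[str]]) -> List[str]:
    """Packages whose public repo offers a higher version than the private repo.
    This is the condition on which the plugin aborts composer install/update."""
    flagged = []
    for name, priv_versions in private.items():
        pub_versions = public.get(name)
        if not pub_versions:
            continue  # nothing public to be confused with
        if parse_version(highest(pub_versions)) > parse_version(highest(priv_versions)):
            flagged.append(name)
    return flagged


def pin_exact(required: Dict[str, str], private: Dict[str, List[str]],
              flagged: List[str]) -> Dict[str, str]:
    """Merchant remedy from the page: replace the composer.json range of each flagged
    package with the exact version found in the private repository (no ^ or ~)."""
    pinned = dict(required)
    for name in flagged:
        pinned[name] = highest(private[name])
    return pinned


if __name__ == "__main__":
    bad = audit(PRIVATE_REPO, PUBLIC_REPO)
    require = {"vendor/payment-gateway": "^1.0", "vendor/shipping-rates": "^2.3"}
    print("flagged:", bad, "pinned:", pin_exact(require, PRIVATE_REPO, bad))
```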