
A new composer plugin to become available with Magento 2.4.3 release


Recently, Magento warned extension developers that a possible vulnerability was detected during an Adobe audit of the Composer package repository at repo.magento.com. An attacker can claim an unused vendor namespace at packagist.org and publish a malicious package under it; by the dependency confusion method, Composer may then resolve that public package instead of the intended private one and pull the malware into the merchant's system.

The new plugin contains additional logic which:

  • sends a request to each referenced private repository and throws an exception if it cannot be reached.
  • checks whether a required package is present both in a private repository and on Packagist, and whether the public copy offers a higher version that still satisfies the version constraint (the situation in which Composer would prefer the public package).
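
The check the second bullet describes, written out as an added illustration (not the code of Magento's plugin). It models a private repository and Packagist as in-memory version lists, so it runs offline; the package names, versions and constraints are constructed sample data, and the constraint parser supports only the caret, tilde and exact forms. A private repository given as `None` stands in for one that cannot be reached, which mirrors the first bullet's exception.

```python
"""Dependency-confusion check over constructed repository data (not network access).

A package is flagged when it exists in the private repository and on Packagist,
and the best public version satisfying the composer.json constraint is higher
than the best private one, i.e. Composer would pick the public copy."""
from __future__ import annotations


class PrivateRepositoryUnreachable(Exception):
    """Raised when the referenced private repository cannot be queried."""


# Constructed sample data: vendor/module-* names are hypothetical.
PRIVATE_REPO = {               # stands in for repo.magento.com
    "vendor/module-a": ["1.0.0", "1.1.0"],
    "vendor/module-b": ["2.3.1"],
    "vendor/module-c": ["1.0.0"],
}
PACKAGIST = {                  # stands in for packagist.org
    "vendor/module-a": ["1.2.0"],   # higher and satisfies ^1.0 -> confusion risk
    "vendor/module-b": ["2.3.0"],   # lower than the private copy -> no risk
    "vendor/module-c": ["2.0.0"],   # higher but violates ^1.0 -> not selectable
    "monolog/monolog": ["2.3.0"],   # public-only dependency, the normal case
}
REQUIREMENTS = {               # the "require" section of a constructed composer.json
    "vendor/module-a": "^1.0",
    "vendor/module-b": "^2.0",
    "vendor/module-c": "^1.0",
    "monolog/monolog": "^2.0",
}


def parse_version(v: str) -> tuple[int, int, int]:
    """'1.2' -> (1, 2, 0); tuples compare the way semantic versions order."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def satisfies(version: str, constraint: str) -> bool:
    """Minimal subset of Composer constraints: ^x.y.z, ~x.y(.z), or exact."""
    ver = parse_version(version)
    c = constraint.strip()
    if c.startswith("^"):
        low = parse_version(c[1:])
        # Caret: up to the next major, or next minor while major is 0.
        high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= ver < high
    if c.startswith("~"):
        base = c[1:]
        low = parse_version(base)
        # Tilde: ~1.2.3 allows <1.3.0, ~1.2 allows <2.0.0 (last given part may move).
        high = (low[0], low[1] + 1, 0) if len(base.split(".")) >= 3 else (low[0] + 1, 0, 0)
        return low <= ver < high
    return ver == parse_version(c)


def best_match(versions: list[str], constraint: str) -> str | None:
    """Highest version from the list that satisfies the constraint, or None."""
    ok = [v for v in versions if satisfies(v, constraint)]
    return max(ok, key=parse_version) if ok else None


def find_confusion_risks(requirements, private_repo, public_repo):
    """Return (package, private_version, public_version) for each risky package."""
    if private_repo is None:
        raise PrivateRepositoryUnreachable("private repository could not be reached")
    risks = []
    for name, constraint in requirements.items():
        if name not in private_repo:
            continue  # not a private package, nothing to confuse
        private_best = best_match(private_repo[name], constraint)
        public_best = best_match(public_repo.get(name, []), constraint)
        if public_best is None:
            continue  # public copy absent or outside the allowed range
        if private_best is None or parse_version(public_best) > parse_version(private_best):
            risks.append((name, private_best, public_best))
    return risks


if __name__ == "__main__":
    for name, priv, pub in find_confusion_risks(REQUIREMENTS, PRIVATE_REPO, PACKAGIST):
        print(f"RISK {name}: private {priv} would lose to public {pub}")
```

On the sample data only `vendor/module-a` is reported: its public 1.2.0 both satisfies `^1.0` and beats the private 1.1.0. `vendor/module-c` is not reported even though Packagist has a higher version, because 2.0.0 is outside `^1.0` and Composer would never select it.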

This plugin will be released in August as part of Adobe Commerce 2.4.3. It will also become part of the Extension Quality Program, so to avoid EQP failures, developers should take the plugin into account. To do that, please ensure:

  • that you own your vendor namespace at packagist.org
  • that the new plugin is used in your extension installation tests.

The plugin is available on Magento GitHub.
