
Commit 4ed9b65

Merge pull request #3 from magento-commerce/MC-42698
MC-42698: Add vbe's to allow list.
2 parents 2e846ae + f9d9472 commit 4ed9b65

1 file changed

+40
-21
lines changed

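--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -41,6 +41,20 @@ class Plugin implements PluginInterface, EventSubscriberInterface
 */
 private $versionSelector;
 
+/**#@+
+* Constant for VBE ALLOW LIST
+*/
+private const VBE_ALLOW_LIST = [
+'vertexinc',
+'yotpo',
+'klarna',
+'amzn',
+'dotmailer',
+'braintree',
+'paypal',
+'gene'
+];
+
 /**
 * Initialize dependencies
 * @param Version|null $version
@@ -113,33 +127,38 @@ public function packageUpdate(PackageEvent $event): void
 $privateRepoVersion = '';
 $publicRepoVersion = '';
 $privateRepoUrl = '';
-foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {
-/** @var RepositoryInterface $repository */
-if ($repository instanceof ComposerRepository) {
-$found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
-$repoUrl = $repository->getRepoConfig()['url'];
-
-if ($found) {
-if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
-$publicRepoVersion = $found->getFullPrettyVersion();
-} else {
-$currentPrivateRepoVersion = $found->getFullPrettyVersion();
-//private repo version should hold highest version of package
-if(empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')){
-$privateRepoVersion = $currentPrivateRepoVersion;
-$privateRepoUrl = $repoUrl;
+list($namespace, $project) = explode("/", $packageName);
+$isPackageVBE = in_array($namespace, self::VBE_ALLOW_LIST, true);
+
+if(!$isPackageVBE) {
+
+foreach ($this->composer->getRepositoryManager()->getRepositories() as $repository) {
+
+/** @var RepositoryInterface $repository */
+if ($repository instanceof ComposerRepository) {
+$found = $this->versionSelector->findBestCandidate($this->composer, $packageName, $repository);
+$repoUrl = $repository->getRepoConfig()['url'];
+
+if ($found) {
+if (strpos($repoUrl, self::URL_REPO_PACKAGIST) !== false) {
+$publicRepoVersion = $found->getFullPrettyVersion();
+} else {
+$currentPrivateRepoVersion = $found->getFullPrettyVersion();
+//private repo version should hold highest version of package
+if (empty($privateRepoVersion) || version_compare($currentPrivateRepoVersion, $privateRepoVersion, '>')) {
+$privateRepoVersion = $currentPrivateRepoVersion;
+$privateRepoUrl = $repoUrl;
+}
 }
 }
 }
 }
-}
-
-
-if ($privateRepoVersion && $publicRepoVersion && (version_compare($publicRepoVersion, $privateRepoVersion, '>'))) {
-$exceptionMessage = "Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org
+if ($privateRepoVersion && $publicRepoVersion && (version_compare($publicRepoVersion, $privateRepoVersion, '>'))) {
+$exceptionMessage = "Higher matching version {$publicRepoVersion} of {$packageName} was found in public repository packagist.org
 than {$privateRepoVersion} in private {$privateRepoUrl}. Public package might've been taken over by a malicious entity,
 please investigate and update package requirement to match the version from the private repository";
-throw new Exception($exceptionMessage);
+throw new Exception($exceptionMessage);
+}
 }
 }
 }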
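Review bot: The short-circuit at `if(!$isPackageVBE) {` in the packageUpdate hunk exempts every package under a listed vendor namespace from the public-vs-private version comparison, so for those vendors the takeover warning this plugin exists to raise can no longer fire and nothing records that the check was skipped; packageUpdate itself starts outside the hunk. If the intent is that these vendors legitimately publish higher versions on packagist, state that where the constant is declared in the first hunk, e.g. `/** Vendor namespaces exempt from the public-vs-private version check; see MC-42698 for the rationale */`, and consider keying the list on full package names rather than whole namespaces so a newly appearing package under an exempt vendor is still audited. Separately, `list($namespace, $project) = explode("/", $packageName);` leaves `$project` unused and raises an undefined-offset notice if a package name ever lacks a `/`; `[$namespace] = explode('/', $packageName, 2);` is enough. Also `if(!$isPackageVBE) {` should read `if (!$isPackageVBE) {` to match the spacing the same hunk applies at `if (empty(`.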
