Higher matching version was found on packagist.org
When installing the Channable Magento 2 extension, you might run into this error:
Higher matching version X.X.X of magmodules/magento2-channable was found in public repository packagist.org
than X.X.X in private https://repo.magento.com. Public package might've been taken over by a malicious entity,
please investigate and update package requirement to match the version from the private repository.
A typical composer.json from a Magento installation includes two or more repositories:
- Packagist.org, included unless manually disabled.
- repo.magento.com, under the repositories attribute.
There can be more repositories from different vendors in the composer.json, but these two are included in the default Magento installation.
This error occurs because the Channable extension for Magento 2 is available in both repositories: on Packagist and on the Magento Marketplace.
Because of the lengthy review process of the Magento Marketplace, the latest version may not yet be present there. In rare cases, hackers have registered private namespaces on Packagist to get malicious code installed by the automatic process. This is called a Dependency Confusion Attack. Composer now warns you to investigate whether this is the case.
There are a few ways to solve this problem.
The easiest way is to exclude the Channable module from the check:

```json
"repo.magento.com": {
    "url": "https://repo.magento.com/",
    "exclude": ["magmodules/magento2-channable"]
}
```
Alternatively, open your composer.json and find the magmodules/magento2-channable entry. Change the required version to match the lowest version from the error message.
A third option is to open your composer.json and remove the repo.magento.com entry from the repositories attribute. Then install the Channable Magento 2 extension using this Composer command:

```
composer require magmodules/magento2-channable
```

When that command is finished, you can restore the repo.magento.com entry.
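Once a package is excluded from the check, Composer no longer compares it against repo.magento.com, so it is worth confirming what the lock file actually pinned. The script below is an added example, not part of the Channable extension or of Composer: it lists every package named in an exclude list and reports the version, download host and reference recorded in composer.lock. The sample file contents, version and reference are constructed placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import urlparse

# Constructed sample files; version, commit reference and URLs are placeholders.
COMPOSER_JSON = """{
  "repositories": {
    "repo.magento.com": {
      "type": "composer",
      "url": "https://repo.magento.com/",
      "exclude": ["magmodules/magento2-channable"]
    }
  }
}"""
COMPOSER_LOCK = """{
  "packages": [{
    "name": "magmodules/magento2-channable",
    "version": "0.0.1",
    "dist": {
      "type": "zip",
      "url": "https://api.github.com/repos/magmodules/magento2-channable/zipball/0000000",
      "reference": "0000000"
    }
  }]
}"""

def excluded_packages(composer):
    """Map each excluded package name to the host of the repository excluding it."""
    repos = composer.get("repositories", {})
    entries = repos.values() if isinstance(repos, dict) else repos
    found = {}
    for repo in entries:
        if isinstance(repo, dict):  # skip entries such as "packagist.org": false
            for name in repo.get("exclude", []):
                found[name] = urlparse(repo.get("url", "")).hostname
    return found

def audit(composer_json, composer_lock):
    """For every excluded package, report what the lock file pins and from where."""
    lock = json.loads(composer_lock)
    locked = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    report = []
    for name, private_host in sorted(excluded_packages(json.loads(composer_json)).items()):
        dist = locked.get(name, {}).get("dist", {})
        host = urlparse(dist.get("url", "")).hostname
        report.append({"package": name, "version": locked.get(name, {}).get("version"),
                       "dist_host": host, "reference": dist.get("reference"),
                       "from_private_repo": host is not None and host == private_host})
    return report

if __name__ == "__main__":
    for row in audit(COMPOSER_JSON, COMPOSER_LOCK):
        print(row)
```

To use it on a real project, pass the contents of your own composer.json and composer.lock to audit() and compare the reported reference with the release published by the vendor.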