Command create-project fails on plugins #10935

Closed
janpecha opened this issue Jul 11, 2022 · 8 comments

janpecha commented Jul 11, 2022

Hello, create-project fails if it finds a composer.json with a plugin in the current working directory.

$ composer require frontpack/composer-assets-plugin

It creates this composer.json:

{
    "require": {
        "frontpack/composer-assets-plugin": "^0.11.1"
    },
    "config": {
        "allow-plugins": {
            "frontpack/composer-assets-plugin": true
        }
    }
}

Now if I run create-project in the same directory (I used it on GitHub Actions) it fails:

$ composer create-project janpecha/code-checker _temp/code-checker --no-interaction

In PluginManager.php line 762:

  frontpack/composer-assets-plugin contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe.
  You can run "composer config --no-plugins allow-plugins.frontpack/composer-assets-plugin [true|false]" to enable it (true) or disable it explicitly and suppress this exception (false)
  See https://getcomposer.org/allow-plugins

With option --no-plugins it works fine:

$ composer create-project janpecha/code-checker _temp/code-checker --no-interaction --no-plugins

Creating a "janpecha/code-checker" project at "_temp/code-checker"
Installing janpecha/code-checker (v1.0.1)
Plugins have been disabled.
  - Installing janpecha/code-checker (v1.0.1): Extracting archive
...
janpecha added a commit to janpecha/actions that referenced this issue Jul 11, 2022

ihor-sviziev commented Jul 11, 2022

Moved to #10928 (comment)

Seldaek commented Jul 12, 2022

Thanks - that was actually a great find thanks to the plugin security feature, as plugins from the CWD had no business being loaded here when running create-project.

Seldaek added the Bug label Jul 12, 2022
Seldaek added this to the 2.2 milestone Jul 12, 2022

secretsayan commented Jul 12, 2022

We are also experiencing the exact same issues in the exact same scenario for the composer validate command. Moreover, with other commands provided by composer plugins like composer-normalize we are facing the exact same issue, wherein the plugins declared in the CWD are trying to get loaded and disrupting the process.

Seldaek commented Jul 12, 2022

Keeping open until I had time to investigate further what @secretsayan reported. In the meantime feel free to try with composer self-update --snapshot if the latest version fixes things for you on the create-project side.

Seldaek commented Jul 13, 2022

@secretsayan can you describe some more what you are seeing with validate? If it fails because you are missing an allow-plugins in the project you are validating that makes sense to me and it is correct behavior IMO. Running validate loads plugins (as do most commands).

composer-normalize also works with the CWD's composer.json AFAIK, so not sure what you were referring to.

Anyway I'll close this again.. If you have a clear repro case for either of these issues please open a new issue with details.

Seldaek closed this as completed Jul 13, 2022
Seldaek added a commit that referenced this issue Jul 13, 2022
Seldaek added a commit that referenced this issue Jul 13, 2022

Seldaek commented Jul 13, 2022

@secretsayan sorry I spoke too fast - I dug into ergebnis/composer-normalize#865 and realized the problem could be dealt with internally much better. 0e59fbb should resolve your issues with validate command as well as normalize.

secretsayan commented

Thanks @Seldaek, this will solve a lot of issues we are currently facing :)

secretsayan commented

@Seldaek I have checked with Composer 2.3.10 and I found that composer validate is fixed now.

But the issue still remains with composer normalize.
