[composer.json] Not to allow custom composer repositories type of [packages, notify-batch, VCS, pear, git] or have whitelisted packagist app servers

Problem/Motivation

I run into the following issue:
#2954719: Composer Install Fails

For example, on mobile:
If we have an app from the App Store, and this app tries to install some other app that I do not know to be certified and that is not listed in the App Store, we will be worried about the app.

Proposed resolution

https://getcomposer.org/doc/05-repositories.md

  • Not to allow custom composer repositories type of [packages, notify-batch, VCS, pear, git]
  • Have whitelisted packagist app servers

For example, do not allow the commit to drupal.org git if the composer.json file has some text like:

{
    "repositories": [
        {
            "packagist.org": false
        }
    ]
}

Remaining tasks

Have a filter on git commits.
Show users a message that the module or theme has issues with its composer.json.

User interface changes

N/A

API changes

  • Composer Filter on git commit.

Data model changes

N/A


Source: https://www.drupal.org/project/issues/rss/infrastructure
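
One way the proposed commit filter could evaluate a composer.json, as an added example that is not code from the issue or from drupal.org. The function name `check_composer`, the host allow-list and the sample input are assumptions made for illustration; the blocked types are copied from the issue's list.

```python
import json
from urllib.parse import urlparse

# Types the issue proposes to reject, copied from its list and lowercased.
BLOCKED_TYPES = {"packages", "notify-batch", "vcs", "pear", "git"}
# Assumed allow-list: the issue names no hosts, so these are placeholders.
ALLOWED_HOSTS = {"packagist.org", "repo.packagist.org", "packages.drupal.org"}


def check_composer(text):
    """Return a list of policy findings for one composer.json document."""
    try:
        data = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    repos = data.get("repositories", []) if isinstance(data, dict) else None
    # Composer accepts a list of entries or an object keyed by repository name.
    if isinstance(repos, dict):
        repos = [{name: r} if r is False else r for name, r in repos.items()]
    if not isinstance(repos, list):
        return ["top level or 'repositories' has an unexpected shape"]
    findings = []
    for i, repo in enumerate(repos):
        if not isinstance(repo, dict):
            findings.append(f"entry {i}: not an object")
            continue
        # A single-key entry set to false switches a default repository off.
        if len(repo) == 1 and next(iter(repo.values())) is False:
            name = next(iter(repo))
            findings.append(f"entry {i}: disables default repository {name!r}")
            continue
        rtype = str(repo.get("type", "")).lower()
        if rtype in BLOCKED_TYPES:
            findings.append(f"entry {i}: repository type {rtype!r} is not allowed")
        # SSH-style or local-path URLs have no hostname and are rejected too.
        host = urlparse(str(repo.get("url", ""))).hostname
        if host not in ALLOWED_HOSTS:
            findings.append(f"entry {i}: host {host!r} is not on the allow-list")
    return findings


if __name__ == "__main__":
    # Constructed sample: the snippet from the issue plus two more entries.
    sample = '''{"repositories": [
        {"packagist.org": false},
        {"type": "vcs", "url": "https://git.example.org/acme/lib.git"},
        {"type": "composer", "url": "https://packages.drupal.org/8"}
    ]}'''
    for finding in check_composer(sample):
        print("REJECT:", finding)
```

A server-side hook would call this on each composer.json blob in a push and refuse the push when the returned list is non-empty, printing the findings as the message to the committer.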