Recently I am working on a Magento project and just trying to run the composer command to install a module.
composer require magmodules/magento2-channable
I have faced an error with the given statement on the command line screen,
Higher matching version 1.13.0 of magmodules/magento2-channable was found in public repository packagist.org than 1.12.1 in private https://repo.magento.com. Public package might've been taken over by a malicious entity, please investigate and update package requirement to match the version from the private repository.
This error will prevent you to install the module in the system.
From Adobe Commerce 2.4.3, New Composer Plugin was introduced to the protection of merchant sites from dependency confusion attacks. This plugin is used to validate composer packages.
magento/composer-dependency-version-audit-plugin
The cause of the Issue was the module version number in the public vs private repo. In a GitHub Public, repository module version is 1.13.0 while in the Magento marketplace module, the latest version was 1.12.1 and that will conflict with the composer command.
How to fix the issue of installation of the given module?
I have fixed it via the modification on the composer.json file from the Magento root path.
1) First Way:
Just Edit the composer.json file with the given line,
Add the canonical tag false to the private repositories section in your composer file, In our case error throws from the https://repo.magento.com/ repositories so we need to add an extra key value on that repositories object line.
“canonical”: false
Just add extra key-value pair to the {"type": "composer", "url": "https://repo.magento.com/"}line,
The final Code looks like this in the composer file,
"repositories": [
{"type": "composer", "url": "https://repo.magento.com/", "canonical": false},
]
Save the file and run again the command to successfully install the module.
2) Second Way,
This is the better way to resolve the issue,
You need to exclude the current module package from the composer.json file,
"repositories": [
{
"type": "composer", "url": "https://repo.magento.com/",
"exclude": ["magmodules/magento2-channable"]
}
]
In this way, you can exclude specific modules from the composer to check validation.
While In the future, If a Third-party extension provider will update the both public and private repo with the same version, you need to remove a canonical tag from the composer.json file.