Higher matching version was found on packagist.org

Frank Tiggelman edited this page Jul 4, 2022 · 2 revisions

When installing the Mollie Magento 2 extension, you might run into this error:

Higher matching version X.X.X of mollie/magento2 was found in public repository packagist.org
than X.X.X in private https://repo.magento.com. Public package might've been taken over by a malicious entity,
please investigate and update package requirement to match the version from the private repository.

Why is this happening?

A typical composer.json from a Magento installation includes two or more repositories:

  • Packagist.org, included by default unless manually disabled.
  • repo.magento.com, under the repositories attribute.

There can be more repositories from different vendors in the composer.json, but these two are included in the default Magento installation.

This error occurs because the Mollie extension for Magento 2 is available on both repositories: it is published on Packagist and on the Magento Marketplace.

Because of the lengthy review process of the Magento Marketplace, the latest version may not yet be present on repo.magento.com, so Packagist offers a higher version than the private repository does. In rare cases, hackers have registered private namespaces on Packagist to get malicious code installed by the automatic process. This is called a Dependency Confusion Attack. Composer now warns you so that you can investigate whether this is the case.

How to solve this?

There are a few ways to solve this problem.

Exclude Mollie (recommended)

The easiest way is to exclude Mollie from the check:

"repo.magento.com": {
    "type": "composer",
    "url": "https://repo.magento.com/",
    "exclude": ["mollie/*"]
}
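
The comparison behind the warning, and the effect of the exclude filter shown above, can be sketched in Python. This is an added example, not code from Composer, Magento or Mollie; the version lists, the helper names and the plain X.Y.Z version parsing are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed composer.json fragment; the version numbers below are made up.
COMPOSER_JSON = """
{
  "require": {"mollie/magento2": "*", "magento/product-community-edition": "*"},
  "repositories": {
    "repo.magento.com": {"type": "composer", "url": "https://repo.magento.com/"}
  }
}
"""
SAMPLE = json.loads(COMPOSER_JSON)
# Constructed listings; a real audit would read each repository's metadata.
PRIVATE = {"mollie/magento2": ["1.0.0", "1.1.0"],
           "magento/product-community-edition": ["1.0.0"]}
PUBLIC = {"mollie/magento2": ["1.1.0", "1.2.0"]}


def parse(version):
    """Turn 'X.Y.Z' into a tuple of ints (assumes plain numeric versions)."""
    return tuple(int(part) for part in version.split("."))


def served_by(repo, package):
    """Apply a repository's 'only' / 'exclude' filters to one package name."""
    if "only" in repo:
        return any(fnmatchcase(package, pat) for pat in repo["only"])
    return not any(fnmatchcase(package, pat) for pat in repo.get("exclude", []))


def audit(composer, private, public):
    """Map package -> (private_max, public_max) where the public one is higher."""
    repos = composer.get("repositories", {})
    repos = list(repos.values()) if isinstance(repos, dict) else repos
    # Assumption: every configured repository entry is the private one.
    private_repos = [r for r in repos if isinstance(r, dict)]
    findings = {}
    for package in composer.get("require", {}):
        offered = any(served_by(r, package) for r in private_repos)
        if not (offered and package in private and package in public):
            continue
        priv_max = max(private[package], key=parse)
        pub_max = max(public[package], key=parse)
        if parse(pub_max) > parse(priv_max):
            findings[package] = (priv_max, pub_max)
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, PRIVATE, PUBLIC))
```

With the exclude entry in place the package is no longer offered by the private repository, so nothing is flagged; the exclusion also means a genuine takeover of that package name on Packagist would no longer trigger the warning.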

Match the repo.magento.com version (not recommended)

Open your composer.json and find the mollie/magento2 entry. Change the required version to match the lowest version from the error message.

Temporarily remove the repo.magento.com repository (recommended)

Open your composer.json and remove the repo.magento.com entry from the repositories attribute. Install the Mollie Magento 2 extension using this Composer command:

composer require mollie/magento2

When that command is finished, you can restore the repo.magento.com entry.