Composer "X contains a Composer plugin which is not allowed" in CI
Composer 2.2+ requires every plugin to be explicitly allowed via the allow-plugins config. In non-interactive CI, Composer cannot prompt to allow it, so an unlisted plugin is blocked and the install fails (or the plugin silently does not run).
What this error means
composer install fails or warns that a package "contains a Composer plugin which is currently not in your allow-plugins config." In CI it cannot prompt, so the plugin is skipped or the build errors depending on settings.
dealerdirect/phpcodesniffer-composer-installer contains a Composer
plugin which is currently not in your allow-plugins config. See
https://getcomposer.org/allow-plugins
Do you trust "dealerdirect/phpcodesniffer-composer-installer"? [y/N]Common causes
allow-plugins not configured for the plugin
Composer 2.2+ blocks plugins by default; the plugin your dependencies install is not listed in allow-plugins, so it cannot run in CI.
Non-interactive CI cannot answer the trust prompt
Locally you may have answered the prompt; in CI there is no TTY, so the unlisted plugin is denied automatically.
How to fix it
Allow the specific plugin in composer.json
List the trusted plugin explicitly so CI installs deterministically.
{
"config": {
"allow-plugins": {
"dealerdirect/phpcodesniffer-composer-installer": true,
"phpstan/extension-installer": true
}
}
}Set it from the CLI in CI if needed
Configure the allow flag for the plugin without editing the file by hand.
composer config --no-plugins allow-plugins.dealerdirect/phpcodesniffer-composer-installer true
composer install --no-interactionHow to prevent it
- List every trusted plugin under config.allow-plugins in composer.json.
- Avoid allow-plugins: true blanket trust; allow named plugins only.
- Commit the allow-plugins config so CI installs match local installs.