Composer: Downloading Random Code Is Not A Security Vulnerability?

This sounds like a serious problem and I hope the Composer team is quick in coming up with a solution.

If your dependencies lead to a conflict with a package, Composer may decide to install a fork instead which does not have the same conflict. If you notice that an unexpected fork is installed when running composer update, you can debug the dependency problem that led to the fork installation. Use the conflict key in your composer.json to blacklist the fork.

I do not know or understand the original reasoning for allowing forks, but I am in the camp that it should just fail and tell me what went wrong. The majority of the time when I run composer update I hide my terminal because I already know it’s going to be a while. Rarely, if ever, have I actually checked and seen what it did.

Then again maybe I’m just odd?
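For anyone who does not watch the composer update output, the check for an unexpected fork can be run over composer.lock after the update. The following is an added example, not part of the original comment and not Composer's own code. It relies on a fork standing in for another package through the "replace" key recorded in composer.lock, and it assumes a replace within the same vendor is intentional. The package names and sample data are constructed.

```python
import json

# Constructed sample data, not taken from a real project.
MANIFEST = json.loads("""
{"require": {"php": ">=7.4", "acme/framework": "^2.0", "acme/console": "^3.0"}}
""")
LOCK = json.loads("""
{"packages": [
  {"name": "acme/framework", "version": "2.0.0",
   "require": {"acme/logger": "^1.0"}},
  {"name": "example-fork/logger", "version": "1.4.2",
   "replace": {"acme/logger": "self.version"}},
  {"name": "acme/suite", "version": "3.1.0",
   "replace": {"acme/console": "self.version"}}
 ],
 "packages-dev": []}
""")

def find_substitutions(manifest, lock):
    """Return (wanted, installed_instead, version) for every package that
    something requires by name but that is only present via another
    vendor's "replace" entry."""
    locked = lock.get("packages", []) + lock.get("packages-dev", [])
    installed = {p["name"] for p in locked}
    # Names asked for by the root manifest or by any locked package.
    wanted = set(manifest.get("require", {})) | set(manifest.get("require-dev", {}))
    for p in locked:
        wanted |= set(p.get("require", {}))
    findings = []
    for p in locked:
        vendor = p["name"].split("/")[0]
        for replaced in p.get("replace", {}):
            if replaced not in wanted or replaced in installed:
                continue  # nobody asked for it, or the original is installed
            if replaced.split("/")[0] == vendor:
                continue  # assumption: same-vendor replace is intentional
            findings.append((replaced, p["name"], p.get("version", "?")))
    return sorted(findings)

def conflict_block(findings):
    """Build the composer.json "conflict" entries that exclude each fork."""
    return {"conflict": {fork: "*" for _, fork, _ in findings}}

if __name__ == "__main__":
    found = find_substitutions(MANIFEST, LOCK)
    for wanted, fork, version in found:
        print(f"{wanted} was satisfied by {fork} {version}")
    print(json.dumps(conflict_block(found), indent=2))
```

Run in CI against the real composer.json and composer.lock, a non-empty result is a reason to fail the build until the substitution has been reviewed.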