Tags: symfony, composer-php, nelmio-alice

hautelook/AliceBundle is gone - what's going on & what now?


Answer:

The repository was taken offline by the administrator. The maintainer (Théo Fidry) is locked out. The reason for taking the repository offline is currently unknown.

Head over to https://github.com/nelmio/alice/issues/1089 to get more info & possible workarounds.

Original question:

Something odd is happening to a well-known Symfony Framework bundle right now. I have no idea if there is a real-time channel I can ask about it, so I'm asking here, hoping somebody else noticed:

  1. I just had an error in my CI/CD pipeline caused by a Composer package: apparently the GitHub repository https://github.com/hautelook/AliceBundle was briefly either taken private or removed.
  2. About 10 minutes later, the repository re-appeared as https://github.com/theofidry/AliceBundle, this time as a fork of https://github.com/nowiko/AliceBundle.

I've got screenshots, Google has some cache (compare https://webcache.googleusercontent.com/search?q=cache:V9Wz5RytGcsJ:https://github.com/hautelook/AliceBundle+&cd=1&hl=en&ct=clnk&gl=au&client=safari and https://github.com/hautelook/AliceBundle).

The big question here is: what's going on? Is this a possible supply chain attack in progress?


Some resources

Original repository state:


Forked repo with no releases, tags etc:


The pipeline error I got:

    Failed to download hautelook/alice-bundle from dist: The "https://api.github.com/repos/hautelook/AliceBundle/zipball/17c5199b2a6efbc1383b0afe1cddfa3c176b7b6f" file could not be downloaded (HTTP/2 404 )
    Now trying to download from source
    - Syncing hautelook/alice-bundle (2.9.0) into cache

    [RuntimeException]
    Failed to clone https://github.com/hautelook/AliceBundle.git via https, ssh protocols, aborting.

    - https://github.com/hautelook/AliceBundle.git
      Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...
      remote: Invalid username or password.
      fatal: Authentication failed for 'https://github.com/hautelook/AliceBundle.git/'

    - git@github.com:hautelook/AliceBundle.git
      Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...
      error: cannot run ssh: No such file or directory
      fatal: unable to fork

Solution

  • As Théo Fidry, the maintainer of that package, recommends: his GitHub account holds an up-to-date fork which can be used by adding the following settings to composer.json:

        "repositories": [
            {
                "type": "vcs",
                "url": "https://github.com/theofidry/AliceBundle"
            }
        ],
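Before repointing Composer at a fork, the check a defender wants is whether composer.lock still pins the same commit: a git reference is content-addressed, so the same hash served from a different host is the same code, while a changed hash means different code is about to be installed. The script below is an added example (not from the question, the answer or the bundle itself) that diffs two lock-file fragments for exactly that; the fragments are constructed from the package, version and commit in the pipeline error above, and `lock_fragment` / `audit_lock_change` are helper names introduced here.

```python
import json

# Constructed composer.lock fragments (sample data, not the asker's lock file).
# Package, version and commit come from the pipeline error in the question;
# the owners are the original repository and the maintainer's fork.
REF = "17c5199b2a6efbc1383b0afe1cddfa3c176b7b6f"

def lock_fragment(owner, ref, dist_ref=None):
    """Build a minimal composer.lock (as text) with a single package entry."""
    base = f"https://github.com/{owner}/AliceBundle"
    return json.dumps({"packages": [{
        "name": "hautelook/alice-bundle", "version": "2.9.0",
        "source": {"type": "git", "url": base + ".git", "reference": ref},
        "dist": {"type": "zip",
                 "url": f"https://api.github.com/repos/{owner}/AliceBundle/zipball/{dist_ref or ref}",
                 "reference": dist_ref or ref},
    }]})

def index_packages(lock_text):
    """Map package name -> lock entry, covering root and dev packages."""
    data = json.loads(lock_text)
    return {p["name"]: p for p in data.get("packages", []) + data.get("packages-dev", [])}

def audit_lock_change(before_text, after_text):
    """Diff two lock files and return {package: [finding, ...]}.

    Unchanged reference behind a changed URL = same commit, new host.
    Changed reference = different code is about to be installed.
    """
    before, after = index_packages(before_text), index_packages(after_text)
    findings = {}
    for name in sorted(set(before) | set(after)):
        notes = []
        if name not in after:
            notes.append("removed")
        elif name not in before:
            notes.append("added: new dependency, review before trusting")
        else:
            b, a = before[name], after[name]
            b_src, a_src = b.get("source", {}), a.get("source", {})
            if a_src.get("reference") != b_src.get("reference"):
                notes.append("reference changed: different code, review the diff")
            elif a_src.get("url") != b_src.get("url"):
                notes.append("relocated: same commit, new host " + str(a_src.get("url")))
            if a.get("dist", {}).get("reference") != a_src.get("reference"):
                notes.append("dist/source reference mismatch")
        if notes:
            findings[name] = notes
    return findings
```

Run it against the lock file committed before the outage and the one produced after `composer update hautelook/alice-bundle` with the fork configured; a "relocated" finding with no "reference changed" line means the fork delivered the commit you were already pinning.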