Identify & vet commonly used composer plugins in the Drupal ecosystem

Created on 27 January 2023, over 1 year ago
Updated 14 February 2023, over 1 year ago

Problem/Motivation

Follow-up for 📌 Limit trusted Composer plugins to a known list, allow user to add more (Fixed).

📌 Limit trusted Composer plugins to a known list, allow user to add more (Fixed) explicitly allows all composer plugins used by Drupal core. This was not hard to achieve because despite not having ComposerPluginValidator until that issue, of course all work to make Automatic Updates function as expected already means that core's composer plugins either work without limitations or got the necessary validators already.

But other modules may install additional composer plugins, for example the https://www.drupal.org/project/simplesamlphp_auth module depends on https://github.com/simplesamlphp/simplesamlphp ^1.19, whose composer.json has an indirect dependency on simplesamlphp/composer-module-installer.

Right now, DrupalCI does not allow additional composer plugins to be installed, so that ironically is a pretty good way to discover which modules need additional composer dependencies … which is exactly why #3334914: Testing is broken because simplesamlphp/composer-module-installer contains a Composer plugin which is blocked exists for simplesamlphp/composer-module-installer 😅

Based on the absence of more people complaining in #3334914, it looks like there are fairly few modules using composer plugins 👍

Steps to reproduce

Try to install e.g. https://www.drupal.org/project/simplesamlphp_auth.

Proposed resolution

Research how widespread the contrib impact is. Based on

it doesn't seem to be widespread at all!

Remaining tasks

TBD

User interface changes

TBD

API changes

None.

Data model changes

None.

📌 Task
Status

Active

Version

3.0

Component

Code

Created by

🇧🇪Belgium Wim Leers Ghent 🇧🇪🇪🇺
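One way to find Composer plugins that arrive indirectly, as simplesamlphp/composer-module-installer does in the issue summary above: an added example, not code from this issue or from Drupal. It assumes the standard `composer.lock` layout (`packages`, `packages-dev`, per-package `type` and `require`) and the `config.allow-plugins` map in `composer.json`; the sample data, the `example/intermediate-module` package and the `*` constraints are constructed, and pattern matching is approximated with `fnmatch`.

```python
from collections import deque
from fnmatch import fnmatchcase

# Constructed sample data, shaped like composer.json / composer.lock.
COMPOSER_JSON = {
    "require": {"drupal/simplesamlphp_auth": "*"},
    "config": {"allow-plugins": {"composer/installers": True, "drupal/core-*": True}},
}
COMPOSER_LOCK = {"packages-dev": [], "packages": [
    {"name": "composer/installers", "type": "composer-plugin", "require": {}},
    {"name": "drupal/core-composer-scaffold", "type": "composer-plugin", "require": {}},
    {"name": "drupal/simplesamlphp_auth", "type": "drupal-module",
     "require": {"simplesamlphp/simplesamlphp": "^1.19"}},
    {"name": "simplesamlphp/simplesamlphp", "type": "project",
     "require": {"example/intermediate-module": "*"}},  # hypothetical package
    {"name": "example/intermediate-module", "type": "library",
     "require": {"simplesamlphp/composer-module-installer": "*"}},
    {"name": "simplesamlphp/composer-module-installer", "type": "composer-plugin", "require": {}},
]}

def is_allowed(name, allow):
    """First matching allow-plugins rule decides; no match means blocked."""
    if isinstance(allow, bool):  # a bare boolean allows or blocks every plugin
        return allow
    for pattern, verdict in allow.items():
        if fnmatchcase(name, pattern):
            return verdict is True
    return False

def require_chain(target, roots, packages):
    """Breadth-first search for the shortest require chain ending at target."""
    queue, seen = deque([name] for name in roots), set(roots)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in packages.get(path[-1], {}).get("require", {}):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return []

def unvetted_plugins(composer_json, composer_lock):
    """Map each locked composer-plugin that is not allowed to the chain pulling it in."""
    allow = composer_json.get("config", {}).get("allow-plugins", {})
    locked = composer_lock.get("packages", []) + composer_lock.get("packages-dev", [])
    packages = {p["name"]: p for p in locked}
    roots = {**composer_json.get("require", {}), **composer_json.get("require-dev", {})}
    return {name: require_chain(name, roots, packages) for name, p in packages.items()
            if p.get("type") == "composer-plugin" and not is_allowed(name, allow)}

if __name__ == "__main__":
    for plugin, chain in unvetted_plugins(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(plugin, "<-", " -> ".join(chain))
```

To audit a real project, load both files with `json.load` and pass the resulting dicts to `unvetted_plugins`.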
