hautelook/AliceBundle is gone - what's going on & what now?


Answer:

The repository was taken offline by the administrator. The maintainer (Theo Fidry) is locked out. The reason for taking the repository offline is currently unknown.

Head over to https://github.com/nelmio/alice/issues/1089 to get more info & possible workarounds.

Original question:

Something odd is happening to a well-known Symfony Framework bundle right now. I have no idea if there is a real-time channel I can ask about it, so I'm asking here, hoping somebody else noticed:

  1. I just had an error in my CI/CD pipeline caused by a Composer package - apparently the GitHub repository https://github.com/hautelook/AliceBundle was briefly either taken private, or removed.
  2. About 10 minutes later, the repository re-appeared as https://github.com/theofidry/AliceBundle, this time as a fork of https://github.com/nowiko/AliceBundle

I've got screenshots, Google has some cache (compare https://webcache.googleusercontent.com/search?q=cache:V9Wz5RytGcsJ:https://github.com/hautelook/AliceBundle+&cd=1&hl=en&ct=clnk&gl=au&client=safari and https://github.com/hautelook/AliceBundle).

The big question here is: what's going on? Is this a possible supply chain attack in progress?


Some resources

Original repository state:

Forked repo with no releases, tags etc:

The pipeline error I got:

    Failed to download hautelook/alice-bundle from dist: The "https://api.github.com/repos/hautelook/AliceBundle/zipball/17c5199b2a6efbc1383b0afe1cddfa3c176b7b6f" file could not be downloaded (HTTP/2 404 )
    Now trying to download from source
  - Syncing hautelook/alice-bundle (2.9.0) into cache
                                                                                                              
  [RuntimeException]                                                                                          
  Failed to clone https://github.com/hautelook/AliceBundle.git via https, ssh protocols, aborting.            
                                                                                                              
  - https://github.com/hautelook/AliceBundle.git                                                              
    Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...  
    remote: Invalid username or password.                                                                     
    fatal: Authentication failed for 'https://github.com/hautelook/AliceBundle.git/'                          
                                                                                                              
  - git@github.com:hautelook/AliceBundle.git
    Cloning into bare repository '/root/.composer/cache/vcs/https---github.com-hautelook-AliceBundle.git'...  
    error: cannot run ssh: No such file or directory                                                          
    fatal: unable to fork                                                                                     
2

There are 2 answers

3
Nico Haase On BEST ANSWER

As Théo Fidry, the maintainer of that package, recommends: his Github account holds an up-to-date fork which can be used by adding the following settings to composer.json:

    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/theofidry/AliceBundle"
        }
    ],
1
Masadow On

This might not be a direct answer to your question but I hope it might help people having huge troubles in their CI pipeline as I had. What I did to solve the issue because the version uploaded by theofidry required PHP 7.3 at least (and my old app does not meet this requirement) was:

  1. Go to your project folder in your local development
  2. Copy the folder vendor/hautelook/alice-bundle somewhere
  3. Run git init inside the copied folder
  4. Create a git repository (e.g. on GitHub) and push the content
  5. Back in your project, update your composer.json, change the version used for hautelook/alice-bundle to "dev-master" and add a vcs repository as specified below
  6. Run composer update and you should be fine

Adapt url accordingly:

    "repositories": [
        {
            "type": "vcs",
            "url": "git@github.com:YourRepository/AliceBundle"
        }
    ]

That solution would work only if you already had a version of AliceBundle somewhere.
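
Both workarounds above make Composer fetch hautelook/alice-bundle from a different repository. As an added example (not part of either answer, and not code from the AliceBundle project), this Python script compares the composer.lock from before the change with the one produced after it and reports whether the relocated package still resolves to the previously locked commit. The function names and the sample lock fragments are constructed for illustration; the only value taken from the page is the commit SHA in the pipeline error.

```python
import json
import sys

def norm_url(url):
    # Ignore case, trailing slash and ".git" so the same repo is not reported twice.
    u = (url or "").lower().rstrip("/")
    return u[:-4] if u.endswith(".git") else u

def index_packages(lock):
    """Map package name -> (version, source URL, locked commit SHA)."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            out[pkg["name"]] = (pkg.get("version"), src.get("url"), src.get("reference"))
    return out

def audit_relocations(old_lock, new_lock):
    """List packages whose source repository changed between two composer.lock files."""
    old, new = index_packages(old_lock), index_packages(new_lock)
    findings = []
    for name in sorted(old.keys() & new.keys()):
        (o_ver, o_url, o_ref), (n_ver, n_url, n_ref) = old[name], new[name]
        if norm_url(o_url) == norm_url(n_url):
            continue
        if o_ref and o_ref == n_ref:
            verdict = "same-commit"      # new location serves the commit locked before
        elif o_ver == n_ver:
            verdict = "commit-changed"   # same version label, different code: review
        else:
            verdict = "version-changed"  # e.g. 2.9.0 -> dev-master: diff against vendor/
        findings.append((name, n_url, verdict))
    return findings

def make_lock(url, version, ref):
    # Constructed, minimal composer.lock fragment for the demonstration below.
    return {"packages-dev": [{"name": "hautelook/alice-bundle", "version": version,
                              "source": {"type": "git", "url": url, "reference": ref}}]}

PAGE_SHA = "17c5199b2a6efbc1383b0afe1cddfa3c176b7b6f"  # commit from the pipeline error above
BEFORE = make_lock("https://github.com/hautelook/AliceBundle.git", "2.9.0", PAGE_SHA)
FORK_SAME = make_lock("https://github.com/theofidry/AliceBundle", "2.9.0", PAGE_SHA)  # constructed
OWN_COPY = make_lock("git@github.com:YourRepository/AliceBundle", "dev-master", "0" * 40)  # constructed

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py composer.lock.old composer.lock
        a, b = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        a, b = BEFORE, OWN_COPY
    for finding in audit_relocations(a, b):
        print(finding)
```

A `same-commit` verdict means the new repository serves the commit that was already locked; the other two verdicts call for a diff against a trusted copy, such as an existing vendor/ directory.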