Probably don't need composer/installers under composer v2? #33

Open
beporter opened this issue Jan 1, 2022 · 3 comments

beporter commented Jan 1, 2022

Seems like this might be the cause of composer install creating a /Plugin root folder and installing every package that has a type: cakephp-plugin in their own composer.json into that (tracked) folder.

It's not clear to me how to detect whether this plugin is being composer installed via composer v1 or v2, but on the master / 4.x branch it's probably safe to remove composer/installers from the composer.json file in THIS project.

The issue is fixed when a different project that runs composer require loadsys/cakephp-config-read:~4.0 does NOT end up with a root Plugin/ folder when running composer install.


beporter commented Jan 1, 2022

Reproduction:


$ mkdir tmp/configreadtest

$ cd tmp/configreadtest/

$ composer --version
Composer version 2.2.3 2021-12-31 12:18:53

$ composer init

# **SNIP**

$ composer require loadsys/cakephp-config-read:~4.0
./composer.json has been updated
Running composer update loadsys/cakephp-config-read
Loading composer repositories with package information
Updating dependencies
Lock file operations: 11 installs, 0 updates, 0 removals
  - Locking aura/intl (3.0.0)
  - Locking cakephp/cakephp (3.10.2)
  - Locking cakephp/chronos (1.3.0)
  - Locking composer/installers (v1.12.0)
  - Locking laminas/laminas-diactoros (1.8.7p2)
  - Locking laminas/laminas-zendframework-bridge (1.4.1)
  - Locking loadsys/cakephp-config-read (4.0.0)
  - Locking paragonie/random_compat (v9.99.99)
  - Locking psr/http-message (1.0.1)
  - Locking psr/log (1.1.4)
  - Locking psr/simple-cache (1.0.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 11 installs, 0 updates, 0 removals
  - Downloading psr/simple-cache (1.0.1)
  - Downloading loadsys/cakephp-config-read (4.0.0)
  - Installing composer/installers (v1.12.0): Extracting archive
composer/installers contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "composer/installers" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
  - Installing aura/intl (3.0.0): Extracting archive
  - Installing cakephp/chronos (1.3.0): Extracting archive
  - Installing psr/http-message (1.0.1): Extracting archive
  - Installing laminas/laminas-zendframework-bridge (1.4.1): Extracting archive
  - Installing laminas/laminas-diactoros (1.8.7p2): Extracting archive
  - Installing psr/simple-cache (1.0.1): Extracting archive
  - Installing psr/log (1.1.4): Extracting archive
  - Installing paragonie/random_compat (v9.99.99): Extracting archive
  - Installing cakephp/cakephp (3.10.2): Extracting archive
  - Installing loadsys/cakephp-config-read (4.0.0): Extracting archive
3 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
2 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

$ ll
total 64
drwxr-xr-x   3 beporter  staff     96 Jan  1 11:28 Plugin/        # <----- WHAT???
-rw-r--r--   1 beporter  staff    449 Jan  1 11:28 composer.json
-rw-r--r--   1 beporter  staff  28435 Jan  1 11:28 composer.lock
drwxr-xr-x   2 beporter  staff     64 Jan  1 11:28 src/
drwxr-xr-x  10 beporter  staff    320 Jan  1 11:28 vendor/

I think the root cause of the issue is the line: Do you trust "composer/installers" to execute code


beporter commented Jan 1, 2022

Possible workaround:

In your project's own composer.json:

    "config": {
        # **snip**
        "allow-plugins": {
            "composer/installers": false
        }
    }
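
An added example, not part of the original thread or the project's code: a small audit that lists every locked package of type `composer-plugin` (the packages Composer asks about in the "Do you trust ... to execute code" prompt) and reports whether the project's `allow-plugins` setting allows it, blocks it, or has no rule for it. The function names and the sample data are constructed for illustration, and the first-matching-key rule for wildcard entries is an assumption.

```python
import json
import re

# Constructed sample data modelled on the install log above (not real files).
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "composer/installers", "version": "v1.12.0", "type": "composer-plugin"},
    {"name": "loadsys/cakephp-config-read", "version": "4.0.0", "type": "cakephp-plugin"},
    {"name": "psr/log", "version": "1.1.4", "type": "library"}
  ],
  "packages-dev": []
}""")
SAMPLE_JSON = {"config": {"allow-plugins": {"composer/installers": False}}}


def plugin_packages(lock):
    """Locked packages of type composer-plugin, i.e. ones that run code inside Composer."""
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return sorted(p["name"] for p in pkgs if p.get("type") == "composer-plugin")


def decision(name, allow_plugins):
    """Classify one plugin as 'allowed', 'blocked' or 'undecided' (no rule matches)."""
    if isinstance(allow_plugins, bool):  # "allow-plugins": true/false covers every plugin
        return "allowed" if allow_plugins else "blocked"
    for pattern, allowed in (allow_plugins or {}).items():
        # Keys may use * as a wildcard, e.g. "my-org/*".
        # Assumption: the first matching key decides.
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, name, re.IGNORECASE):
            return "allowed" if allowed else "blocked"
    return "undecided"


def audit(composer_json, composer_lock):
    """Map every locked Composer plugin to its allow-plugins decision."""
    allow = composer_json.get("config", {}).get("allow-plugins")
    return {n: decision(n, allow) for n in plugin_packages(composer_lock)}


if __name__ == "__main__":
    for name, state in audit(SAMPLE_JSON, SAMPLE_LOCK).items():
        print(f"{name}: {state}")
```

An `undecided` result is the case that triggers the interactive trust prompt shown in the reproduction; deciding it explicitly in `composer.json` keeps the choice under review in version control.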


beporter commented Jan 2, 2022

I should really check Cake 4 compatibility too...
