fix(ci): skip composer advisory audit for integration test installs#3950
Open
Leiyks wants to merge 3 commits into
Conversation
…installs A Packagist security advisory (PKSA-mdq4-51ck-6kdq / CVE-2026-48019, CRLF injection in the default email validation rule) flags essentially all Laravel framework versions this repo pins for integration tests (>=9,<12.60.0 and >=13,<13.10.0). Composer's resolver refuses to load the pinned versions, so every Laravel integration job fails during the composer setup phase before any test runs. These are intentionally pinned test fixtures, not shipped code, so disable composer's resolver-level 'block-insecure' audit at the shared composer invocation point (run_composer_with_retry). --no-audit only skips the post-install audit report and does NOT lift the resolver block, so the audit.block-insecure config must be set on the project being updated. This is applied at the single shared point used by all framework/integration composer installs, so it covers every affected Laravel version at once (and harmlessly also covers other frameworks such as Symfony).
b0b1e29 to 7712c44
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7712c4481d
audit.block-insecure only exists since Composer 2.4; PHP 7.0/7.1 use the Composer 2.2 LTS which rejects the setting and aborted every composer-driven job. Composer 2.2 has no resolver block-insecure audit anyway, so ignore the failure there with '|| true'.
Problem
We pin specific framework versions as integration-test fixtures. When Packagist publishes a security advisory against a pinned version, composer's resolver-level block-insecure audit refuses to load it, and the affected integration jobs fail during composer setup before any test runs:
This is an environmental break, not a code regression — we intentionally pin these versions and don't want to bump them.
Fix
Disable audit.block-insecure at the single shared composer invocation point (run_composer_with_retry in the Makefile), before composer update. This unblocks any advisory-flagged pinned version across all framework/integration installs at once.
Note: --no-audit only skips the post-install audit report; it does not lift the resolver block. The audit.block-insecure config must be set on the project being updated (verified in docker).
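The shared invocation point the description refers to, sketched as an added shell example that is not the PR's own Makefile code; the COMPOSER and MAX_ATTEMPTS variables, the retry loop, and the parsing of `composer --version` output are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not the project's Makefile): a shared composer entry point that
# relaxes the resolver-level advisory block for pinned test fixtures only.
# Assumed: COMPOSER (binary), MAX_ATTEMPTS, and "Composer version X.Y.Z ..." output.
set -u

: "${COMPOSER:=composer}"
: "${MAX_ATTEMPTS:=3}"

# Returns 0 when a Composer version string (major.minor[.patch]) is >= 2.4,
# the first release that knows the audit.block-insecure config key.
composer_supports_block_insecure() {
    local v="$1" major minor
    major="${v%%.*}"
    minor="${v#*.}"; minor="${minor%%.*}"
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 4 ]; }
}

# Disable the resolver-level block on the project in the current directory.
# --no-audit would not do this: it only suppresses the post-install report.
# On Composer < 2.4 the key is unknown, so the call is skipped or tolerated
# ('|| true'), matching the follow-up commit in this PR.
disable_block_insecure() {
    local ver
    ver="$("$COMPOSER" --version --no-ansi 2>/dev/null \
        | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p')"
    if [ -n "$ver" ] && ! composer_supports_block_insecure "$ver"; then
        echo "Composer $ver predates audit.block-insecure; nothing to disable" >&2
        return 0
    fi
    "$COMPOSER" config audit.block-insecure false || true
}

# Shared invocation point: apply the config once, then retry 'composer update'.
# The block is only relaxed here, for test fixtures, never for shipped code.
run_composer_with_retry() {
    local attempt=1
    disable_block_insecure
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if "$COMPOSER" update --no-interaction --prefer-dist "$@"; then
            return 0
        fi
        echo "composer update failed (attempt $attempt/$MAX_ATTEMPTS), retrying" >&2
        attempt=$((attempt + 1))
        sleep 2
    done
    return 1
}
```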