From f842f629698128d8cb426e0f2dd4f1df7467d7e6 Mon Sep 17 00:00:00 2001
From: Alexandre Rulleau
Date: Wed, 3 Jun 2026 17:24:52 +0200
Subject: [PATCH 1/2] fix(ci): skip composer advisory audit for framework integration test installs

A Packagist security advisory (PKSA-mdq4-51ck-6kdq / CVE-2026-48019, CRLF injection in the default email validation rule) flags essentially all Laravel framework versions this repo pins for integration tests (>=9,<12.60.0 and >=13,<13.10.0). Composer's resolver refuses to load the pinned versions, so every Laravel integration job fails during the composer setup phase before any test runs. These are intentionally pinned test fixtures, not shipped code, so disable composer's resolver-level 'block-insecure' audit at the shared composer invocation point (run_composer_with_retry). --no-audit only skips the post-install audit report and does NOT lift the resolver block, so the audit.block-insecure config must be set on the project being updated. This is applied at the single shared point used by all framework/integration composer installs, so it covers every affected Laravel version at once (and harmlessly also covers other frameworks such as Symfony).
---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index 1f9328e630..36a2de54d4 100644
--- a/Makefile
+++ b/Makefile
@@ -1213,7 +1213,12 @@
 MAX_RETRIES := 3
 RUN_WEB_BENCHES_WITH_DDPROF ?=
 # Note: The "composer show" command below outputs a csv with pairs of dependency;version such as "phpunit/phpunit;9.6.17"
+# Note: We disable composer's "block-insecure" audit so that pinned dependency versions flagged by a
+# security advisory (e.g. Laravel/framework PKSA-mdq4-51ck-6kdq / CVE-2026-48019) still resolve. These
+# are intentionally pinned test fixtures, not shipped code; --no-audit only skips the post-install report
+# and does NOT lift the resolver-level block, so the config must be set on the project being updated.
 define run_composer_with_retry
+	$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false
 	for i in $$(seq 1 $(MAX_RETRIES)); do \
 		echo "Attempting composer update (attempt $$i of $(MAX_RETRIES))..."; \
 		$(COMPOSER) --working-dir=$(if $1,$1,.) update $2 && break || (echo "Retry $$i failed, waiting 5 seconds before next attempt..." && sleep 5); \

From f34210bd4d39d633cb55220a6d6d62e672335c75 Mon Sep 17 00:00:00 2001
From: Alexandre Rulleau
Date: Mon, 22 Jun 2026 16:17:43 +0200
Subject: [PATCH 2/2] fix(ci): tolerate composer audit config on Composer 2.2 (PHP < 7.2)

audit.block-insecure only exists since Composer 2.4; PHP 7.0/7.1 use the Composer 2.2 LTS which rejects the setting and aborted every composer-driven job. Composer 2.2 has no resolver block-insecure audit anyway, so ignore the failure there with '|| true'.
---
 Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 667931c03b..97ff51d4e8 100644
--- a/Makefile
+++ b/Makefile
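Review bot: The added `config audit.block-insecure false` line switches off the resolver-level advisory block for every project that goes through run_composer_with_retry, not only the Laravel fixtures the new comment names, so any future advisory against any framework or test dependency installed via this path is admitted without anyone noticing; the commit message acknowledges this, but the comment in the hunk does not. If the Composer versions in use support it, the narrower `audit.ignore` setting listing just the advisory in question (PKSA-mdq4-51ck-6kdq / CVE-2026-48019) would keep the exception scoped and self-documenting in the fixture's composer.json, with new advisories still blocking; failing that, the comment should state plainly that the block is disabled for all installs through this macro. It is also worth one sentence in the comment that `config` rewrites the target project's composer.json before the `update`, since that change persists on disk between runs. The define body continues past the hunk (the loop's `done` and the `endef` are outside it).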
@@ -1214,9 +1214,10 @@
 RUN_WEB_BENCHES_WITH_DDPROF ?=
 # Note: The "composer show" command below outputs a csv with pairs of dependency;version such as "phpunit/phpunit;9.6.17"
 # Note: We disable composer's "block-insecure" audit so that pinned dependency versions flagged by a
-# security advisory still resolve.
+# security advisory still resolve. The audit.block-insecure setting only exists since Composer 2.4;
+# the Composer 2.2 LTS used for PHP < 7.2 has no such resolver block, so we ignore the failure there.
 define run_composer_with_retry
-	$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false
+	$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false || true
 	for i in $$(seq 1 $(MAX_RETRIES)); do \
 		echo "Attempting composer update (attempt $$i of $(MAX_RETRIES))..."; \
 		$(COMPOSER) --working-dir=$(if $1,$1,.) update $2 && break || (echo "Retry $$i failed, waiting 5 seconds before next attempt..." && sleep 5); \
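Review bot: The `|| true` appended to the `config audit.block-insecure false` line swallows every failure of that step, not only the unknown-setting rejection from Composer 2.2 it is meant to tolerate — an absent or unwritable composer.json in the working dir, or a typo in the key, now passes silently, and on Composer >= 2.4 the following `update` would then fail on the resolver block with an error that points away from the real cause. A cheap improvement keeps the tolerance but leaves a trace in the job log, e.g. `$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false || echo "warning: audit.block-insecure not applied (Composer < 2.4?)"`; a stricter option is to gate the line on the Composer version so that only the known-unsupported case is ignored. The comment above it could then say that the failure is ignored solely because Composer 2.2 has no resolver block, rather than reading as if the setting were optional. The remainder of run_composer_with_retry (the loop's `done` and the `endef`) lies outside the hunk.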