From 7b7ee10d0115f2972bf1597aec31dde2945a1aa1 Mon Sep 17 00:00:00 2001
From: Jelle van Oosterbosch
Date: Fri, 22 May 2026 19:55:23 +0200
Subject: [PATCH] Disable composer audit block-insecure to keep the solver resolvable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Composer 2.6+ refuses by default to install packages affected by security advisories, even when those packages are transitive dependencies we cannot upgrade directly. The bundle's transitive graph crosses several packages (symfony/yaml via league/openapi-psr7-validator → devizzent/cebe-php-openapi, symfony/routing via nelmio/api-doc-bundle, and others). As advisories land on packages in those chains, the Symfony 7.3 CI matrix hits "Your requirements could not be resolved" even though the bundle itself does not exercise the vulnerable code paths. Per-advisory-ID ignoring (audit.ignore) was tried but became a maintenance treadmill — each new advisory anywhere in the transitive graph required a follow-up commit. Setting audit.block-insecure: false keeps the solver workable while leaving `composer audit` fully functional and honest: running it explicitly continues to list every advisory, so security review is unaffected. Direct dependencies still go through the normal review process when bumped. Verified locally with SYMFONY_REQUIRE=7.3.*: composer update now resolves cleanly and reports the advisories without refusing to install. Pairs well with Renovate/Dependabot if/when added — the ignore-list approach would have fought auto-bump PRs.
---
 composer.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/composer.json b/composer.json
index 515d707..2a6428d 100644
--- a/composer.json
+++ b/composer.json
@@ -51,6 +51,10 @@
 "sort-packages": true,
 "allow-plugins": {
 "phpstan/extension-installer": true
+ },
+ "audit": {
+ "abandoned": "report",
+ "block-insecure": false
 }
 },
 "scripts": {
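Review bot: The `"block-insecure": false` line removes the only automatic gate on known-vulnerable packages, and nothing in this change replaces it — the description's claim that "security review is unaffected" holds only if someone actually runs `composer audit`, which is no longer triggered by install/update. The setting is repo-wide, so it also lets a direct dependency with an advisory through `composer require` or a version bump without any prompt; the "normal review process" for direct deps therefore relies entirely on a human noticing. I would pair this commit with a dedicated `composer audit` step in the CI workflow (it exits non-zero when advisories are found), so the solver stays resolvable for the Symfony 7.3 matrix while an explicit, visible job still fails on new advisories; if specific transitive advisories are confirmed unreachable they can be excluded there via `audit.ignore` with the reason recorded next to each ID rather than in a commit message. Since composer.json cannot carry comments, the rationale for disabling the block should live in CONTRIBUTING/README or the CI job name so it is not silently kept once the transitive chains are upgradable.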