
Commit 81891ec

chore: modify fix for security advisories (#4012)
Signed-off-by: Alexandre Rulleau <alexandre.rulleau@datadoghq.com>
1 parent 8b0c1e6 commit 81891ec

1 file changed

Lines changed: 2 additions & 6 deletions


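--- a/Makefile
+++ b/Makefile
@@ -554,7 +554,8 @@ TEST_EXTRA_ENV ?=
 
 ### DDTrace tests ###
 TESTS_ROOT = ./tests
-COMPOSER = $(if $(ASAN), ASAN_OPTIONS=detect_leaks=0) COMPOSER_MEMORY_LIMIT=-1 composer --no-interaction
+# Note: We disable composer's security blocking so that pinned dependency versions flagged by a security advisory (e.g. Laravel/framework PKSA-mdq4-51ck-6kdq / CVE-2026-48019) still resolve.
+COMPOSER = $(if $(ASAN), ASAN_OPTIONS=detect_leaks=0) COMPOSER_NO_SECURITY_BLOCKING=1 COMPOSER_MEMORY_LIMIT=-1 composer --no-interaction
 DDPROF_IDENTIFIER ?=
 PHPUNIT_OPTS ?=
 PHPUNIT_JUNIT ?=
@@ -1212,12 +1213,7 @@ FILTER ?= .
 MAX_RETRIES := 3
 RUN_WEB_BENCHES_WITH_DDPROF ?=
 
-# Note: The "composer show" command below outputs a csv with pairs of dependency;version such as "phpunit/phpunit;9.6.17"
-# Note: We disable composer's "block-insecure" audit so that pinned dependency versions flagged by a
-# security advisory still resolve. The audit.block-insecure setting only exists since Composer 2.4;
-# the Composer 2.2 LTS used for PHP < 7.2 has no such resolver block, so we ignore the failure there.
 define run_composer_with_retry
-$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false || true
 for i in $$(seq 1 $(MAX_RETRIES)); do \
 echo "Attempting composer update (attempt $$i of $(MAX_RETRIES))..."; \
 $(COMPOSER) --working-dir=$(if $1,$1,.) update $2 && break || (echo "Retry $$i failed, waiting 5 seconds before next attempt..." && sleep 5); \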
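Review bot: Putting `COMPOSER_NO_SECURITY_BLOCKING=1` into the shared `COMPOSER` variable (first hunk) turns off advisory blocking for every composer invocation in this Makefile, whereas the removed `config audit.block-insecure false` line applied only inside `run_composer_with_retry`, whose body continues past the second hunk. If `$(COMPOSER)` is also used outside test-fixture installs (not visible here), those resolutions will now silently accept advisory-flagged versions too. Consider leaving `COMPOSER` as it was and prefixing only the retry helper's call, e.g. `COMPOSER_NO_SECURITY_BLOCKING=1 $(COMPOSER) --working-dir=$(if $1,$1,.) update $2`, and extend the comment to say that the pins are test fixtures and that advisories should still be reported by a non-blocking `composer audit` step. The commit also drops the unrelated `composer show` CSV note above the define; keep it if that command is still used further down.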
