Commit 8b0c1e6
fix(ci): skip composer advisory audit for integration test installs (#3950)

* fix(ci): skip composer advisory audit for framework integration test installs

A Packagist security advisory (PKSA-mdq4-51ck-6kdq / CVE-2026-48019, CRLF
injection in the default email validation rule) flags essentially all
Laravel framework versions this repo pins for integration tests
(>=9,<12.60.0 and >=13,<13.10.0). Composer's resolver refuses to load the
pinned versions, so every Laravel integration job fails during the composer
setup phase before any test runs.

These are intentionally pinned test fixtures, not shipped code, so disable
composer's resolver-level 'block-insecure' audit at the shared composer
invocation point (run_composer_with_retry). --no-audit only skips the
post-install audit report and does NOT lift the resolver block, so the
audit.block-insecure config must be set on the project being updated.

This is applied at the single shared point used by all framework/integration
composer installs, so it covers every affected Laravel version at once (and
harmlessly also covers other frameworks such as Symfony).

* fix(ci): tolerate composer audit config on Composer 2.2 (PHP < 7.2)

audit.block-insecure only exists since Composer 2.4; PHP 7.0/7.1 use the
Composer 2.2 LTS which rejects the setting and aborted every composer-driven
job. Composer 2.2 has no resolver block-insecure audit anyway, so ignore the
failure there with '|| true'.

1 parent b8a27a3 commit 8b0c1e6
1 file changed
Lines changed: 4 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1213 | 1213 | | |
1214 | 1214 | | |
1215 | 1215 | | |
| 1216 | + | |
| 1217 | + | |
| 1218 | + | |
1216 | 1219 | | |
| 1220 | + | |
1217 | 1221 | | |
1218 | 1222 | | |
1219 | 1223 | | |
| |||
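Review bot: The '|| true' that the commit message describes for the added lines (new lines 1216-1218 and 1220, whose content is not shown on this page) suppresses every failure of the audit.block-insecure config call, not only the Composer 2.2 rejection of an unknown setting. On Composer 2.4 and later, a config write that fails for any other reason would go unnoticed and the install would still stop at the resolver block, with nothing in the log pointing at the cause. Consider checking the Composer version before setting the key, or printing a warning when the config command fails. Since run_composer_with_retry is shared by all framework installs, a comment beside the new lines naming PKSA-mdq4-51ck-6kdq and noting when the override can be dropped (once the pinned Laravel versions move past the affected ranges) would help keep the relaxed setting from outliving its reason.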