Run security advisory filter first to avoid inconsistent states due to the optimizer not being aware of further removals coming after

Seldaek · Seldaek · commit 80503cbb9666 · 2025-11-13T13:41:11.000+01:00
Fixes #12603
diff --git a/src/Composer/DependencyResolver/PoolBuilder.php b/src/Composer/DependencyResolver/PoolBuilder.php
@@ -350,8 +350,10 @@ public function buildPool(array $repositories, Request $request): Pool
 
         $this->io->debug('Built pool.');
 
-        $pool = $this->runOptimizer($request, $pool);
+        // filter vulnerable packages before optimizing the pool otherwise we may end up with inconsistent state where the optimizer took away versions
+        // that were not vulnerable and now suddenly the vulnerable ones are removed and we are missing some versions to make it solvable
         $pool = $this->runSecurityAdvisoryFilter($pool, $repositories);
+        $pool = $this->runOptimizer($request, $pool);
 
         Intervals::clear();
 
