
Composer 2.9.0 Automatic Security Blocking ignores --no-audit flag and COMPOSER_NO_AUDIT env variable #12607

@wu-edward

Description


Drupal core had a few security advisories yesterday, so today our build in GitHub Actions failed because of the automatic security blocking, despite COMPOSER_NO_AUDIT being set to 1:

Run composer require --dev squizlabs/php_codesniffer
  composer require --dev squizlabs/php_codesniffer
  composer require --dev drupal/coder
  shell: /usr/bin/bash -e {0}
  env:
    COMPOSER_PROCESS_TIMEOUT: 0
    COMPOSER_NO_INTERACTION: 1
    COMPOSER_NO_AUDIT: 1
./composer.json has been updated
Running composer update squizlabs/php_codesniffer
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
    - drupal/gin is locked to version 3.1.0 and an update of this package was not requested.
    - drupal/gin 3.1.0 requires drupal/core ^9 || ^10 || ^11 <11.2 -> found drupal/core[9.0.0-alpha1, ..., 9.5.x-dev, 10.0.0-alpha1, ..., 10.6.x-dev, 11.0.0-alpha1, ..., 11.1.x-dev] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Composer version in CI is 2.9.0:

Run shivammathur/setup-php@v2
  with:
    php-version: 8.3
    tools: composer
    extensions: mbstring, pdo, xml, gd, curl, zip, bcmath, intl
    ini-file: production
    github-token: ***
/usr/bin/bash /home/runner/work/_actions/shivammathur/setup-php/v2/src/scripts/run.sh

==> Setup PHP
✓ PHP Updated to PHP 8.3.27

==> Setup Extensions
✓ mbstring Enabled
✓ pdo Enabled
✓ xml Enabled
✓ gd Enabled
✓ curl Enabled
✓ zip Enabled
✓ bcmath Enabled
✓ intl Enabled

==> Setup Tools
✓ composer Added composer 2.9.0

The same thing happens if I try locally after updating to 2.9.0 and use the --no-audit flag:

ddev composer require --dev squizlabs/php_codesniffer --no-audit
./composer.json has been updated
Running composer update squizlabs/php_codesniffer
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Problem 1
    - drupal/gin is locked to version 3.1.0 and an update of this package was not requested.
    - drupal/gin 3.1.0 requires drupal/core ^9 || ^10 || ^11 <11.2 -> found drupal/core[9.0.0-alpha1, ..., 9.5.x-dev, 10.0.0-alpha1, ..., 10.6.x-dev, 11.0.0-alpha1, ..., 11.1.x-dev] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Is it intentional that the --no-audit option is ignored by the automatic security blocking feature, or is this a bug?
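The error output quoted above names two audit settings: an "ignore" list for specific advisories and a "block-insecure" switch that turns the blocking off entirely. The fragment below is an added example, not part of the issue or of Composer's own documentation; it shows the targeted form, with the advisory IDs copied from the quoted output and the config.audit placement assumed to be the standard composer.json layout.

```json
{
  "config": {
    "audit": {
      "ignore": [
        "SA-CORE-2025-005",
        "SA-CORE-2025-006",
        "SA-CORE-2025-007",
        "SA-CORE-2025-008"
      ]
    }
  }
}
```

Listing the advisories by ID keeps the blocking active for any advisory that is published later, which is the safer option for a CI pipeline; setting "block-insecure" to false in the same "audit" object, as the message also suggests, removes that protection for every package. Note that in the quoted run the block is raised during dependency resolution ("Updating dependencies"), not by the audit step that --no-audit and COMPOSER_NO_AUDIT refer to, which is consistent with those options having no effect here.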
