Description
My composer.json:

```json
{
  "require": {
    "twig/twig": "3.16.0"
  },
  "config": {
    "audit": {
      "ignore": {
        "CVE-2025-24374": "Allow twig 3.16.0"
      }
    }
  }
}
```

I did an ignore of a CVE for composer audit in the past, but now with the release of 2.9 this ignore is not used in the package resolver and I need to add the same security issue but with the Packagist ID. I would expect that this CVE identifier would also work in the resolver.
```json
{
  "require": {
    "twig/twig": "3.16.0"
  },
  "config": {
    "audit": {
      "ignore": {
        "CVE-2025-24374": "Allow twig 3.16.0",
        "PKSA-v3kg-5xkr-pykw": "This is the same security issue as above but only this ignore works to allow twig 3.16.0"
      }
    }
  }
}
```
Output of composer diagnose:

```text
composer diagnose
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.twig/twig : exact version constraints (3.16.0) should be avoided if the package follows semantic versioning
Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.41.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK does not expire
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.9.1
PHP version: 8.4.13
PHP binary path: /opt/homebrew/Cellar/php/8.4.13_1/bin/php
OpenSSL version: OpenSSL 3.5.2 5 Aug 2025
curl version: 8.16.0 libz 1.2.12 brotli brotli/1.1.0 zstd supported ssl OpenSSL/3.6.0 HTTP 1.0, 1.1, 2, 3
zip: extension present, unzip present, 7-Zip not available
```
When I run this command:

```shell
composer update
```

I get the following output:

```text
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires twig/twig 3.16.0 (exact version match: 3.16.0 or 3.16.0.0), found twig/twig[v3.16.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-v3kg-5xkr-pykw") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
```
And I expected this to happen:

```text
Loading composer repositories with package information
Updating dependencies
Lock file operations: 5 installs, 0 updates, 0 removals
  - Locking symfony/deprecation-contracts (v3.6.0)
  - Locking symfony/polyfill-ctype (v1.33.0)
  - Locking symfony/polyfill-mbstring (v1.33.0)
  - Locking symfony/polyfill-php81 (v1.33.0)
  - Locking twig/twig (v3.16.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 5 installs, 0 updates, 0 removals
  - Downloading twig/twig (v3.16.0)
  - Installing symfony/polyfill-php81 (v1.33.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.33.0): Extracting archive
  - Installing symfony/polyfill-ctype (v1.33.0): Extracting archive
  - Installing symfony/deprecation-contracts (v3.6.0): Extracting archive
  - Installing twig/twig (v3.16.0): Extracting archive
Generating autoload files
5 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Found 1 ignored security vulnerability advisory affecting 1 package.
Run "composer audit" for a full list of advisories.
```
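As an added example (not part of this issue and not Composer's own code): a small Python check that reads the `audit.ignore` entries from a composer.json and compares them against advisory records, reporting which ignores are CVE-only and therefore lack the PKSA id the resolver asks for in this report. The advisory record shape (`advisoryId`, `cve` fields) is an assumption loosely modelled on `composer audit --format=json`; the sample data below is constructed from the two identifiers quoted above, with placeholder text elsewhere.

```python
import json
import re

# Constructed sample: the composer.json from this report (only the CVE id is ignored).
COMPOSER_JSON = json.loads("""
{
  "require": {"twig/twig": "3.16.0"},
  "config": {"audit": {"ignore": {"CVE-2025-24374": "Allow twig 3.16.0"}}}
}
""")

# Constructed advisory list; field names are an assumption, values beyond the two ids are placeholders.
ADVISORIES = {
    "twig/twig": [
        {"advisoryId": "PKSA-v3kg-5xkr-pykw", "cve": "CVE-2025-24374",
         "affectedVersions": "<placeholder>", "title": "<placeholder>"},
    ]
}

def ignore_map(composer_json):
    """Return audit.ignore as {IDENTIFIER: reason}; the plain list form is accepted too.
    Case folding is this script's choice, not a statement about Composer's matching."""
    raw = composer_json.get("config", {}).get("audit", {}).get("ignore", {})
    if isinstance(raw, list):
        raw = {k: "" for k in raw}
    return {k.upper(): v for k, v in raw.items()}

def is_ignored(advisory, ignore, match_cve=True):
    """True if the advisory's PKSA id, or (when match_cve) its CVE id, is in the ignore map.
    match_cve=False models the resolver behaviour this report describes."""
    ids = [advisory.get("advisoryId")]
    if match_cve:
        ids.append(advisory.get("cve"))
    return any(i and i.upper() in ignore for i in ids)

def blocked_packages(composer_json, advisories, match_cve=True):
    """Packages that still carry a non-ignored advisory and so would be refused by block-insecure."""
    ignore = ignore_map(composer_json)
    return sorted(pkg for pkg, advs in advisories.items()
                  if any(not is_ignored(a, ignore, match_cve) for a in advs))

def cve_only_ignores(composer_json, advisories):
    """Ignore keys that are CVE ids whose PKSA id is missing: maps each to the id to add."""
    ignore = ignore_map(composer_json)
    cve_to_pksa = {a["cve"].upper(): a["advisoryId"]
                   for advs in advisories.values() for a in advs if a.get("cve")}
    return {cve: cve_to_pksa[cve] for cve in ignore
            if re.fullmatch(r"CVE-\d{4}-\d{4,}", cve) and cve in cve_to_pksa
            and cve_to_pksa[cve].upper() not in ignore}
```

Running `cve_only_ignores(COMPOSER_JSON, ADVISORIES)` on the sample yields the single PKSA id that the `composer update` error above asks for.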