Skip to content

Composer update: filter packages with security advisories from pool #11956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Seldaek merged 15 commits into from
Nov 6, 2025
Merged

Composer update: filter packages with security advisories from pool #11956

Seldaek merged 15 commits into from
Nov 6, 2025

Conversation

@glaubinix
Copy link
Contributor

@glaubinix glaubinix commented Apr 29, 2024
edited
Loading

Please note, this is still a very rough draft missing tests, cleanup and taking a few shortcuts. However, feedback is already appreciated.

Idea

Composer already has an audit functionality that reports any package used by a project with security advisories as part of an install/update/audit command. This PR takes this one step further and filters any packages with security advisories from the pool of available packages during a composer updatecommand before the pool get optimized.

The functionality uses cached metadata files wherever possible. However, it is possible that it will trigger a call to the security advisories API endpoint on packagist.org if multiple Composer repositories are defined and not all packages were looked up before on packagist.org.

This could potentially replace the need for projects to install a special package defining conflicts with packages that have security advisories.

Sample composer.json

{
    "name": "acme/project",
    "version": "1.0",
    "repositories": [
    ],
    "require": {
        "doctrine/cache": "<=1.3.0,>=1.0.0"
    }
}

How this currently looks in Composer with verbose output

Running 2.7.999-dev+source (@release_date@) with PHP
Reading ./composer.json (/tmp/composer.json)
Loading config file ~/.composer/config.json
Loading config file ~/.composer/auth.json
Loading config file ./composer.json (/tmp/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Reading ~/.composer/composer.json
Loading config file ~/.composer/config.json
Loading config file ~/.composer/auth.json
Loading config file ~/.composer/composer.json (~/.composer/composer.json)
Loading config file ~/.composer/auth.json
Reading ~/.composer/auth.json
Reading ./composer.lock (/tmp/composer.lock)
Reading /tmp/vendor/composer/installed.json
Reading ~/.composer/vendor/composer/installed.json
Loading composer repositories with package information
Reading ~/Library/Caches/composer/repo/https---repo.packagist.org/packages.json from cache
Downloading https://repo.packagist.org/packages.json if modified
[200] https://repo.packagist.org/packages.json
Writing ~/Library/Caches/composer/repo/https---repo.packagist.org/packages.json into cache
Downloading https://repo.packagist.org/p2/doctrine/cache.json
[200] https://repo.packagist.org/p2/doctrine/cache.json
Writing ~/composer-cache/repo/https---repo.packagist.org/provider-doctrine~cache.json into cache
Built pool.
Running security advisory pool filter.
Reading ~/composer-cache/repo/https---repo.packagist.org/provider-doctrine~cache.json from cache
Security advisory pool filter completed in 0.001 seconds
Found 105 package versions referenced in your dependency graph. 1 (1%) were filtered away.
Running pool optimizer.
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Reading ~/composer-cache/repo/https---repo.packagist.org/provider-doctrine~cache.json from cache
Your requirements could not be resolved to an installable set of packages.

Problem 1
  Problem 1
    - Root composer.json requires doctrine/cache <=1.3.0,>=1.0.0, found doctrine/cache[v1.0, v1.1, v1.2.0, v1.3.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-5g3y-77s3-wsh1") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Implementation

The PR introduces two new audit config flags. block-insecure (default: true) which removes any version affected by security advisories from the pool and block-abandoned (default: false) which removes all abandoned packages from the pool. The changes have no impact on thecomposer install command.

What else does this PR provide

Happy to extract any feature into a separate PR if this helps

  • Add support to define security advisories in package type repositories (easier for testing and allows users to define advisories in their project)
  • Add all audit command input options as config option (ignore-severity, ignore-unreachable)

@Seldaek Seldaek added this to the 2.8 milestone May 27, 2024
@Seldaek
Copy link
Member

Seldaek commented May 27, 2024

Cool thanks, not sure either how to answer your questions yet. But I'd say probably needs to be optional, and probably abandoned filtering should also be an option at that level? Maybe like "audit": {"block-insecure": bool, "block-abandoned": bool}?

Does it work on install too btw if an insecure package already made its way into the lock file?

As install runs through the pool builder etc as well, I am thinking it might just work, but it'd be good to test.. And I'm not sure if that should be additionally opt-in behavior as it might break pipelines whenever an advisory is released.

@glaubinix
Copy link
Contributor Author

glaubinix commented Jun 4, 2024

Having this as separate config options sounds like a good idea! Applied this already. Blocking on install doesn't work yet as the repository list during the composer install command currently only contains the platform/lock/local repositories and none of the once configured in the repositories section in the composer.json file. So the repository set will always return 0 advisories. Still need to figure out how to pass those through.

@glaubinix glaubinix force-pushed the composer-update-pool-security-advisories branch from 90151cb to 185a2f0 Compare June 4, 2024 11:21
@staabm
Copy link
Contributor

staabm commented Aug 23, 2024

I wonder what the benefit of this PR is over already working things like https://github.com/Roave/SecurityAdvisories

@stof
Copy link
Contributor

stof commented Aug 23, 2024

An install from lock should not filter out vulnerable packages IMO as it would totally break the usage of that lock file when new advisories are released.

And this should definitely stay opt-in (blocking all vulnerable package could harm projects using a package which has a vulnerability for a specific case that does not impact the project by forcing them to update that package before being able to do anything else)

@glaubinix
Copy link
Contributor Author

glaubinix commented Aug 23, 2024

The main benefits are:

  • support for additional sources like GitHub advisories, Drupal out of the box without having to require additional packages as long as the advisories are exposed via a Composer repository
  • option to ignore certain advisories that you either don't care about or don't affect your code base

Yes, failing composer installs should definitely be a separate config option and all options should be opt-in by default.

@Seldaek Seldaek modified the milestones: 2.8, 2.9 Oct 2, 2024
@glaubinix glaubinix force-pushed the composer-update-pool-security-advisories branch 4 times, most recently from d504581 to 123ab17 Compare October 8, 2025 09:52
@glaubinix
Copy link
Contributor Author

glaubinix commented Oct 9, 2025

Adjusted the PR to incorporate the feedback. New audit config options have been added. Removed the part that filtered out versions from the install command. Kept the feature on by default for update commands but added more info on why the update fails and instructions on how to ignore the advisories.

@glaubinix glaubinix force-pushed the composer-update-pool-security-advisories branch from 09cff65 to 10227fa Compare October 9, 2025 10:51
@glaubinix glaubinix force-pushed the composer-update-pool-security-advisories branch from 10227fa to 86e4662 Compare October 28, 2025 11:06
glaubinix
glaubinix commented Oct 28, 2025
View reviewed changes
@glaubinix glaubinix force-pushed the composer-update-pool-security-advisories branch from 86e4662 to 05ff9a8 Compare October 28, 2025 12:01
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
Seldaek
Seldaek reviewed Oct 30, 2025
View reviewed changes
@glaubinix glaubinix requested a review from Seldaek November 3, 2025 11:57
@Seldaek Seldaek merged commit 61dc617 into composer:main Nov 6, 2025
21 checks passed
@Seldaek
Copy link
Member

Seldaek commented Nov 6, 2025

Thanks!

@moltam moltam mentioned this pull request Nov 13, 2025
Open
@th0mcat th0mcat mentioned this pull request Nov 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Seldaek Seldaek Awaiting requested review from Seldaek

Assignees

No one assigned

Labels

Feature

Projects

None yet

Milestone

2.9

Development

Successfully merging this pull request may close these issues.

4 participants

@glaubinix @Seldaek @staabm @stof