@Seldaek Seldaek commented Nov 19, 2025

Fixes #12620

@Seldaek Seldaek added this to the 2.9 milestone Nov 19, 2025
@Seldaek Seldaek requested a review from naderman November 19, 2025 10:10
$packagesForAdvisories = [];
foreach ($pool->getPackages() as $package) {
if (!$package instanceof RootPackageInterface && !PlatformRepository::isPlatformPackage($package->getName())) {
if (!$package instanceof RootPackageInterface && !PlatformRepository::isPlatformPackage($package->getName()) && !$request->isLockedPackage($package)) {
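Review bot: The added `!$request->isLockedPackage($package)` clause in the `if` carries no comment explaining why locked packages are left out of `$packagesForAdvisories`, and it is only correct if the Request's locked state already reflects which packages the update unlocked by the time this loop runs. Suggest a one-line comment above the condition stating that packages which stay locked in a partial update are not checked against advisories, plus a test for a partial update that includes dependencies, asserting that the unlocked package and its dependencies are still collected here.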
Member

I'm not sure this is right. Now any locked package may remain? Shouldn't the packages marked for an update and if dependencies included, its dependencies be excluded here?

Member

Will push a test for what I mean I guess

Member Author

When the PoolBuilder unlocks a package for update it also unlocks it in the Request, so my assumption was that this will just work, but feel free to add a test :)

Member

Yup sorry you are right, just getting mixed up with the ordering of filter and pool builder. Added a test and it passes.

@naderman naderman force-pushed the fix_partial_update_security_blocking branch from 2f6bdaf to eb3327a Compare November 19, 2025 16:57
@Seldaek Seldaek merged commit 98861c6 into composer:main Nov 19, 2025
21 checks passed
@Seldaek Seldaek deleted the fix_partial_update_security_blocking branch November 19, 2025 19:26

Successfully merging this pull request may close these issues.

Package security blocking should not affect locked packages in partial updates
