Add AUDIT-IGNORE.md file with CVE info#172

Merged
Rafikooo merged 1 commit into
Sylius:1.0from
michalkaczmarek-bitbag:audit-ignore-md-file
Nov 17, 2025
Merged


Conversation

@michalkaczmarek-bitbag
Contributor

| Q               | A
|-----------------|-----
| Branch?         | 1.0
| Bug fix?        | no
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | 
| License         | MIT

Add info about CVEs ignored by Composer.

@Rafikooo Rafikooo changed the title from "Add md file with info CVE" to "Add AUDIT-IGNORE.md file with CVE info" Nov 17, 2025
@Rafikooo Rafikooo merged commit 2404243 into Sylius:1.0 Nov 17, 2025
1 check passed
Rafikooo added a commit to michalkaczmarek-bitbag/InvoicingPlugin that referenced this pull request Nov 20, 2025
- Add comprehensive CVE ignore list to composer.json (API Platform, Twig, Symfony)
- Create AUDIT-IGNORE.md with detailed CVE documentation
- Replace symfony security:check with composer audit --locked --abandoned=ignore

The symfony security:check command doesn't respect composer.json ignore configuration,
causing CI failures despite CVE advisories being intentionally ignored. Switching to
composer audit ensures the ignore list is properly respected.

Following patterns from:
- Sylius/Sylius#18553
- Sylius/Sylius#18549
- Sylius/AdyenPlugin#172
GSadee added a commit to Sylius/InvoicingPlugin that referenced this pull request Nov 20, 2025
| Q               | A
|-----------------|-----
| Branch?         | 1.0
| Bug fix?        | yes
| New feature?    | no
| BC breaks?      | no
| Deprecations?   | no
| Related tickets | 
| License         | MIT

## Summary

Fix CI build by adding CVE filtering to composer audit ignore list and
updating security check workflow.

## Changes

1. **composer.json** - Added CVE advisories to `config.audit.ignore`:
   - `PKSA-gs8r-6kz6-pp56` (api-platform/core CVE-2025-31485)
   - `PKSA-gnn4-pxdg-q76m` (api-platform/core CVE-2025-31481)
   - `PKSA-yhcn-xrg3-68b1` (twig/twig CVE-2024-45411)
   - `PKSA-2wrf-1xmk-1pky` (twig/twig CVE-2024-51755)
   - `PKSA-365x-2zjk-pt47` (symfony/http-foundation CVE-2025-64500)

2. **AUDIT-IGNORE.md** - Created documentation file explaining why each
CVE is ignored (following pattern from Sylius/Sylius#18553)

3. **build.yaml** - Changed security check command from `symfony
security:check` to `composer audit --locked --abandoned=ignore`

## Why switch from `symfony security:check` to `composer audit`?

**Official Symfony documentation recommends `composer audit` for CI:**
> "In continuous integration services you can check security vulnerabilities by running the `composer audit` command."
>
> Source: https://symfony.com/doc/current/setup.html#checking-security-vulnerabilities

**Key advantages:**
- ✅ `composer audit` respects ignore configuration in `composer.json` 
- ✅ Built into Composer 2.4+ - no need to install Symfony CLI in CI
- ✅ Allows selective ignoring of specific CVEs with justification
- ❌ `symfony security:check` has NO support for ignore configuration
- ❌ Would require `continue-on-error: true` (ignores ALL errors, not
just known CVEs)

Following the same approach as:
- Sylius/Sylius#18553
- Sylius/Sylius#18549
- Sylius/AdyenPlugin#172
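A consistency check for the pattern this commit message describes (advisories silenced in `config.audit.ignore` must each be justified in AUDIT-IGNORE.md), added here as an example and not code from the Sylius or InvoicingPlugin projects: it reports ids ignored without a written justification and ids still documented after the ignore was dropped, so the ignore list cannot drift silently. The composer.json and AUDIT-IGNORE.md contents are constructed samples using the advisory ids listed above; the `PKSA-` id pattern and the object form of `ignore` (id mapped to reason) are assumptions.

```python
import json
import re

# Constructed composer.json "config" section; the advisory ids are the ones
# listed in the pull request description above, not the project's real file.
COMPOSER_JSON = """{"config": {"audit": {"ignore": [
  "PKSA-gs8r-6kz6-pp56",
  "PKSA-gnn4-pxdg-q76m",
  "PKSA-yhcn-xrg3-68b1"
]}}}"""

# Constructed AUDIT-IGNORE.md: one ignored id is deliberately left undocumented
# and one documented id is no longer ignored, so both kinds of drift show up.
AUDIT_IGNORE_MD = """# Ignored security advisories
## PKSA-gs8r-6kz6-pp56 (CVE-2025-31485)
api-platform/core: the affected feature is not enabled by this plugin.
## PKSA-gnn4-pxdg-q76m (CVE-2025-31481)
api-platform/core: the fixed version needs a major upgrade, tracked separately.
## PKSA-365x-2zjk-pt47 (CVE-2025-64500)
symfony/http-foundation: entry left behind after the ignore was removed.
"""

# Packagist security advisory ids as they appear in the PR (assumed shape).
ADVISORY_RE = re.compile(r"\bPKSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}\b")

def ignored_advisories(composer_json: str) -> set[str]:
    """Ids under config.audit.ignore; handles Composer's list form and the
    object form (id -> reason) that later Composer versions accept (assumed)."""
    config = json.loads(composer_json).get("config", {})
    ignore = config.get("audit", {}).get("ignore", [])
    return set(ignore.keys() if isinstance(ignore, dict) else ignore)

def documented_advisories(markdown: str) -> set[str]:
    """Every advisory id that has its own heading in AUDIT-IGNORE.md."""
    headings = [ln for ln in markdown.splitlines() if ln.startswith("#")]
    return {m.group(0) for ln in headings for m in ADVISORY_RE.finditer(ln)}

def audit_ignore_drift(composer_json: str, markdown: str) -> dict[str, set[str]]:
    """'undocumented': ignored with no written justification (should fail CI);
    'stale': justified in the doc but no longer ignored (should be cleaned up)."""
    ignored = ignored_advisories(composer_json)
    documented = documented_advisories(markdown)
    return {"undocumented": ignored - documented, "stale": documented - ignored}

if __name__ == "__main__":
    drift = audit_ignore_drift(COMPOSER_JSON, AUDIT_IGNORE_MD)
    for kind, ids in drift.items():
        print(f"{kind}: {sorted(ids) or 'none'}")
    raise SystemExit(1 if drift["undocumented"] else 0)
```

Run as a CI step next to `composer audit --locked --abandoned=ignore`: it exits non-zero only when an advisory is silenced without a justification, while stale entries are reported for cleanup.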