Replies: 2 comments 3 replies
-
|
Just a note regarding the Docs: https://getcomposer.org/doc/06-config.md#block-insecure |
Beta Was this translation helpful? Give feedback.
-
|
To avoid a chicken-and-egg problem again (filtering available packages to remove versions with an advisories happens before running the solver, during the pool building, so it cannot rely on a resolution of which packages were the cause for selecting another package as done in What could be possible would be to have a configuration setting to apply the advisory filtering only on the direct dependencies (the list of direct dependencies is known, as that's what the root composer.json defines).
This is not true in general. All those ecosystem are defining constraints with semver ranges for their dependencies. This means that you don't need to wait for a framework release to get a patched version of the dependency. |
Beta Was this translation helpful? Give feedback.
-
Yes, that's why the plugin is now global and it disables the installation time check (for types bundle/addon/extension/aso) and runs audit afterwards, with framework dependency issues as not blocking only reporting.
You’re right, my statement was too broad. In many ecosystems, transitive dependencies are constrained with semver ranges, so a fixed transitive version can often be selected without waiting for a framework release. |
Beta Was this translation helpful? Give feedback.
-
|
For libraries (that don't lock their dependencies anyway, as they are dedicated to be installed as dependencies), the benefit of checking advisories in CI is narrow IMO. |
Beta Was this translation helpful? Give feedback.
-
I agree with this. I think disabling this fully for CI in libraries is probably fine and probably the best path forward.. Because indeed implementing this correctly is kind of a nightmare, and just getting vulnerabilities for direct dependencies would be easy to implement but is it really such an improvement? I think the firebase/php-jwt issue is that they didn't tag a 6.11.2 fix, so people that weren't yet on v7 were left without possibility to update. What happens usually when a CVE is published, is you have a patched version to update to, and so a full update in a CI would just work as it would pick the new version. Of course this may happen again, but it's not the default case, and I don't think it's worth optimizing for. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Context
The
block-insecurefeature in Composer 2.9 is a great step for PHP ecosystem security. However, it creates a real pain point for library and extension developers: advisories in transitive dependencies pulled in by the framework block CI — and the library developer has no way to fix them.Example from the TYPO3 ecosystem:
typo3/cms-core(it has to — it's a TYPO3 extension)typo3/cms-core→typo3/cms-backend→firebase/php-jwtfirebase/php-jwtgets advisory PKSA-y2cr-5h3j-g3ysfirebase/php-jwtbecause it's constrained bytypo3/cms-coreThis happens across every framework ecosystem: Symfony bundles, Drupal modules, Laravel packages, Shopware plugins (see #12628), WordPress plugins, etc.
What people do today
1. Disable the check entirely:
COMPOSER_NO_SECURITY_BLOCKING=1— silences all advisories, including ones in dependencies the developer controls and should fix.2. Manually maintain
config.audit.ignore: Every new advisory requires a commit to every affected repo. With dozens of extensions and frequent advisories, this becomes a constant maintenance burden. Stale entries accumulate, and nobody reviews whether they're now hiding a vulnerability in a dependency the developer does control.Both approaches share the same flaw: they treat security as all-or-nothing when the real question is who is responsible for which dependency.
The concept: Responsibility propagation
Security responsibility follows the dependency chain:
The idea is to classify every installed package by ownership using graph analysis:
typefield or explicit config)The diamond problem (package reachable via both paths) uses a conservative rule: if the developer has any dependency path to a package, it's their responsibility. This prevents false negatives.
Working proof-of-concept
I've built this as a Composer plugin:
netresearch/composer-audit-responsibility(Packagist)It hooks
PRE_COMMAND_RUN, fetches current advisory IDs from the Packagist Security Advisories API, and injects platform-only advisory IDs intoconfig.audit.ignoreat runtime. No manual maintenance needed.Tested against a real TYPO3 extension — correctly identified 49 platform-only transitive packages and auto-suppressed the
firebase/php-jwtadvisory while keeping all user-owned dependencies blocking.Known limitation
As @stof noted in #12628, there's a chicken-and-egg problem: the
block-insecurePoolBuilder check runs during dependency resolution, before a newly-required plugin can execute. This plugin works when it's already in the lock file (the typical case forcomposer installin CI), but can't help on the very firstcomposer updatethat adds it. A--no-security-blockingflag on that initial install is needed.This is one reason why native Composer support would be better than a plugin.
What could native support look like?
A possible
composer.jsonsection:{ "config": { "audit": { "responsibility": { "upstream": ["typo3/cms-*"] } } } }Or automatic detection from the package
type— Composer already knows the framework ecosystem from the type field.With native support:
What this is NOT
I'd love to hear thoughts from the maintainers on whether this concept fits Composer's direction, and whether a native
config.audit.responsibilitysection (or similar) would be worth exploring.Beta Was this translation helpful? Give feedback.
All reactions