Add --no-audit to default options used ? #232

Open
jrfnl opened this issue Aug 20, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@jrfnl
Contributor

jrfnl commented Aug 20, 2022

Prevent audits breaking builds

Composer 2.4.0 introduced a new "Audit" feature, which will run automatically on any composer update, require, remove and create-project.

This audit feature may break builds when security vulnerabilities are found.

The audit feature can be disabled using the --no-audit option - or as of Composer 2.4.1, using the new COMPOSER_NO_AUDIT env variable.

As composer-install already automatically applies typical options like --no-interaction, I was wondering if the --no-audit option should be added to that list of options which are automatically applied.

What do you think?

Refs:

Alternatives

Rely on people adding the --no-audit flag manually to the composer-options in all their CI scripts.

@jrfnl jrfnl added the enhancement New feature or request label Aug 20, 2022
@jrfnl
Contributor Author

jrfnl commented Aug 20, 2022

Additional info from @Seldaek as posted in shivammathur/setup-php#635 (comment):

I am not sure what the best default is here tbh. Just to be clear though:

During updates the audit will simply output some warnings but not fail the build if there is a known vulnerability found.

If you simply run install no audit is done by default.

If you want to fail the build in case vulns are found, then you kinda need to explicitly call the audit command, in which case disabling the auto-audit on update may make sense.
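The pattern described in the two comments above, as an added shell example (not code from ramsey/composer-install or from Composer itself): disable the automatic audit that `update`/`require`/`remove`/`create-project` run since Composer 2.4.0, then gate the CI job on an explicit `composer audit`, which exits non-zero when advisories are found. It assumes Composer 2.4.1 or newer (for `COMPOSER_NO_AUDIT`) and that `composer` is on `PATH`; the function names `composer_deps`, `audit_gate` and `ci_build` are the example's own.

```shell
#!/bin/sh
# Added example, not project code. Assumes Composer >= 2.4.1 on PATH.
set -eu

# Install or re-resolve dependencies with Composer's automatic audit turned off.
# $1 is the Composer command ("install" or "update"); remaining args pass through.
composer_deps() {
  cmd="$1"; shift
  opts="--no-interaction --no-progress"
  # Only update/require/remove/create-project audit automatically (Composer 2.4.0);
  # plain `install` performs no audit by default, so it gets no --no-audit flag.
  case "$cmd" in
    update|require|remove|create-project) opts="$opts --no-audit" ;;
  esac
  # COMPOSER_NO_AUDIT (Composer 2.4.1) is the env-var equivalent of --no-audit;
  # setting both is harmless and covers callers that drop the flag.
  # $opts is word-split on purpose.
  COMPOSER_NO_AUDIT=1 composer "$cmd" $opts "$@"
}

# Explicit security gate: `composer audit` exits non-zero when known advisories
# exist for the installed versions. Returns 0 when clean, 1 when CI should fail.
audit_gate() {
  if composer audit --no-interaction; then
    echo "audit: no known advisories" >&2
    return 0
  fi
  echo "audit: known security advisories found, failing build" >&2
  return 1
}

# Typical CI job: install from the lock file, then audit as a separate,
# failing step instead of relying on the (non-failing) automatic audit.
ci_build() {
  composer_deps install --prefer-dist && audit_gate
}

# Only run against a real Composer when invoked as `sh ci-audit.sh --run`.
if [ "${1:-}" = "--run" ]; then
  ci_build
fi
```

In a workflow this keeps the dependency step quiet while making the audit step the single, explicit place where a build fails on a vulnerable dependency.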
