Prevent audits breaking builds

Composer 2.4.0 introduced a new "Audit" feature, which will run automatically on any composer update, require, remove and create-project. This audit feature may break builds when security vulnerabilities are found.

The audit feature can be disabled using the --no-audit option, or as of Composer 2.4.1, using the new COMPOSER_NO_AUDIT env variable.

As composer-install already automatically applies typical options like --no-interaction, I was wondering if the --no-audit option should be added to that list of options which are automatically applied. What do you think?

Refs:
--no-audit: composer/composer#10998
setup-php

Alternatives

Rely on people adding the --no-audit flag manually to the composer-options in all their CI scripts.

I am not sure what the best default is here tbh. Just to be clear though:

During updates the audit will simply output some warning but not fail the build if there is a known vulnerability found.
If you simply run install no audit is done by default.
If you want to fail the build in case vulns are found, then you kinda need to explicitly call the audit command, in which case disabling the auto-audit on update may make sense.
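As an added example (not code from the issue or from the composer-install project), a GitHub Actions job that applies the approach discussed above: pass --no-audit through composer-options so dependency installation never fails because of an advisory, then run composer audit as its own step so the build still fails deliberately when a known vulnerability is found. The action versions and PHP version are assumptions.

```yaml
# Added example, not the composer-install project's own workflow.
name: ci
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed PHP version; any Composer 2.4+ would do for the audit command.
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          tools: composer:v2

      # Installation step: --no-audit keeps the automatic audit from running
      # here, so this step only decides whether dependencies could be installed.
      # Equivalent alternative (Composer 2.4.1+): set env COMPOSER_NO_AUDIT: 1
      # on this step instead of passing the flag.
      - uses: ramsey/composer-install@v2
        with:
          composer-options: "--no-audit"

      # Explicit audit step: this is the single place where the job decides on
      # known vulnerabilities. composer audit exits non-zero when an installed
      # package matches a published advisory, so the failure is visible and
      # attributable to the audit rather than to the install.
      - name: Audit dependencies for known vulnerabilities
        run: composer audit
```

Keeping the audit as a separate step also means a failed audit appears under its own step name in the job log, which is easier to triage than an install step that fails for mixed reasons.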