
Added additional advisories to composer-audit-ignore action#101

Merged
Steveb-p merged 2 commits into
mainfrom
new-twig-advisories
May 29, 2026

Conversation

@Steveb-p
Contributor

🎫 Issue N/A

Description:

In this environment (PHP 7.4), you are running Composer version 2.9.1.

• Starting with Composer 2.9, automatic blocking of insecure packages (audit.block-insecure) is enabled by default. This means Composer completely excludes any package version affected by known security advisories from the pool of satisfiable versions.
• twig/twig v3.11.3 (and all earlier versions compatible with PHP 7.4) has several open security advisories (e.g., PKSA-fbvq-z33h-r2np, PKSA-g9zw-qxh8-pq8w, etc.). As a result, Composer filters them out and refuses to load them.
• Because the older versions are blocked, the only versions of twig/twig that Composer considers are the newer, secure versions (such as v3.27.0 / v3.27.0-dev).
• However, these newer versions require php >=8.1.0, which conflicts with the PHP 7.4 version configured in your environment.
──────

2. Solutions

To allow the installation of twig/twig 3.11 (or lower) under PHP 7.4, you have three options:

Option A: Disable insecure package blocking (Recommended)

You can disable Composer's automatic blocking of insecure packages by adding the audit.block-insecure setting to your composer.json:

    "config": {
        "allow-plugins": false,
        "audit": {
            "block-insecure": false
        }
    }

Disabling this setting allows twig/twig to resolve to v3.11.3 and successfully updates all dependencies (as verified by a dry-run check).

Option B: Ignore specific security advisories

If you only want to bypass blocking for these specific twig/twig advisories, you can ignore them in your composer.json:

    "config": {
        "allow-plugins": false,
        "audit": {
            "ignore": [
                "PKSA-fbvq-z33h-r2np",
                "PKSA-g9zw-qxh8-pq8w",
                "PKSA-yd6k-t2gh-1m43",
                "PKSA-1tmc-rt7x-12w6",
                "PKSA-xx6c-6d96-db2w",
                "PKSA-sjvz-tbbr-vwth",
                "PKSA-h8hf-ytnd-5t9q",
                "PKSA-wwb1-81rc-pd65",
                "PKSA-kvv6-36cr-fkzb",
                "PKSA-n14z-jjjg-g8vd",
                "PKSA-3mcc-k66d-pydb",
                "PKSA-gw7n-z4yx-7xjt",
                "PKSA-dpx1-78wg-1kqs",
                "PKSA-21g2-dzjv-sky5"
            ]
        }
    }

For QA:

Documentation:
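The two options in the description differ in scope: Option A turns advisory blocking off for every package in the project, while Option B only exempts the listed advisory IDs. The script below is an added example, not code from this repository or from Composer, of a CI-side policy gate that enforces the narrower form: it reads `config.audit` from a composer.json document, rejects a global `block-insecure: false`, and requires every ignored advisory to appear in a reviewed allowlist with a reason and a review deadline, so that exceptions cannot accumulate silently. The allowlist layout, the sample documents, the `check_audit_config` / `ignored_advisories` names and the dates are all assumptions constructed for this example; so is the handling of `audit.ignore` as an object mapping advisory ID to reason, which newer Composer releases accept (verify against the Composer version you run).

```python
"""Policy gate for Composer audit exceptions in composer.json (added example,
not code from this repository or from Composer). It rejects a global
block-insecure=false and requires every ignored advisory to be in a reviewed
allowlist with a reason and a review deadline. The allowlist layout, the
sample documents and the dates are assumptions constructed for this example."""
import json
import re
from datetime import date

# Identifier shapes accepted in audit.ignore (assumption: Packagist PKSA-*,
# CVE-* and GitHub GHSA-* IDs); anything else is reported as unrecognised.
ADVISORY_ID = re.compile(
    r"^(PKSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}"
    r"|CVE-\d{4}-\d{4,}"
    r"|GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4})$"
)

# Reviewed exceptions (constructed sample): advisory -> why it is accepted and
# the date by which it must be re-justified or dropped.
ALLOWLIST = {
    "PKSA-fbvq-z33h-r2np": {
        "reason": "twig/twig > 3.11 requires PHP >= 8.1; affected feature not used",
        "review_by": "2026-09-30",
    },
    "PKSA-g9zw-qxh8-pq8w": {
        "reason": "twig/twig > 3.11 requires PHP >= 8.1; affected feature not used",
        "review_by": "2026-09-30",
    },
}


def ignored_advisories(audit_cfg):
    """Return the ignore list as {advisory_id: inline_reason_or_None}.
    audit.ignore is read either as an array of IDs or (assumption: newer
    Composer releases) as an object mapping ID to a reason string."""
    ignore = audit_cfg.get("ignore", [])
    if isinstance(ignore, dict):
        return dict(ignore)
    return {advisory_id: None for advisory_id in ignore}


def check_audit_config(composer_json, allowlist=ALLOWLIST, today=None):
    """Return the list of policy violations for a composer.json document;
    an empty list means the audit configuration passes. `today` may be a
    date or an ISO-8601 string (defaults to the current date)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    audit_cfg = json.loads(composer_json).get("config", {}).get("audit", {})
    problems = []

    # Option A in the description: switches blocking off for every package,
    # not just the ones that were actually reviewed.
    if audit_cfg.get("block-insecure") is False:
        problems.append(
            "audit.block-insecure=false disables advisory blocking globally; "
            "scope exceptions with audit.ignore instead"
        )

    for advisory_id, inline_reason in ignored_advisories(audit_cfg).items():
        if not ADVISORY_ID.match(advisory_id):
            problems.append(f"{advisory_id}: not a recognised advisory identifier")
            continue
        entry = allowlist.get(advisory_id)
        if entry is None:
            problems.append(f"{advisory_id}: ignored but not in the reviewed allowlist")
            continue
        if date.fromisoformat(entry["review_by"]) < today:
            problems.append(f"{advisory_id}: exception expired on {entry['review_by']}")
        if inline_reason is not None and not str(inline_reason).strip():
            problems.append(f"{advisory_id}: object-form ignore entry has an empty reason")
    return problems


# Constructed sample documents mirroring the two options in the description.
OPTION_A = json.dumps({"config": {"allow-plugins": False,
                                  "audit": {"block-insecure": False}}})
OPTION_B = json.dumps({"config": {"allow-plugins": False,
                                  "audit": {"ignore": ["PKSA-fbvq-z33h-r2np",
                                                       "PKSA-g9zw-qxh8-pq8w",
                                                       "PKSA-yd6k-t2gh-1m43"]}}})
REVIEWED = json.dumps({"config": {"audit": {"ignore": {
    "PKSA-fbvq-z33h-r2np": "twig upgrade blocked by PHP 7.4, tracked in ticket"}}}})

if __name__ == "__main__":
    for name, doc in ("option A", OPTION_A), ("option B", OPTION_B), ("reviewed", REVIEWED):
        print(name, check_audit_config(doc, today="2026-06-01") or "OK")
```

Run it from CI with the real composer.json and fail the job on a non-empty result; the `review_by` dates force each exception to be revisited once the PHP 8.1 upgrade that unblocks twig/twig is feasible, rather than living forever in the ignore list.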

@sonarqubecloud

@Steveb-p Steveb-p merged commit 7fe2100 into main May 29, 2026
2 checks passed
@Steveb-p Steveb-p deleted the new-twig-advisories branch May 29, 2026 12:18