[UPMERGE] 1.0 -> 1.1 #412
Merged
- Add comprehensive CVE ignore list to composer.json (API Platform, Twig, Symfony)
- Create AUDIT-IGNORE.md with detailed CVE documentation
- Replace symfony security:check with composer audit --locked --abandoned=ignore

The symfony security:check command doesn't respect composer.json ignore configuration, causing CI failures despite CVE advisories being intentionally ignored. Switching to composer audit ensures the ignore list is properly respected.

Following patterns from:
- Sylius/Sylius#18553
- Sylius/Sylius#18549
- Sylius/AdyenPlugin#172
| Q | A |
|-----------------|-----|
| Branch? | 1.0 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Related tickets | |
| License | MIT |

## Summary

Fix CI build by adding CVE filtering to composer audit ignore list and updating security check workflow.

## Changes

1. **composer.json** - Added CVE advisories to `config.audit.ignore`:
   - `PKSA-gs8r-6kz6-pp56` (api-platform/core CVE-2025-31485)
   - `PKSA-gnn4-pxdg-q76m` (api-platform/core CVE-2025-31481)
   - `PKSA-yhcn-xrg3-68b1` (twig/twig CVE-2024-45411)
   - `PKSA-2wrf-1xmk-1pky` (twig/twig CVE-2024-51755)
   - `PKSA-365x-2zjk-pt47` (symfony/http-foundation CVE-2025-64500)
2. **AUDIT-IGNORE.md** - Created documentation file explaining why each CVE is ignored (following pattern from Sylius/Sylius#18553)
3. **build.yaml** - Changed security check command from `symfony security:check` to `composer audit --locked --abandoned=ignore`

## Why switch from `symfony security:check` to `composer audit`?

**Official Symfony documentation recommends `composer audit` for CI:**

> "In continuous integration services you can check security vulnerabilities by running the `composer audit` command."
>
> Source: https://symfony.com/doc/current/setup.html#checking-security-vulnerabilities

**Key advantages:**

- ✅ `composer audit` respects ignore configuration in `composer.json`
- ✅ Built into Composer 2.4+ - no need to install Symfony CLI in CI
- ✅ Allows selective ignoring of specific CVEs with justification
- ❌ `symfony security:check` has NO support for ignore configuration
- ❌ Would require `continue-on-error: true` (ignores ALL errors, not just known CVEs)

Following the same approach as:
- Sylius/Sylius#18553
- Sylius/Sylius#18549
- Sylius/AdyenPlugin#172
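For readers who want to see the shape of the `config.audit.ignore` setting the PR description refers to, here is a minimal composer.json illustrating it. This is an added example, not a file from this PR or from the Sylius/InvoicingPlugin repository: the package name is a placeholder, the `require` entries are only there to make the fragment a plausible project file, and the advisory identifiers are the five listed in the PR. Composer's `audit` command reads this list; per the PR, `symfony security:check` does not.

```json
{
    "name": "acme/example-project",
    "description": "Placeholder project showing the composer audit ignore list (added example, not the plugin's composer.json)",
    "type": "project",
    "license": "MIT",
    "require": {
        "php": "^8.2",
        "api-platform/core": "*",
        "twig/twig": "*",
        "symfony/http-foundation": "*"
    },
    "config": {
        "audit": {
            "ignore": [
                "PKSA-gs8r-6kz6-pp56",
                "PKSA-gnn4-pxdg-q76m",
                "PKSA-yhcn-xrg3-68b1",
                "PKSA-2wrf-1xmk-1pky",
                "PKSA-365x-2zjk-pt47"
            ]
        }
    }
}
```

With this in place, `composer audit --locked` audits the packages pinned in composer.lock and exits non-zero only for advisories that are not in the ignore list, which is what lets the CI step fail on genuinely new findings while tolerating the reviewed ones; `--abandoned=ignore` additionally keeps reports about abandoned packages from failing the run. Because each ignored identifier is an accepted risk rather than a fixed one, keeping the justification beside the list (the PR does this in AUDIT-IGNORE.md) and removing entries once the affected packages are upgraded is what keeps the list honest.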
Rafikooo
approved these changes
Nov 20, 2025
This PR has been generated automatically.
For more details see upmerge_pr.yaml.
Remember! The upmerge should always be merged using the "Merge pull request" button. In case of conflicts, please resolve them manually using the following commands:
If you use another name for the upstream remote, please replace `upstream` with the name of your remote pointing to the Sylius/InvoicingPlugin repository. Once the conflicts are resolved, please run `git merge --continue` and push the changes to this PR.