Document Composer 2.9's security constraints #9911

@stevector

As of Composer 2.9

Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating to vulnerable package versions. You can configure this behavior via the new audit.block-insecure config settings if needed.

We should update some section of our documentation to draw attention to the workaround for those who need it:

This can be added to composer.json:

"config": {
  "audit": {
    "block-insecure": false
  }
}

This question was tracked internally as https://getpantheon.atlassian.net/browse/BUGS-10681
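
An added example, not part of the issue and not code from Composer or Pantheon: a Python check that walks a directory tree and reports which project-level composer.json files set audit.block-insecure to false, so that use of the workaround stays visible in review or CI. The function names, state labels and sample document are assumptions made for this example, and only project composer.json files are inspected, not any other place Composer reads configuration from.

```python
import json
import os
import sys

SKIP_DIRS = {"vendor", "node_modules", ".git"}  # dependency trees are not project config

# Constructed sample: the workaround from the issue as a complete JSON document.
SAMPLE_WORKAROUND = '{"config": {"audit": {"block-insecure": false}}}'


def block_insecure_state(composer_json_text):
    """Classify the audit.block-insecure setting of one composer.json document."""
    try:
        doc = json.loads(composer_json_text)
    except json.JSONDecodeError:
        return "invalid-json"
    if not isinstance(doc, dict):
        return "invalid-json"
    config = doc.get("config")
    audit = config.get("audit") if isinstance(config, dict) else None
    if not isinstance(audit, dict) or "block-insecure" not in audit:
        return "default"  # setting absent: blocking is on by default per the issue text
    value = audit["block-insecure"]
    if value is False:
        return "disabled"
    if value is True:
        return "enabled"
    return "unexpected-value"  # neither true nor false: needs a human look


def scan_tree(root):
    """Return {relative path: state} for each composer.json under root."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        if "composer.json" in filenames:
            path = os.path.join(dirpath, "composer.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.relpath(path, root)] = block_insecure_state(fh.read())
    return results


def disabled_projects(results):
    """Paths whose composer.json turns the protection off explicitly."""
    return sorted(path for path, state in results.items() if state == "disabled")


if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, state in sorted(found.items()):
        print(f"{state:18} {path}")
    sys.exit(1 if disabled_projects(found) else 0)
```

Run against a checkout, the script exits non-zero when any project has disabled the protection, which makes it usable as a CI gate.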

Labels: Topic: Code Structure (Related to Upstreams and other code structure details); Type: New Content (Request for or PR containing new content to existing page)
