Skip to content

Fix composer advisory install-block breaking 7.3/7.4 mess-detector & phpstan builds#168

Open
kapilpandya22 wants to merge 1 commit into
extdn:masterfrom
kapilpandya22:master
Open

Fix composer advisory install-block breaking 7.3/7.4 mess-detector & phpstan builds#168
kapilpandya22 wants to merge 1 commit into
extdn:masterfrom
kapilpandya22:master

Conversation

@kapilpandya22

Copy link
Copy Markdown
Contributor

Problem

Build and deploy fails for the PHP 7.3 (and 7.4) magento-mess-detector
and magento-phpstan images at the composer install --prefer-dist step:

  • magento/product-community-edition requires guzzlehttp/guzzle ^6.3.3,
    but all 6.x versions are flagged by security advisories and get dropped.
  • magento/magento2-functional-testing-framework ^3.0 requires
    spomky-labs/otphp ^10.0, which is likewise dropped; the resolver then
    falls through to newer MFTF versions that require PHP > 7.4.

Root cause: Composer 2.7+ enables policy.advisories.block by default,
which refuses to install advisory-affected packages. The audit.ignore
config already present only applies to composer audit, not to install.

Fix

Add RUN composer config policy.advisories.block false before
composer install in the four affected Dockerfiles:

Root cause: Composer 2.7+ enables policy.advisories.block by default,
which refuses to install advisory-affected packages. The audit.ignore
config already present only applies to composer audit, not to install.

Fix

Add RUN composer config policy.advisories.block false before
composer install in the four affected Dockerfiles:

  • magento-mess-detector/Dockerfile:7.3
  • magento-mess-detector/Dockerfile:7.4
  • magento-phpstan/Dockerfile:7.3
  • magento-phpstan/Dockerfile:7.4

These are CI static-analysis images built against a pinned, legacy Magento
tree, so install-time advisory blocking adds no value here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant