author: nsfisis <nsfisis@gmail.com> 2026-05-03 22:47:33 +0900
committer: nsfisis <nsfisis@gmail.com> 2026-05-03 22:47:33 +0900
commit: 2b48ae7bcf857bc35de95968513750c2d6e6de7b (patch)
tree: 3b76b3e3b673c5f4e8fbd20775e35d062e73b1f7 /crates/mozart/tests
parent: cccdce42f6eb5c21179bf7b2fbd482a7d29c3b9d (diff)
download: php-mozart-2b48ae7bcf857bc35de95968513750c2d6e6de7b.tar.gz
php-mozart-2b48ae7bcf857bc35de95968513750c2d6e6de7b.tar.zst
php-mozart-2b48ae7bcf857bc35de95968513750c2d6e6de7b.zip
fix(resolver): honor config.audit.block-insecure security-advisory filter

Mozart silently ignored the `security-advisories` block on inline `type: package` repositories and the `config.audit.block-insecure` audit flag, so a `composer update` succeeded with packages a Composer run would have refused to load.

Mirror Composer's `SecurityAdvisoryPoolFilter` for the slice that feeds the pool:

- Plumb a `security-advisories` field through `RawRepository` and a `block_insecure` flag through `ResolveRequest`, lifted off `composer.json`'s `config.audit.block-insecure`.
- Collect every advisory's `affectedVersions` constraint at resolve time. When `block_insecure` is set and an inline package's normalized version satisfies the constraint, drop it from the pool before solving — root requires with no unaffected candidate then fail with the standard "could not be resolved" error.
Diffstat (limited to 'crates/mozart/tests')
-rw-r--r-- crates/mozart/tests/installer.rs 12
1 files changed, 3 insertions, 9 deletions
diff --git a/crates/mozart/tests/installer.rs b/crates/mozart/tests/installer.rs
index f304b72..198dd9f 100644
--- a/crates/mozart/tests/installer.rs
+++ b/crates/mozart/tests/installer.rs
@@ -294,10 +294,7 @@ installer_fixture!(partial_update_keeps_older_dep_if_still_required);
installer_fixture!(partial_update_keeps_older_dep_if_still_required_with_provide);
installer_fixture!(partial_update_loads_root_aliases_for_path_repos, ignore);
installer_fixture!(partial_update_security_advisory_matching_locked_dep);
-installer_fixture!(
- partial_update_security_advisory_matching_locked_dep_with_dependencies,
- ignore
-);
+installer_fixture!(partial_update_security_advisory_matching_locked_dep_with_dependencies);
installer_fixture!(partial_update_with_dependencies_provide);
installer_fixture!(partial_update_with_dependencies_replace);
installer_fixture!(partial_update_with_deps_warns_root);
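Review bot: the fixture un-ignored here, `partial_update_security_advisory_matching_locked_dep_with_dependencies`, is about a locked dependency during a partial update, but the commit message only describes dropping inline packages from the pool before solving. Please say in the commit message, or in a short comment next to this macro call, how a locked version that matches an advisory is treated when it is not in the update allow-list, so that the reason this fixture now passes is recorded alongside the change.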
@@ -402,11 +399,8 @@ installer_fixture!(update_reference);
installer_fixture!(update_reference_picks_latest);
installer_fixture!(update_removes_unused_locked_dep);
installer_fixture!(update_requiring_decision_reverts_and_learning_positive_literals);
-installer_fixture!(update_security_advisory_matching_direct_dependency, ignore);
-installer_fixture!(
- update_security_advisory_matching_indirect_dependency,
- ignore
-);
+installer_fixture!(update_security_advisory_matching_direct_dependency);
+installer_fixture!(update_security_advisory_matching_indirect_dependency);
installer_fixture!(update_syncs_outdated);
installer_fixture!(update_to_empty_from_blank);
installer_fixture!(update_to_empty_from_locked);
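Review bot: both fixtures enabled in this hunk, `update_security_advisory_matching_direct_dependency` and `update_security_advisory_matching_indirect_dependency`, are named for the blocking path only; nothing visible here pins the behaviour when `config.audit.block-insecure` is off. Since the commit message makes the pool filter conditional on `block_insecure`, consider adding a fixture where an affected version still resolves with the flag disabled, so a later refactor cannot make the filter unconditional (or a no-op) without a test failing.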