From 2b48ae7bcf857bc35de95968513750c2d6e6de7b Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Sun, 3 May 2026 22:47:33 +0900
Subject: fix(resolver): honor config.audit.block-insecure security-advisory filter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mozart silently ignored the `security-advisories` block on inline `type: package` repositories and the `config.audit.block-insecure` audit flag, so a `composer update` succeeded with packages a Composer run would have refused to load.

Mirror Composer's `SecurityAdvisoryPoolFilter` for the slice that feeds the pool:

- Plumb a `security-advisories` field through `RawRepository` and a `block_insecure` flag through `ResolveRequest`, lifted off `composer.json`'s `config.audit.block-insecure`.
- Collect every advisory's `affectedVersions` constraint at resolve time. When `block_insecure` is set and an inline package's normalized version satisfies the constraint, drop it from the pool before solving — root requires with no unaffected candidate then fail with the standard "could not be resolved" error.
---
 crates/mozart-core/src/package.rs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'crates/mozart-core/src/package.rs')

diff --git a/crates/mozart-core/src/package.rs b/crates/mozart-core/src/package.rs
index 0a5c0fb..18714ec 100644
--- a/crates/mozart-core/src/package.rs
+++ b/crates/mozart-core/src/package.rs
@@ -566,6 +566,19 @@ pub struct RawRepository {
     /// `FilterRepository::loadPackages`'s `namesFound = []` reset.
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub canonical: Option,
+
+    /// Inline `security-advisories` block on a repository entry. Maps package
+    /// name → list of advisory objects whose `affectedVersions` constraint
+    /// (and `advisoryId`) is read by the resolver when
+    /// `config.audit.block-insecure` is set: matching versions are filtered
+    /// out of the pool before solving, mirroring Composer's
+    /// `SecurityAdvisoryPoolFilter`.
+    #[serde(
+        rename = "security-advisories",
+        default,
+        skip_serializing_if = "Option::is_none"
+    )]
+    pub security_advisories: Option,
 }
 
 /// Default root-package name when `composer.json` omits the `name` field.
@@ -677,6 +690,7 @@ mod tests {
             only: None,
             exclude: None,
             canonical: None,
+            security_advisories: None,
         }];
 
         let mut psr4 = BTreeMap::new();
--
cgit v1.3.1
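Review bot: The doc comment on the new `security_advisories` field in the first hunk leaves the failure mode unstated: an advisory whose `affectedVersions` is missing, empty, or does not parse as a version constraint could either drop every version of the package (fail closed) or match nothing (fail open), and the fail-open reading silently reproduces the bug this commit is fixing. Since this field is where a reader of `package.rs` learns the contract, it should say which policy the resolver applies, e.g. `/// An advisory whose \`affectedVersions\` is absent or unparseable is treated as matching every version (fail closed) rather than silently disabling the filter.`, adjusted to whatever the resolver actually does — I cannot see that code from this file. The comment also mentions `advisoryId` without saying what the resolver reads it for; if it feeds an ignore list (Composer's `config.audit.ignore`) or the "could not be resolved" diagnostic, state that, otherwise drop the parenthetical. `RawRepository` begins before the hunk, so I could not check whether a sibling field already documents the shape of the advisory objects this `Option` wraps.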