From d554b62e1b578a88b796f34e6eb82b5c452cd785 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sun, 3 May 2026 19:28:56 +0900
Subject: feat(resolver): honour audit.block-abandoned config

Read `config.audit.block-abandoned` from composer.json (defaults to
false) and propagate it to the resolver. When set, the pool builder
skips packages whose `abandoned` field is truthy (`true` or a non-empty
replacement string), matching `SecurityAdvisoryPoolFilter`'s behavior in
`Composer\DependencyResolver`. With no candidates left, a root require
that only matches abandoned versions fails resolution with exit 2.
---
 crates/mozart-registry/src/lockfile.rs | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'crates/mozart-registry/src/lockfile.rs')

diff --git a/crates/mozart-registry/src/lockfile.rs b/crates/mozart-registry/src/lockfile.rs
index 3fc8fad..5e07e9d 100644
--- a/crates/mozart-registry/src/lockfile.rs
+++ b/crates/mozart-registry/src/lockfile.rs
@@ -1092,6 +1092,7 @@ mod tests {
             extra: Some(serde_json::json!({"branch-alias": {"dev-main": "1.0.x-dev"}})),
             notification_url: Some("https://packagist.org/downloads/".to_string()),
             default_branch: false,
+            abandoned: None,
         }
     }
 
@@ -1167,6 +1168,7 @@ mod tests {
             extra: None,
             notification_url: None,
             default_branch: false,
+            abandoned: None,
         };
 
         let locked = packagist_version_to_locked_package("vendor/pkg", &pv);
@@ -1506,6 +1508,7 @@ mod tests {
             root_conflict: IndexMap::new(),
             locked_package_names: IndexSet::new(),
             locked_packages: Vec::new(),
+            block_abandoned: false,
         };
 
         let resolved = resolve(&resolve_request)
-- 
cgit v1.3.1