From d554b62e1b578a88b796f34e6eb82b5c452cd785 Mon Sep 17 00:00:00 2001
From: nsfisis <nsfisis@gmail.com>
Date: Sun, 3 May 2026 19:28:56 +0900
Subject: feat(resolver): honour audit.block-abandoned config

Read `config.audit.block-abandoned` from composer.json (defaults to
false) and propagate it to the resolver. When set, the pool builder
skips packages whose `abandoned` field is truthy (`true` or a non-empty
replacement string), matching `SecurityAdvisoryPoolFilter`'s behavior in
`Composer\DependencyResolver`. With no candidates left, a root require
that only matches abandoned versions fails resolution with exit 2.
---
 crates/mozart-registry/src/packagist.rs | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'crates/mozart-registry/src/packagist.rs')

diff --git a/crates/mozart-registry/src/packagist.rs b/crates/mozart-registry/src/packagist.rs
index 1d9356d..6b24589 100644
--- a/crates/mozart-registry/src/packagist.rs
+++ b/crates/mozart-registry/src/packagist.rs
@@ -135,6 +135,13 @@ pub struct PackagistVersion {
     /// `crate::resolver::packagist_to_pool_inputs`.
     #[serde(rename = "default-branch", default)]
     pub default_branch: bool,
+
+    /// Abandonment marker. Composer accepts `abandoned: true` (no replacement
+    /// suggested) or `abandoned: "<replacement-package>"`. Anything else
+    /// (absent, `false`, empty string) means the package is active. Mirrors
+    /// `Composer\Package\CompletePackage::isAbandoned`.
+    #[serde(default, deserialize_with = "deserialize_unset_as_none")]
+    pub abandoned: Option<serde_json::Value>,
 }
 
 impl PackagistVersion {
-- 
cgit v1.3.1