From 2b48ae7bcf857bc35de95968513750c2d6e6de7b Mon Sep 17 00:00:00 2001 From: nsfisis Date: Sun, 3 May 2026 22:47:33 +0900 Subject: fix(resolver): honor config.audit.block-insecure security-advisory filter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mozart silently ignored the `security-advisories` block on inline `type: package` repositories and the `config.audit.block-insecure` audit flag, so a `composer update` succeeded with packages a Composer run would have refused to load. Mirror Composer's `SecurityAdvisoryPoolFilter` for the slice that feeds the pool: - Plumb a `security-advisories` field through `RawRepository` and a `block_insecure` flag through `ResolveRequest`, lifted off `composer.json`'s `config.audit.block-insecure`. - Collect every advisory's `affectedVersions` constraint at resolve time. When `block_insecure` is set and an inline package's normalized version satisfies the constraint, drop it from the pool before solving — root requires with no unaffected candidate then fail with the standard "could not be resolved" error. --- crates/mozart/src/commands/create_project.rs | 1 + 1 file changed, 1 insertion(+) (limited to 'crates/mozart/src/commands/create_project.rs') diff --git a/crates/mozart/src/commands/create_project.rs b/crates/mozart/src/commands/create_project.rs index a7964ae..61cb886 100644 --- a/crates/mozart/src/commands/create_project.rs +++ b/crates/mozart/src/commands/create_project.rs @@ -445,6 +445,7 @@ pub async fn execute( block_abandoned: false, root_branch_alias: None, preferred_versions: indexmap::IndexMap::new(), + block_insecure: false, }; console.info("Resolving dependencies..."); -- cgit v1.3.1