From 2b48ae7bcf857bc35de95968513750c2d6e6de7b Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Sun, 3 May 2026 22:47:33 +0900
Subject: fix(resolver): honor config.audit.block-insecure security-advisory filter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mozart silently ignored the `security-advisories` block on inline `type: package` repositories and the `config.audit.block-insecure` audit flag, so a `composer update` succeeded with packages a Composer run would have refused to load. Mirror Composer's `SecurityAdvisoryPoolFilter` for the slice that feeds the pool:

- Plumb a `security-advisories` field through `RawRepository` and a `block_insecure` flag through `ResolveRequest`, lifted off `composer.json`'s `config.audit.block-insecure`.
- Collect every advisory's `affectedVersions` constraint at resolve time. When `block_insecure` is set and an inline package's normalized version satisfies the constraint, drop it from the pool before solving — root requires with no unaffected candidate then fail with the standard "could not be resolved" error.

---
crates/mozart/tests/installer.rs | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)

(limited to 'crates/mozart/tests')

diff --git a/crates/mozart/tests/installer.rs b/crates/mozart/tests/installer.rs
index f304b72..198dd9f 100644
--- a/crates/mozart/tests/installer.rs
+++ b/crates/mozart/tests/installer.rs
@@ -294,10 +294,7 @@ installer_fixture!(partial_update_keeps_older_dep_if_still_required); installer_fixture!(partial_update_keeps_older_dep_if_still_required_with_provide); installer_fixture!(partial_update_loads_root_aliases_for_path_repos, ignore); installer_fixture!(partial_update_security_advisory_matching_locked_dep); -installer_fixture!( - partial_update_security_advisory_matching_locked_dep_with_dependencies, - ignore -); +installer_fixture!(partial_update_security_advisory_matching_locked_dep_with_dependencies); installer_fixture!(partial_update_with_dependencies_provide); installer_fixture!(partial_update_with_dependencies_replace); installer_fixture!(partial_update_with_deps_warns_root); @@ -402,11 +399,8 @@ installer_fixture!(update_reference); installer_fixture!(update_reference_picks_latest); installer_fixture!(update_removes_unused_locked_dep); installer_fixture!(update_requiring_decision_reverts_and_learning_positive_literals); -installer_fixture!(update_security_advisory_matching_direct_dependency, ignore); -installer_fixture!( - update_security_advisory_matching_indirect_dependency, - ignore -); +installer_fixture!(update_security_advisory_matching_direct_dependency); +installer_fixture!(update_security_advisory_matching_indirect_dependency); installer_fixture!(update_syncs_outdated); installer_fixture!(update_to_empty_from_blank); installer_fixture!(update_to_empty_from_locked); -- cgit v1.3.1
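Review bot: The four fixtures un-ignored across both hunks all exercise the blocking path (an advisory that matches, judging by the `*_security_advisory_matching_*` names), and nothing enabled here pins the two fail-open conditions the new filter has to get right: that advisories are not applied when `config.audit.block-insecure` is unset, and that an `affectedVersions` constraint that fails to parse does not silently drop the advisory and let the package through. A regression that applies the filter unconditionally, or that swallows a constraint parse error, would pass every fixture in this list. I would add fixtures next to the enabled ones along the lines of `installer_fixture!(update_security_advisory_not_blocked_without_block_insecure);` and `installer_fixture!(update_security_advisory_malformed_affected_versions);`, the second asserting an explicit error rather than a successful resolve. The resolver change itself is outside this page (the listing is limited to `crates/mozart/tests`), so whether parse failures are currently treated as errors cannot be confirmed from here; if Composer's `SecurityAdvisoryPoolFilter` also honors `config.audit.ignore` (worth confirming), a fixture for an ignored advisory belongs in the same group so Mozart does not reject a package Composer would still load.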