
Composer update failing because of security advisory

Status: Open. RikvdHeijden opened this issue 1 week ago (2 comments)

Preconditions and environment

  • Mage-OS Magento version: <= 2.0.0
  • composer version >= 2.9.0

Steps to reproduce

Run composer update

Expected result

Mage-OS is updated.

Actual result

Composer outputs the message below:

    Your requirements could not be resolved to an installable set of packages.

      Problem 1
        - Root composer.json requires mage-os/product-community-edition 2.* -> satisfiable by mage-os/product-community-edition[2.0.0].
        - mage-os/product-community-edition 2.0.0 requires components/jquery 1.11.0 -> found components/jquery[1.11.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Additional information

This seems to be caused by the problems described in this Magento issue: https://github.com/magento/magento2/issues/34562, combined with the additional security audit logic added in Composer 2.9: https://blog.packagist.com/composer-2-9/. This should probably be fixed upstream, but rerunning these steps on a Magento installation didn't result in the same error for me (this might be user error), so the incentive to fix this might not be very high.

As the error implies, the workaround is pretty easy: adding the configuration below to my composer.json

    "config": {
      "audit": {
        "ignore": ["PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb", "PKSA-p8c4-fdq4-sycz", "PKSA-np3v-gp83-8hk7"]
      }
    }

got everything running again for me. But it seemed pertinent to at least document this for other people running into this same issue.

Release note

No response

Triage and priority

  • [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • [x] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • [x] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

RikvdHeijden, Nov 20 '25 09:11
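Added example (my own code, not from this issue, Mage-OS or Composer): a small Python helper that pulls the PKSA advisory IDs out of the resolver error quoted above and merges them into config.audit.ignore of a composer.json, deliberately without touching audit.block-insecure. Ignoring only the advisories Composer names keeps its gate active for every other package in the lock file, whereas "block-insecure": false switches the check off project-wide. The error text and the composer.json in the block are constructed samples; the handling of the object form of audit.ignore (advisory ID mapped to a reason string, which Composer accepts since 2.7) exists only so a file already in that shape is preserved rather than overwritten.

```python
import json
import re

# Composer identifies Packagist security advisories as PKSA-xxxx-xxxx-xxxx
# (lowercase letters and digits); that is the form quoted in the error above.
PKSA_RE = re.compile(r"PKSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

# Constructed sample: the resolver error from the issue, laid out as Composer prints it.
SAMPLE_ERROR = """
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires mage-os/product-community-edition 2.* -> satisfiable by mage-os/product-community-edition[2.0.0].
    - mage-os/product-community-edition 2.0.0 requires components/jquery 1.11.0 -> found components/jquery[1.11.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
"""

# Constructed sample root composer.json, reduced to the parts that matter here.
# It already ignores one of the two advisories, to show the merge is idempotent.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/mage-os-project",
  "require": {
    "mage-os/product-community-edition": "2.*"
  },
  "config": {
    "audit": {
      "ignore": ["PKSA-jvpv-pcrn-dfzc"]
    }
  }
}"""


def advisories_from_error(text: str) -> list:
    """Advisory IDs Composer names as blocking the install, deduplicated, in order of appearance."""
    found = []
    for adv in PKSA_RE.findall(text):
        if adv not in found:
            found.append(adv)
    return found


def add_audit_ignores(composer_json: str, advisories: list) -> dict:
    """Merge advisory IDs into config.audit.ignore and return the updated composer.json as a dict.

    audit.block-insecure is never written: the point of a targeted ignore list is that
    Composer keeps refusing every advisory that is not explicitly listed.
    """
    data = json.loads(composer_json)
    audit = data.setdefault("config", {}).setdefault("audit", {})
    existing = audit.get("ignore", [])
    if isinstance(existing, dict):
        # Object form (advisory ID -> reason string): keep the reasons already recorded
        # and add a placeholder reason for the new IDs so someone reviews them later.
        for adv in advisories:
            existing.setdefault(adv, "transitive dependency pinned upstream; review before release")
        audit["ignore"] = existing
    else:
        merged = list(existing)
        for adv in advisories:
            if adv not in merged:
                merged.append(adv)
        audit["ignore"] = merged
    return data


def audit_gate_enabled(data: dict) -> bool:
    """False only if the project opted out of blocking with "block-insecure": false."""
    return data.get("config", {}).get("audit", {}).get("block-insecure", True) is not False


def render(data: dict) -> str:
    """Serialise the updated composer.json with Composer's usual two-space indentation."""
    return json.dumps(data, indent=2) + "\n"


if __name__ == "__main__":
    ids = advisories_from_error(SAMPLE_ERROR)
    updated = add_audit_ignores(SAMPLE_COMPOSER_JSON, ids)
    print("ignoring:", ", ".join(ids))
    print("audit gate still enabled:", audit_gate_enabled(updated))
    print(render(updated))
```

In practice you would feed the script the real output of composer update, write render(...) back to composer.json, and re-run the update; anything beyond the two advisories Composer named is still blocked, which is the property you lose the moment "block-insecure" is set to false.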

Out of curiosity, have you tried this with Composer 2.9.2, as it contains this fix:

Fixed partial updates failing when another package in the lock file has a known security advisory (https://github.com/composer/composer/pull/12626)

Which may solve this issue?

hostep, Nov 20 '25 12:11

@hostep I still have this problem with Composer 2.9.2.

RikvdHeijden, Nov 20 '25 12:11

Thanks for reporting!

rhoerr, Nov 24 '25 18:11