
Link to Security Information Page when CVE found

Open shyim opened this issue 1 month ago • 2 comments

Is your feature request related to a problem? Please describe.

Right now, as a user, you get a message like this when you want to install a package with a CVE:

    - Root composer.json requires shopware/core 6.5.8.8 (exact version match: 6.5.8.8), found shopware/core[v6.5.8.8] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-w3qy-s9h7-2hqr", "PKSA-b824-t6kf-bqqz", "PKSA-6wp3-462p-vyty", "PKSA-h5dj-jyqc-4fjr", "PKSA-kypv-cx5n-qkc8", "PKSA-v415-g75g-bqsy", "PKSA-8vfm-96b7-t9nt", "PKSA-m54b-2v2z-x1bs", "PKSA-frt7-rv6d-9v53", "PKSA-dbxn-psgm-2qmr", "PKSA-k472-zz4q-rd5r", "PKSA-kt1g-n1g2-hzb4", "PKSA-wp2c-7yp8-5fvs", "PKSA-4spx-rq41-wk8h", "PKSA-6stq-czfs-1nvv") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

We would like to give users more information about what they can do, as a vendor.

Describe the solution you'd like

Allow linking to a Security Page in the vulnerable package:

    {
      "support": {
        "security-info": "foo.com"
      }
    }

(the key "security" is already assigned to the vulnerability disclosure policy: https://getcomposer.org/doc/04-schema.md#support)

And that page would also be shown to the user in the message, maybe like:

    To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    For more information about security vulnerabilities for this package visit: foo.com

Describe alternatives you've considered

Writing a Composer Plugin to show help information.

Additional context

We have an additional composer package, which patches CVEs. We would like to inform people about this.

shyim avatar Nov 24 '25 13:11 shyim
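For concreteness, here is what the consumer side of the message above looks like as configuration today. This is an added illustration, not code from the issue or from Composer itself; the project name `acme/shop` and the reason strings are placeholders, and only two of the fifteen advisory IDs quoted in the message are listed. The `audit` block lives under `config` in the root project's composer.json; Composer accepts `ignore` either as a plain list of IDs (the form the error message suggests) or, as shown here, as an object that records why each advisory is being ignored, which is the form a security reviewer will want to see in a code review.

```json
{
    "name": "acme/shop",
    "require": {
        "shopware/core": "6.5.8.8"
    },
    "config": {
        "audit": {
            "ignore": {
                "PKSA-w3qy-s9h7-2hqr": "Mitigated by the vendor's patch package; affected endpoint is also disabled",
                "PKSA-b824-t6kf-bqqz": "Affected code path is not reachable in this deployment; reviewed by security team"
            },
            "block-insecure": true
        }
    }
}
```

Keep `block-insecure` at `true` and enumerate the advisories you have actually assessed rather than setting it to `false`, which silences the check for every package and every future advisory. Every advisory listed in the message has to appear in `ignore` for the install of that exact version to proceed; a partial list still blocks it. The package author's side is separate: the existing `support.security` key from the schema page linked above goes in the vulnerable package's own composer.json (for example `"support": {"security": "https://example.com/security-policy"}`), and `example.com` here is likewise a placeholder.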

@shyim I don't get the whole thing about patching CVEs with a package... Why not tag patch releases with the fix so people can simply update? This seems very convoluted.

Seldaek avatar Dec 08 '25 09:12 Seldaek

Somewhat unrelated, but it made me realize we could link to advisory pages at least for packagist ones - https://github.com/composer/composer/pull/12665 now does that:


Anyway as for the issue here I am really not sure this makes sense.

Seldaek avatar Dec 08 '25 12:12 Seldaek