From b7c5fb135ad87360d3504592a7e33766dbd3a849 Mon Sep 17 00:00:00 2001 From: malberts Date: Thu, 21 May 2026 09:40:15 +0200 Subject: [PATCH] CI: disable Composer audit.block-insecure to ride out advisory waves MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three new symfony/yaml advisories landed on Packagist on 2026-05-20 (CVE-2026-45304, CVE-2026-45305, CVE-2026-45133), all flagging the exact symfony/yaml version pinned by every MediaWiki branch in the matrix (5.4.23 on REL1_39 through 5.4.45 on REL1_43, etc.). Composer's `audit.block-insecure` default refuses to load the flagged version, so `composer update` (and `composer install` inside installWiki.sh) fails for every PR. Disable `audit.block-insecure` globally before any composer step. Mirrors the upstream MediaWiki backport (Phabricator T416518, commit ef90ede), which set the same flag in mediawiki/core's composer.json on REL1_43+ and master — applied at the CI level here so it also covers EOL branches (REL1_39-REL1_42) that didn't receive the backport, and the installWiki.sh `composer install` path on cache miss (via shared ~/.composer/config.json). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8fe1ea1..df5ea06 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,6 +62,10 @@ jobs: extensions: mbstring, intl tools: composer + - name: Disable Composer block-insecure + working-directory: ~ + run: composer config --global audit.block-insecure false + - name: Cache MediaWiki id: cache-mediawiki uses: actions/cache@v4
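Review bot: the new step disables `audit.block-insecure` for every package on every branch, not only for the three symfony/yaml advisories that motivated it, so Composer will also stop refusing any future flagged dependency in this matrix. Consider scoping the exception instead with Composer's `audit.ignore` list in the same shared ~/.composer/config.json (the three CVE IDs named in the commit message), which keeps the block in place for everything else; if the global switch is kept, add a YAML comment on the step naming the advisories and the upstream backport (T416518) so the step gets revisited once a fixed symfony/yaml is pinned rather than outliving the advisory wave. Also, `composer config --global` writes the global config and does not depend on a composer.json in the current directory, so `working-directory: ~` looks unnecessary; confirm it is needed or drop it.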