Maniphest T416518

Disable Composer 2.9 functionality to randomly block existing configurations from working
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	taavi
	Wed, Feb 4, 7:58 PM

Tags

Referenced Files

None

Subscribers

Lucas_Werkmeister_WMDE

SomeRandomDeveloper

Description

Composer's new "block known-vulnerable dependencies" functionality has broken our CI pipelines and release artifacts several times since it was added quite recently:

T411006: Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt
T415723: CI blocked from installing phpunit by CVE-2026-24765
T416292: Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v (the same root-cause as T415723 above, but filed from a third-party perspective)
T415834: CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
T417722: php-jwt contains weak encryption

We already have processes to notice published vulnerabilities in our dependencies (namely, LibUp). So I propose we turn the composer functionality off.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Disable Composer audit.block-insecure option	mediawiki/core	master	+3 -0

Customize query in gerrit

Related Objects

Mentioned In: T415723: CI blocked from installing phpunit by CVE-2026-24765
T411006: Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt
Mentioned Here: T417722: php-jwt contains weak encryption
T411006: Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt
T415723: CI blocked from installing phpunit by CVE-2026-24765
T415834: CVE-2026-24739: Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
T416292: Building MediaWiki 1.43.6 fails due to phpunit security advisory PKSA-z3gr-8qht-p93v

Event Timeline

taavi created this task.Wed, Feb 4, 7:58 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptWed, Feb 4, 7:58 PM

Change #1236816 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/core@master] Disable Composer audit.block-insecure option

https://gerrit.wikimedia.org/r/1236816

gerritbot added a project: Patch-For-Review.Wed, Feb 4, 7:59 PM

taavi mentioned this in T411006: Composer 2.9 blocks LibUp js-yaml upgrade on release branch due to vulnerability in firebase/php-jwt.Wed, Feb 4, 7:59 PM

A_smart_kitten subscribed.Wed, Feb 4, 8:12 PM

SomeRandomDeveloper subscribed.Wed, Feb 4, 8:36 PM

RhinosF1 subscribed.Wed, Feb 4, 8:59 PM

Pskyechology subscribed.Wed, Feb 4, 9:05 PM

Reedy mentioned this in T415723: CI blocked from installing phpunit by CVE-2026-24765.Wed, Feb 11, 7:53 PM

A_smart_kitten updated the task description. (Show Details)Wed, Feb 18, 1:19 PM

A_smart_kitten added a project: Composer.

Lucas_Werkmeister_WMDE subscribed.Wed, Feb 18, 2:36 PM