
Composer update failing because of security advisory #178

@RikvdHeijden

Description

Preconditions and environment

  • Mage-OS Magento version: <= 2.0.0
  • composer version >= 2.9.0

Steps to reproduce

Run composer update

Expected result

Mage-OS is updated.

Actual result

Composer outputs the message below:

Your requirements could not be resolved to an installable set of packages.

Problem 1
- Root composer.json requires mage-os/product-community-edition 2.* -> satisfiable by mage-os/product-community-edition[2.0.0].
- mage-os/product-community-edition 2.0.0 requires components/jquery 1.11.0 -> found components/jquery[1.11.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Additional information

This seems to be caused by the problems described in this Magento issue: magento/magento2#34562, combined with the additional security audit logic added in Composer 2.9 (https://blog.packagist.com/composer-2-9/). This should probably be fixed upstream, but rerunning these steps on a Magento installation didn't result in the same error for me (this might be user error), so the incentive to fix this might not be very high.

As the error implies, the workaround is pretty easy: adding the configuration below to my composer.json

  "config": {
    "audit": {
      "ignore": ["PKSA-jvpv-pcrn-dfzc", "PKSA-jqsz-ykjr-qncb", "PKSA-p8c4-fdq4-sycz", "PKSA-np3v-gp83-8hk7"]
    }
  }

got everything running again for me. But it seemed pertinent to at least document this for other people running into the same issue.
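For the same workaround, here is an added example (not the issue author's configuration) of the narrower form a reviewer would prefer: leave `block-insecure` enabled so any new advisory still stops the install, and list only the four advisory IDs from this report, using the object form of `audit.ignore` so each suppression carries a reason that can be revisited. It assumes a Composer release recent enough to accept the object form (treat the minimum version as an assumption); the reason strings are constructed for illustration.

```json
{
  "config": {
    "audit": {
      "block-insecure": true,
      "ignore": {
        "PKSA-jvpv-pcrn-dfzc": "components/jquery 1.11.0 is pinned by mage-os/product-community-edition 2.0.0; see magento/magento2#34562",
        "PKSA-jqsz-ykjr-qncb": "components/jquery 1.11.0 is pinned by mage-os/product-community-edition 2.0.0; see magento/magento2#34562",
        "PKSA-p8c4-fdq4-sycz": "blocked update of mage-os/product-community-edition; remove once the upstream pin is lifted",
        "PKSA-np3v-gp83-8hk7": "blocked update of mage-os/product-community-edition; remove once the upstream pin is lifted"
      }
    }
  }
}
```

Setting `block-insecure` to false, the other option the error message offers, would silence every current and future advisory for the whole project, so scoping the exception to the named IDs keeps the audit useful for everything else.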

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
