Problem/Motivation

The upcoming composer release is going to cause problems for our test suite - see https://git.drupalcode.org/issue/drupal-3523596/-/jobs/7271837 and https://git.drupalcode.org/issue/drupal-3523596/-/jobs/7271767

  Problem 1                                                              
       ├     - Root composer.json requires drupal/core 9.8.0 (exact version match: 9.8.0 or 9.8.0.0), found drupal/core[9.8.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("SA-CORE-2024-001", "SA-CORE-2024-003", "SA-CORE-2024-004", "SA-CORE-2024-006", "SA-CORE-2024-007", "SA-CORE-2024-008", "SA-CORE-2025-001", "SA-CORE-2025-002", "SA-CORE-2025-003", "SA-CORE-2025-004", "SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Looks like a new security feature is coming.

Steps to reproduce

Run \Drupal\Tests\package_manager\Kernel\PhpTufValidatorTest or some of the build tests

Proposed resolution

TBD

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#55 3557585-nr-bot_rnpxae4b.txt91 bytesneeds-review-queue-bot

Issue fork drupal-3557585

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

alexpott created an issue. See original summary.

cilefen’s picture

cilefen commented

It is https://github.com/composer/composer/pull/11956.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Title: Tests using Composer (version 2.9.0-RC1) are failing » Update to Composer 2.9.0
Component: base system » composer
Priority: Normal » Critical

Given 2.9.0 is now out let's use this issue to do the upgrade in 11.x and fix the tests at the same time.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Active » Needs work

longwave opened merge request !13828

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Needs review

PhpTufValidatorTest passed locally, let's see what happens to everything else.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

@alexpott can you confirm the problem is gone for you on 2.9.0?

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

There's nothing in https://github.com/composer/composer/compare/2.9.0-RC1...2.9.0 that shows why this would have changed. I suspect that you did not actually upgrade the composer on your system and I suspect that our tests are using the system composer and not the composer we ship with.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Needs review » Needs work

Yep if I do composer self=update and run ./vendor/bin/phpunit core/modules/package_manager/tests/src/Kernel/PhpTufValidatorTest.php it fails.

So we need to fix both the test and the test infra where we are using the globally installed composer.

andypost’s picture

andypost
he/him
Primary language Russian
commented

Building CI PHP 8.4 dev image with composer 2.9 https://git.drupalcode.org/project/drupalci_environments/-/jobs/7277506

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

So locally

    // If we're looking for Composer, use the project's local copy if available.
    elseif ($name === 'composer') {
      $path = $this->getLocalComposerPath();

      if ($path && file_exists($path)) {
        return $path;
      }

in \Drupal\package_manager\ExecutableFinder so not result in using the local composer... because \Drupal\Composer\Plugin\VendorHardening\Config::$defaultConfig removes the composer bin by default.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

@andypost ideally we'd use the version core is shipping with once composer has done the initial install...

andypost opened merge request !13830

andypost changed the visibility of the branch 3557585-composer-2.9 to hidden.

andypost’s picture

andypost
he/him
Primary language Russian
commented

Created separate MR to try updated CI image with real composer 2.9.1

docker run --rm drupalci/php-8.4-ubuntu-apache:dev composer -V
Composer version 2.9.1 2025-11-13 16:10:38
PHP version 8.4.14 (/usr/local/bin/php)
Run the "diagnose" command to get more detailed diagnostics output.

andypost opened merge request !13831

andypost changed the visibility of the branch 3557585-composer-2.9 to hidden.

andypost changed the visibility of the branch 3557585-composer-2-9 to hidden.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

I can reproduce locally after upgrading Composer inside ddev.

I tried adding 'audit.block-insecure' => FALSE, to setUp() in the test but I get

  Setting audit.block-insecure does not exist or is not supported by this command

Might be worth waiting for https://github.com/composer/composer/issues/12607, if enabling COMPOSER_NO_AUDIT is respected then perhaps we do that for the purposes of the test.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented

Also opened https://github.com/composer/composer/issues/12611 as I don't see why composer config audit.block-insecure false isn't allowed if we are going to go down that route.

catch’s picture

catch
he/him
Primary language English
commented
Title: Update to Composer 2.9.0 » Update to Composer 2.9.1
andypost’s picture

andypost
he/him
Primary language Russian
commented

https://github.com/composer/composer/releases/tag/2.9.2 is tagged

building 8.4-dev image for it

andypost’s picture

andypost
he/him
Primary language Russian
commented
Title: Update to Composer 2.9.1 » Update to Composer 2.9.2
longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Needs review

PhpTufValidatorTest passes locally now we can reconfigure Composer to allow insecure packages.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

LGTM

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work

I agree with @andypost we shouldn't be changing the removal of the composer bin file here. I think we should open a follow-up issue work out how we can can this for tests.

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Needs review

Reverted the vendor hardening change, although I think if the image is on Composer 2.9.1 or lower then the audit.block-insecure part will fail now...

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs review » Needs work

Yep:

In ConfigCommand.php line 900:
                                                                               
  Setting audit.block-insecure does not exist or is not supported by this com  
  mand

longwave opened merge request !13950

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Status: Needs work » Needs review
smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

Appears to need rebase.

godotislate’s picture

godotislate
he/him
commented

Re #19:

Might be worth waiting for https://github.com/composer/composer/issues/12607, if enabling COMPOSER_NO_AUDIT is respected then perhaps we do that for the purposes of the test.

Instead of COMPOSER_NO_AUDIT, they introduced a new env COMPOSER_NO_SECURITY_BLOCKING or flag --no-security-blocking in Composer 2.9.2. Maybe using that would work?

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs work » Needs review

https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking looks needs to be added to ore/tests/Drupal/BuildTests/Composer/Component/ComponentsTaggedReleaseTest.php as test failed https://git.drupalcode.org/issue/drupal-3557585/-/jobs/7728580

godotislate’s picture

godotislate
he/him
commented
Status: Needs review » Reviewed & tested by the community

Tests are all passing on composer 2.9.2, so lgtm.

  • catch committed 7c692384 on 11.x 
    fix: #3557585 Update to Composer 2.9.2

By: alexpott
By: cilefen
By:...

  • catch committed ae0bb9c5 on 11.3.x 
    fix: #3557585 Update to Composer 2.9.2

By: alexpott
By: cilefen
By:...
catch’s picture

catch
he/him
Primary language English
commented
Version: 11.x-dev » 11.2.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Committed/pushed to 11.x and cherry-picked to 11.3.x, thanks!

Do we need to backport this more? I'm guessing yes so moving to 11.2 for now.

catch closed merge request !13828

andypost’s picture

andypost
he/him
Primary language Russian
commented

I think now I can upgrade composer in all (8.1-8.5) CI images and see later if older branches will start to fail

andypost’s picture

andypost
he/him
Primary language Russian
commented

Upgrade for composer and PHP is went in

godotislate’s picture

godotislate
he/him
commented

Do we need to backport this more?

Yeah, looks like 10.6.x and 10.5.x are failing as well.
https://git.drupalcode.org/project/drupal/-/jobs/7740931
https://git.drupalcode.org/project/drupal/-/jobs/7741745

dww made their first commit to this issue’s fork.

dww opened merge request !14168

dww’s picture

dww
we/he/they
commented
Version: 11.2.x-dev » 10.6.x-dev
Status: Patch (to be ported) » Needs review

Opened an MR for 10.6.x: https://git.drupalcode.org/project/drupal/-/merge_requests/14168
core/modules/package_manager/tests/src/Kernel/PhpTufValidatorTest.php only exists in 11.x.
But the fix for core/tests/Drupal/BuildTests/Composer/Component/ComponentsTaggedReleaseTest.php applied cleanly.
Let's see what the bot thinks at https://git.drupalcode.org/issue/drupal-3557585/-/pipelines/694106

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs review » Reviewed & tested by the community

Thanks good idea

dww’s picture

dww
we/he/they
commented

Hrm. The default pipeline passed, so I didn't break ComponentsTaggedReleaseTest. But it looks like the daily 10.6.x job only fails in here with the updated dependencies thing, since we're pinned to an earlier composer (I think). So I tried running the updated deps job manually. However, it fails with phpstan complaining about deprecated stuff from Twig and OpenTelemetry. It doesn't seem there's any way to move forward and have the actual tests run in this case. Seems fairly expected that phpstan will hit deprecation errors with updated dependencies. Can we change the phpstan job inside the updated deps part of the pipeline to allow failure and only warn on problems but not halt the entire pipeline?

dww’s picture

dww
we/he/they
commented

Okay, here's some progress to report. Reading through the core scheduled pipelines, looks like 10.6.x daily job is consistently failing with the PHP 8.4 configuration:

https://git.drupalcode.org/project/drupal/-/pipelines/693649
- PHP 8.4: https://git.drupalcode.org/project/drupal/-/pipelines/693679
- Build failure: https://git.drupalcode.org/project/drupal/-/jobs/7767121

So, I launched that same pipeline here:
https://git.drupalcode.org/issue/drupal-3557585/-/pipelines/694128
And the "Build" test is now passing:
https://git.drupalcode.org/issue/drupal-3557585/-/jobs/7773059

Therefore, even without resolving the "updated deps" vs. phpstan woes I mentioned in #46, I think it's safe to call this RTBC and commit the backport...

xjm’s picture

xjm
she/her
Primary language English
commented
Status: Reviewed & tested by the community » Needs work

Maintenance minor releases do receive dependency updates, so 10.6 should also actually update to 2.9.2 itself. This means it presumably also needs the hunk that the 11.x and 11.3 MRs had?

Also, it looks like things are being done out of order here -- this was moved to 10.6 before 11.2 was addressed, which is going to create confusion even though yes 10.6 is bugfix while 11.2 is security-only. Since composer/composer is still just a dev dependency, there is a strong case to be made that updating it for 11.2 (and 10.5) is not an issue and we should commit it there as well.

So, can we get 10.6 to update the dep, and can we get MRs for 11.2 and 10.5? The 11.2 MR should be RTBCed and committed first so that committers don't get totally confused.

Thanks!

xjm’s picture

xjm
she/her
Primary language English
commented
Title: Update to Composer 2.9.2 » [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9.2
Version: 10.6.x-dev » 11.2.x-dev

godotislate opened merge request !14223

godotislate opened merge request !14224

godotislate’s picture

godotislate
he/him
commented
Status: Needs work » Needs review

11.2.x MR: https://git.drupalcode.org/project/drupal/-/merge_requests/14223
10.6.x MR from #44: https://git.drupalcode.org/project/drupal/-/merge_requests/14168
10.5.x MR: https://git.drupalcode.org/project/drupal/-/merge_requests/14224

smustgrave’s picture

smustgrave commented

Are the changes for core/modules/package_manager/tests/src/Kernel/PhpTufValidatorTest.php not needed in 10.5 or 10.6?

godotislate’s picture

godotislate
he/him
commented

core/modules/package_manager/tests/src/Kernel/PhpTufValidatorTest.php only exists in the 11 branch. See #44.

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Needs review » Needs work
StatusFileSize
new 3557585-nr-bot_rnpxae4b.txt91 bytes

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

smustgrave’s picture

smustgrave commented
Status: Needs work » Needs review
Issue tags: +no-needs-review-bot
godotislate’s picture

godotislate
he/him
commented

I'm skeptical that there's a merge issue, but rebasing the 10.6 MR for bot this one time, but the bot can stay quiet from now on.

Oops cross-posted.

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

think it just gets confused because it doesn't apply to 11.x

But backport wise looks fine.

  • catch committed edb77460 on 11.2.x 
    task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9...

catch closed merge request !14223

  • catch committed e97dce6a on 10.6.x 
    task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9...

catch closed merge request !14168

andypost’s picture

andypost
he/him
Primary language Russian
commented

Sadly we need new issue to upgrade to 2.9.3 as it's a security upgrade https://getcomposer.org/changelog/2.9.3

  • catch committed fac4eabd on 10.5.x 
    task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9...
catch’s picture

catch
he/him
Primary language English
commented
Title: [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9.2 » Update to Composer 2.9.2
Version: 11.2.x-dev » 10.6.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed the backport MRs to 11.2.x, 10.6.x, and 10.5.x respectively, thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

catch closed merge request !14224

dww’s picture

dww
we/he/they
commented

Thanks for the commits!

Opened #3565943: [security hardening] Update composer to 2.9.3 for #63. Needs followup.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.