The behavior of --prefer-lowest to skip installation of insecure versions is correct and should remain.

To explain why, imagine there is CVE reported against an old version of a library you depend on. This vulnerability allows remote code execution when the library code is autoloaded in a way that is triggerable in GitHub actions. The library authors marked the version insecure and published a safe new version. Now your CI system with --prefer-lowest would continue to install the old vulnerable version and effectively allow third parties to execute code in your GitHub action. The only safe default is to prevent installation of such insecure versions by default.

Preventing the installation of these old versions should simply lead to a successful composer update that picks slightly newer versions, imitating what users of your library would end up with as well, since Composer would skip the insecure versions for them too. As per my other comment this behavior was broken in some cases, leading to errors rather than picking different versions, that should have been fixed in 80503cb.

The easiest solution generally would be to change your requirements to no longer accept the insecure versions.

That said, there may well be security vulnerabilities that would not be exploitable in the context of your library, and you may still want to perform tests against such versions in case users of yours still rely on these versions. So I think we should provide enough options for you to be able to explicitly allow specific CVEs/vuln ids to install as part of a --prefer-lowest command. Right now you can probably only accomplish this by using config audit ignore https://getcomposer.org/doc/06-config.md#abandoned which you could set temporarily with a config command before running the update prefer lowest. Maybe @Seldaek has ideas on how to make this particular scenario a bit easier to work with?