Audit JSON structure is not stable #12641
Description
The audit output produced by audit --format json does not have a predictable structure, as the arrays are being filtered somewhere in PHP the list of advisories can be an array or can be an object. The output you get looks like:
{
"advisories": {
"symfony/http-foundation": {
"0": {/* snip */},
"1": {/* snip */},
"3": {/* snip */},
"4": {/* snip */},
"5": {/* snip */},
"6": {/* snip */}
},
"symfony/validator": [
{/* snip */}
]
},
"abandoned": []
}Reproducer:
composer require 'symfony/http-foundation:3.2.*' --no-security-blocking
composer require 'symfony/validator:3.2.*' --no-security-blocking
composer audit --format json | jq '.advisories["symfony/http-foundation"]|type'
composer audit --format json | jq '.advisories["symfony/validator"]|type'My composer.json:
{
"require": {
"symfony/http-foundation": "3.2.*",
"symfony/validator": "3.2.*"
}
}Output of composer diagnose:
Composer version 2.9.2 2025-11-19 21:57:25
PHP version 8.4.15 (/usr/bin/php8.4)
When I run this command:
composer audit --format json | jq '.advisories["symfony/http-foundation"]|type'
I get the following output:
"object"
And I expected this to happen:
"array"