Composer 2.9 Security Blocking feature breaks previously working builds #12657

@marcaddeo

Description


My composer.json:

{
  "name": "marcaddeo/test",
  "require": {
    "enshrined/svg-sanitize": "0.20.0"
  }
}

Output of composer diagnose:

Composer could not detect the root package (marcaddeo/test) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
Checking platform settings: OK
Checking git settings: OK git version 2.46.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: OK
Composer version: 2.9.2
PHP version: 8.3.16
PHP binary path: /opt/homebrew/Cellar/php@8.3/8.3.16/bin/php
OpenSSL version: OpenSSL 3.4.0 22 Oct 2024
curl version: 8.11.1 libz 1.2.12 brotli brotli/1.1.0 zstd supported ssl OpenSSL/3.4.0 (SecureTransport) HTTP 1.0, 1.1, 2
zip: extension present, unzip present, 7-Zip not available

When I run this command:

composer install -vvv

I get the following output:

Running 2.9.2 (2025-11-19 21:57:25) with PHP 8.3.16 on Darwin / 24.6.0
Reading ./composer.json (/Users/maddeo/dev/test-composer/composer.json)
Loading config file ./composer.json (/Users/maddeo/dev/test-composer/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Executing command (/Users/maddeo/dev/test-composer): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/Users/maddeo/dev/test-composer): 'git' 'describe' '--exact-match' '--tags'
Executing command (/Users/maddeo/dev/test-composer): 'git' 'log' '--pretty=%H' '-n1' 'HEAD' '--no-show-signature'
Executing command (/Users/maddeo/dev/test-composer): 'hg' 'branch'
Executing command (/Users/maddeo/dev/test-composer): 'fossil' 'branch' 'list'
Executing command (/Users/maddeo/dev/test-composer): 'fossil' 'tag' 'list'
Executing command (/Users/maddeo/dev/test-composer): 'svn' 'info' '--xml'
Composer could not detect the root package (marcaddeo/test) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Reading /Users/maddeo/.composer/composer.json
Loading config file /Users/maddeo/.composer/composer.json (/Users/maddeo/.composer/composer.json)
Reading /Users/maddeo/.composer/vendor/composer/installed.json
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Reading /Users/maddeo/Library/Caches/composer/repo/https---repo.packagist.org/packages.json from cache
Downloading https://repo.packagist.org/packages.json if modified
[304] https://repo.packagist.org/packages.json
Reading /Users/maddeo/Library/Caches/composer/repo/https---repo.packagist.org/provider-enshrined~svg-sanitize.json from cache
Downloading https://repo.packagist.org/p2/enshrined/svg-sanitize.json if modified
[304] https://repo.packagist.org/p2/enshrined/svg-sanitize.json
Built pool.
Running security advisory pool filter.
Reading /Users/maddeo/Library/Caches/composer/repo/https---repo.packagist.org/provider-enshrined~svg-sanitize.json from cache
Security advisory pool filter completed in 0.001 seconds
Found 101 package versions referenced in your dependency graph. 1 (1%) were filtered away.
Running pool optimizer.
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Reading /Users/maddeo/Library/Caches/composer/repo/https---repo.packagist.org/provider-enshrined~svg-sanitize.json from cache
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires enshrined/svg-sanitize 0.20.0 (exact version match: 0.20.0 or 0.20.0.0), found enshrined/svg-sanitize[0.20.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-4g5g-4rkv-myqs") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

And I expected this to happen:

Previously, 2.8.x would install successfully. With the security blocking features added into 2.9.x, this no longer works.

Obviously this composer.json is just an example, but that was one of the dependencies that was causing this issue for our builds.

I think the security blocking feature is a good idea, but it feels like automatically enabling it in 2.9.x is a bit too aggressive. Composer was updated on our build systems (unbeknownst to us), so we had to track down and figure out why all of our working builds were suddenly failing even though there were no major version changes to anything.

We've now resolved our issues, but I think it would make more sense if this was opt-in in 2.9.x, and opt-out in 3.x.
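The error message above names two ways to get past the block. As an added example (not the reporter's composer.json and not Composer project code), this is the narrower of the two: the advisory id from the message is listed under config.audit.ignore, using the object form that records a reason per id, so the rest of the dependency graph stays protected. The reason text is a constructed placeholder.

```json
{
  "name": "marcaddeo/test",
  "require": {
    "enshrined/svg-sanitize": "0.20.0"
  },
  "config": {
    "audit": {
      "ignore": {
        "PKSA-4g5g-4rkv-myqs": "Accepted risk (constructed reason): upgrade of enshrined/svg-sanitize tracked separately"
      }
    }
  }
}
```

The other option from the message, setting "block-insecure" to false under "audit", restores the 2.8.x behaviour for every package at once, so it is the broader change and worth reserving for the case where a build must be unblocked before each advisory has been reviewed.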
