Fix root aliases causing problems when auditing locked dependencies, f…

…ixes #11771
composer · Feb 7, 2024 · 0c99bfc · 0c99bfc
1 parent fa04013
commit 0c99bfc
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/Composer/Repository/RepositorySet.php b/src/Composer/Repository/RepositorySet.php
@@ -30,6 +30,7 @@
 use Composer\Semver\Constraint\ConstraintInterface;
 use Composer\Package\Version\StabilityFilter;
 use Composer\Semver\Constraint\MatchAllConstraint;
+use Composer\Semver\Constraint\MultiConstraint;
 
 /**
  * @author Nils Adermann <naderman@naderman.de>
@@ -245,7 +246,15 @@ public function getMatchingSecurityAdvisories(array $packages, bool $allowPartia
     {
         $map = [];
         foreach ($packages as $package) {
-            $map[$package->getName()] = new Constraint('=', $package->getVersion());
+            // ignore root alias versions as they are not actual package versions and should not matter when it comes to vulnerabilities
+            if ($package instanceof AliasPackage && $package->isRootPackageAlias()) {
+                continue;
+            }
+            if (isset($map[$package->getName()])) {
+                $map[$package->getName()] = new MultiConstraint([new Constraint('=', $package->getVersion()), $map[$package->getName()]], false);
+            } else {
+                $map[$package->getName()] = new Constraint('=', $package->getVersion());
+            }
         }
 
         return $this->getSecurityAdvisoriesForConstraints($map, $allowPartialAdvisories);