composer audit used Composer version #11216
Comments
Should be doable as part of audit command for sure, I don't know if I would otherwise do it on every run, probably rather not.
To me, it would be better if
Doing a self audit as part of
If the project includes any dependencies on When I run
then I get the following output:
The behaviour is slightly confusing, because if I run
@malcomio yes indeed it checks the one in vendor as audit looks at the vendor dir only. So it still is good to report it in that case IMO. But anyway requiring composer is generally not a great idea, and something I discourage unless you have no other choice.
See #11761
Thanks - https://github.com/drupal/core-dev includes I've created https://www.drupal.org/project/drupal/issues/3412268 on that project with a link to this.
Now that Composer can audit a lock file, it would be helpful if Composer could check if the currently used Composer version is affected by any security advisories. This should make it more obvious to users in case they use a Composer version that has security issues.
Not quite sure whether this should happen as part of the regular `composer audit` functionality or whether this should happen in some other place.
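The kind of self-check requested above, as an added example that is not Composer's code and not part of the original issue: it takes a version banner and reports which advisories cover that version. The advisory records, their ids, the `affected` field name and the constraint syntax (`,` for AND, `|` for OR) are assumptions constructed for illustration.

```python
import re

# Constructed sample advisories (not real data). Field names and the
# constraint syntax (',' = AND, '|' = OR) are assumptions for this example.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "affected": ">=1.0,<1.4.7|>=2.0,<2.1.5"},
    {"id": "EXAMPLE-ADVISORY-2", "affected": ">=2.3,<2.3.2"},
]

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Extract (major, minor, patch) from a bare version or a
    'Composer version X.Y.Z ...' banner; stability suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def matches(version, constraint):
    """True if the version satisfies any '|' branch; every ','-separated
    comparison inside a branch must hold for that branch to match."""
    for branch in constraint.split("|"):
        ok = True
        for part in branch.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\d.]+)\s*", part)
            if not m:
                # Fail closed: an unparsed range must not read as "not affected".
                raise ValueError(f"unsupported constraint {part!r}")
            if not OPS[m.group(1)](version, parse_version(m.group(2))):
                ok = False
                break
        if ok:
            return True
    return False

def self_audit(banner, advisories=SAMPLE_ADVISORIES):
    """Return the ids of advisories whose range covers the running version."""
    version = parse_version(banner)
    return [a["id"] for a in advisories if matches(version, a["affected"])]

if __name__ == "__main__":
    # Constructed banner in the style printed by `composer --version`.
    print(self_audit("Composer version 2.1.4 2021-01-01 00:00:00"))
```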