Update with security advisories is failing since 2.6.0 with exit code 5

[mvorisek]

Composer version: 2.6.0

CI output: https://github.com/atk4/ui/actions/runs/6052592988/job/16426385347#step:7:331

What does exit code 5 mean?

Or is Found 9 security vulnerability advisories affecting 5 packages. info intended to return non-zero exit code?

[stof]

@Seldaek it looks like the exit code 5 added for cases of using composer install --audit gets applied also to update or require without any opt-in (see the comment on #11362). This looks like a bad implementation of the feature in #11362 as it impacts a lot more things.

[mvorisek]

Yes, #11362 should be reverted. And as non-latest deps are more or less expected to contain vulnerabilities, non-zero exit code should be returned only when --audit is passed explicitly.

[Seldaek]

I think the intent was sensible but yeah probably it applies to too many things right now. I fixed one in require already yesterday but I guess this'll need more fine tuning

[stof]

to me, composer update (and require and create-project similarly) should either run the auditor by default without failing or it should not run it by default. But changing the exit code without an opt-in looks wrong to me.
The PR implemented the exit code change any time the auditor was running, but only composer install has such an opt-in to run the auditor at all.

My own vote would even be to revert that. If a script wants to fail on audit failures, it would probably be a lot more understandable if this happens during composer audit

[Seldaek]

Fixed by #11616

[mvorisek]

please tag a new release, it is failing a lot of our CIs like https://github.com/atk4/ui/actions/runs/6063294764

[Seldaek]

Yeah please chill out I am here on Sunday trying to fix things.

[Seldaek]

This kind of comment just makes me want to close the laptop and go enjoy something else seriously..

[dkarlovi]

@mvorisek why do you need a new release to be cut just for your builds to pass? You can always not use the latest Composer immediately.