
composer install --audit does not exit non-zero if issues found #11357

Closed
dkarlovi opened this issue Mar 1, 2023 · 0 comments · Fixed by #11362

dkarlovi commented Mar 1, 2023

My composer.json:

{
    "require": {
        "symfony/http-kernel": "6.2.5"
    }
}

Output of composer diagnose:

Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.symfony/http-kernel : exact version constraints (6.2.5) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK git version 2.39.2
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Composer version: 2.5.4
PHP version: 8.2.3
PHP binary path: /usr/bin/php
OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
cURL version: 7.85.0 libz 1.2.12 ssl OpenSSL/3.0.8
zip: extension present, unzip present, 7-Zip not available

When I run this command:

$ composer install --audit -vvv && echo success || echo failure

I get the following output:

Running 2.5.4 (2023-02-15 13:10:06) with PHP 8.2.3 on Linux / 6.1.13-200.fc37.x86_64
Reading ./composer.json (/home/dkarlovi/Development/RandD/composer-audit/composer.json)
Loading config file /home/dkarlovi/.composer/config.json
Loading config file /home/dkarlovi/.composer/auth.json
Loading config file ./composer.json (/home/dkarlovi/Development/RandD/composer-audit/composer.json)
Checked CA file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: valid
Executing command (/home/dkarlovi/Development/RandD/composer-audit): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Failed to initialize global composer: Composer could not find the config file: /home/dkarlovi/.composer/composer.json

Reading ./composer.lock (/home/dkarlovi/Development/RandD/composer-audit/composer.lock)
Reading /home/dkarlovi/Development/RandD/composer-audit/vendor/composer/installed.json
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Reading ./composer.lock (/home/dkarlovi/Development/RandD/composer-audit/composer.lock)
Built pool.
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Nothing to install, update or remove
Generating autoload files
9 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/packages.json from cache
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-psr~event-dispatcher.json from cache
Downloading https://repo.packagist.org/p2/psr/event-dispatcher.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-psr~log.json from cache
Downloading https://repo.packagist.org/p2/psr/log.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~deprecation-contracts.json from cache
Downloading https://repo.packagist.org/p2/symfony/deprecation-contracts.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~error-handler.json from cache
Downloading https://repo.packagist.org/p2/symfony/error-handler.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~event-dispatcher.json from cache
Downloading https://repo.packagist.org/p2/symfony/event-dispatcher.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~event-dispatcher-contracts.json from cache
Downloading https://repo.packagist.org/p2/symfony/event-dispatcher-contracts.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~http-foundation.json from cache
Downloading https://repo.packagist.org/p2/symfony/http-foundation.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~http-kernel.json from cache
Downloading https://repo.packagist.org/p2/symfony/http-kernel.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~polyfill-ctype.json from cache
Downloading https://repo.packagist.org/p2/symfony/polyfill-ctype.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~polyfill-mbstring.json from cache
Downloading https://repo.packagist.org/p2/symfony/polyfill-mbstring.json if modified
Reading /home/dkarlovi/.composer/cache/repo/https---repo.packagist.org/provider-symfony~var-dumper.json from cache
Downloading https://repo.packagist.org/p2/symfony/var-dumper.json if modified
[304] https://repo.packagist.org/p2/psr/log.json
[304] https://repo.packagist.org/p2/symfony/error-handler.json
[304] https://repo.packagist.org/p2/symfony/event-dispatcher.json
[304] https://repo.packagist.org/p2/symfony/deprecation-contracts.json
[304] https://repo.packagist.org/p2/symfony/polyfill-ctype.json
[304] https://repo.packagist.org/p2/symfony/polyfill-mbstring.json
[304] https://repo.packagist.org/p2/symfony/var-dumper.json
[304] https://repo.packagist.org/p2/symfony/event-dispatcher-contracts.json
[304] https://repo.packagist.org/p2/symfony/http-foundation.json
[304] https://repo.packagist.org/p2/symfony/http-kernel.json
[304] https://repo.packagist.org/p2/psr/event-dispatcher.json
Found 1 security vulnerability advisory affecting 1 package.
Run composer audit for a full list of advisories.
success

And I expected this to happen:

It echoes failure, meaning the command exits non-zero, just like composer audit does in the same case. This is important if you're doing --audit in CI: nobody is reading those messages, the build must fail.

@dkarlovi dkarlovi changed the title composer install --audit should exit non-zero if issues found composer install --audit does not exit non-zero if issues found Mar 1, 2023
@Seldaek Seldaek added this to the 2.6 milestone Mar 15, 2023
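A CI-side workaround for the behaviour described in this issue, added here as an example and not code from the issue or from the Composer project: capture the output of `composer install --audit` and fail the job when the "Found N security vulnerability advisory" summary line appears, so the build breaks even on a Composer version where the install command itself exits zero. The function names and the sample output strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the issue or of Composer itself).
# Fails a CI step when `composer install --audit` prints an advisory
# summary but still exits 0, as reported above for Composer 2.5.4.

# Return 0 (true) if the captured install output reports any advisories.
# Matches both "1 ... advisory affecting 1 package" and the plural form.
audit_output_has_advisories() {
    printf '%s\n' "$1" |
        grep -Eq '^Found [0-9]+ security vulnerability advisor(y|ies) affecting'
}

# Run the real install and apply the check. Exit status:
#   1 if the install itself fails or if any advisory is reported,
#   0 only when the install succeeds with no advisories.
ci_install_with_audit() {
    out=$(composer install --audit --no-interaction 2>&1) || {
        printf '%s\n' "$out"
        return 1
    }
    printf '%s\n' "$out"
    if audit_output_has_advisories "$out"; then
        echo "Security advisories found; run 'composer audit' for details." >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs (modelled on the lines quoted in the issue),
# used to exercise the check without a real Composer run.
SAMPLE_WITH_ADVISORY='Generating autoload files
Found 1 security vulnerability advisory affecting 1 package.
Run composer audit for a full list of advisories.'

SAMPLE_CLEAN='Generating autoload files
Nothing to install, update or remove'
```

An alternative that needs no output parsing is to run `composer audit` as a separate CI step right after the install, since that command already exits non-zero on findings, as the reporter notes.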