
Before 2.6.0: Replace ability to ignore vulnerabilities reported by Composer audit with a bypass option instead #11604

Closed
mxr576 opened this issue Aug 30, 2023 · 3 comments · Fixed by #11605

mxr576 (Contributor) commented Aug 30, 2023

Composer 2.6.0 is planning to introduce a new ignore feature for security advisories reported by composer audit. The original request was raised for this feature in #11298.

Before the implementation was merged the issue got little traction but after it was merged, it got controversial feedback. As you can see from the thread, personally, I am on the side that a feature like this should not exist.

Today, @janmashat came up with a "you can eat the cake but also keep it" type of idea, a different one from what I suggested before with composer audit-changes:

Rather than an "audit.ignored config setting to ignore security advisories" perhaps we could agree on this compromise: "audit.pass config setting to exit(0) for certain security advisories" (but still list them in the console output).

That way, if somebody is reviewing the "audit log" then they won't have to wonder whether some entries are missing.

(Source: #11298 (comment))

mxr576 (Contributor, Author) commented Aug 30, 2023

With this change, the output of composer audit could be always sent to a Slack channel or other platforms and the build would not fail for silenced vulnerabilities. So issues would not be swept under the carpet... and it is always good to see a "No security vulnerability advisories found" message :)

AlexSkrypnyk commented

I'd like to second this. Information about the packages that did not pass the audit is always useful and can be logged. It is not always possible to patch at a moment's notice and have your builds fail in CI.

cmlara (Contributor) commented Aug 31, 2023

I will add my vote of support for this change as well.

Overall this appears to still allow those who need an easy method to bypass failures to do so and at the same time retain an audit trail in the execution logs and allow users who may receive a composer file with exemptions present to easily know what vulnerabilities are present.
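A CI-side way to get the behaviour the thread asks for (every advisory is still listed in the log, the build fails only on advisories that are not exempted), added here as an example that is not part of this issue or of Composer itself. It consumes `composer audit --format=json` output; the JSON field names are an assumption taken from a constructed sample, and the advisory ids and CVE numbers in it are placeholders.

```python
import json
import sys

# Constructed sample in the shape of `composer audit --format=json` output.
# Field names (advisories, advisoryId, cve, title, affectedVersions) are an
# assumption; the ids are placeholders, not real advisories.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "vendor/pkg-a": [
            {"advisoryId": "PKSA-xxxx-0001", "packageName": "vendor/pkg-a",
             "cve": "CVE-0000-00001", "title": "Example advisory A",
             "affectedVersions": "<1.2.3"},
        ],
        "vendor/pkg-b": [
            {"advisoryId": "PKSA-xxxx-0002", "packageName": "vendor/pkg-b",
             "cve": None, "title": "Example advisory B",
             "affectedVersions": ">=2.0,<2.4"},
        ],
    }
})


def evaluate_audit(audit_json: str, exemptions: set[str]) -> tuple[list[str], int]:
    """Return (report lines, exit code).

    Every advisory is reported so the audit trail stays complete; the exit
    code is 1 only when at least one advisory is not in the exemption list.
    An exemption may name either the advisory id or the CVE."""
    data = json.loads(audit_json)
    lines, blocking = [], 0
    for package, advisories in sorted(data.get("advisories", {}).items()):
        for adv in advisories:
            ids = {adv.get("advisoryId"), adv.get("cve")} - {None}
            exempt = bool(ids & exemptions)
            blocking += not exempt
            lines.append(f"{'EXEMPT' if exempt else 'FAIL  '} {package} "
                         f"{adv.get('cve') or adv.get('advisoryId')}: "
                         f"{adv.get('title')} (affected {adv.get('affectedVersions')})")
    lines.append(f"{len(lines)} advisories listed, {blocking} blocking")
    return lines, 1 if blocking else 0


if __name__ == "__main__":
    # Usage: composer audit --format=json | python3 audit_gate.py CVE-... PKSA-...
    # With no piped input the constructed sample is evaluated instead.
    raw = SAMPLE_AUDIT_JSON if sys.stdin.isatty() else sys.stdin.read()
    report, code = evaluate_audit(raw, set(sys.argv[1:]))
    print("\n".join(report))
    sys.exit(code)
```

Because the full report is printed before the exit status is decided, it can be forwarded to a chat channel or build log as a whole, which is the point the thread makes against silently dropping ignored entries.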

@Seldaek Seldaek added this to the 2.6 milestone Aug 31, 2023