
Conversation

@AlexSkrypnyk (Member) commented Nov 25, 2025

Closes #2125

Summary by CodeRabbit

  • New Features

    • CI now runs Composer security auditing with a configurable flag (new environment variable) to optionally ignore failures; default audit settings added to project config.
  • Documentation

    • Added Composer auditing guidance, examples, CI notes, variable reference, and an FAQ entry; some audit guidance appears duplicated in the docs.
  • Chores

    • Bumped Drupal core/tooling and several dev dependencies; expanded spellcheck dictionary.


@coderabbitai (coderabbitai bot) commented Nov 25, 2025

Walkthrough

Adds Composer audit settings to composer.json, adds CI steps (CircleCI + GitHub Actions) to run composer audit (toggleable via a new env var), introduces VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE variable, bumps several dependencies, and updates docs and FAQs with Composer audit guidance.

Changes

Cohort / File(s) / Summary

  • CI configs (.circleci/config.yml, .github/workflows/build-test-deploy.yml)
    Inserted an "Audit Composer packages" step running docker compose exec -T cli composer audit, placed after the dev dependency install and before composer validation; the step honors VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE to permit continuing on audit failures.
  • CI variables (.vortex/docs/.utils/variables/extra/ci.variables.sh)
    Added VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE=0 and the comment "# Ignore `composer audit` failures." to expose the CI toggle.
  • Composer & deps (composer.json)
    Added config.audit (block-insecure=true, abandoned=report) and bumped Drupal core/core scaffolding/core-recommended and multiple dev deps (redis, behat, phpstan, rector, twig-cs-fixer, drupal/core-dev, etc.).
  • Docs: Composer & Workflows (.vortex/docs/content/drupal/composer.mdx, .vortex/docs/content/workflows/development.mdx, .vortex/docs/content/workflows/variables.mdx, docs/faqs.md)
    Added Composer security auditing guidance, examples for config.audit, documented VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE, and added FAQ guidance for audit-blocked installs (a duplicated block appears in development.mdx).
  • Minor docs / tooling (.vortex/docs/content/workflows/releasing.mdx, .vortex/docs/cspell.json)
    Minor formatting/spacing edits and added "GHSA" to the cspell dictionary.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant CI as CI pipeline
    participant Runner as Runner / CLI container
    participant Composer as Composer

    Dev->>CI: push / open PR
    CI->>Runner: install deps / normalize composer
    CI->>Runner: run composer audit
    Runner->>Composer: composer audit (checks advisories)
    Composer-->>Runner: advisories + exit code

    alt VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE = 1
        note right of Runner: Audit failures ignored
        Runner-->>CI: exit 0 (continue)
        CI-->>Dev: pipeline continues
    else VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE = 0
        note right of Runner: Audit failures fail pipeline
        Runner-->>CI: non-zero exit (fail)
        CI-->>Dev: pipeline fails
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

  • Check duplicated documentation in .vortex/docs/content/workflows/development.mdx.
  • Verify config.audit keys/values match Composer 2.9 semantics.
  • Ensure CI steps reference VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE consistently across CircleCI and GitHub Actions.
  • Review dependency bumps for compatibility with Drupal 11.2.8 toolchain.

Poem

🐰 I nibble through composer lines at night,
I sniff for weak and keep installs tight.
In CI I hop when audits run,
A little flag to skip — or fail — for fun.
Hooray, packages safe till light!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Out of Scope Changes check (⚠️ Warning): The PR includes out-of-scope dependency version bumps in composer.json unrelated to Composer 2.9.0 audit support, plus duplicate documentation in development.mdx. Resolution: Remove dependency version bumps from composer.json (behat, phpstan, rector, etc.) and consolidate duplicate Composer security auditing sections in development.mdx.

✅ Passed checks (4 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): The title accurately describes the main change: adding support for Composer 2.9.0 automated security audit. It is concise and directly relates to the changeset.
  • Linked Issues check (✅ Passed): All primary objectives from issue #2125 are met: audit config added to composer.json, Composer documentation updated, and FAQ entry created with links.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5fe742d and 3e40569.

⛔ Files ignored due to path filters (38)
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/ciprovider_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_all_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_none_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deps_updates_provider_ci_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_project_name___acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/starter_drupal_cms_profile/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_claro/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_olivero/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_stark/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/timezone_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_lint/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_lint_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests_circleci/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat_circleci/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpcs/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpcs_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpmd/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpmd_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpstan/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpstan_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpunit/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpunit_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_rector/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_rector_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_none/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_none/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (10)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
  • .vortex/docs/.utils/variables/extra/ci.variables.sh (1 hunks)
  • .vortex/docs/content/drupal/composer.mdx (1 hunks)
  • .vortex/docs/content/workflows/development.mdx (2 hunks)
  • .vortex/docs/content/workflows/releasing.mdx (8 hunks)
  • .vortex/docs/content/workflows/variables.mdx (1 hunks)
  • .vortex/docs/cspell.json (1 hunks)
  • composer.json (3 hunks)
  • docs/faqs.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
composer.json

📄 CodeRabbit inference engine (CLAUDE.md)

composer.json: Define patch configurations in composer.json under 'extra.patches' section, supporting both local patches and external URLs
Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Files:

  • composer.json
🧠 Learnings (3)
📚 Learning: 2025-07-23T01:16:30.963Z
Learnt from: AlexSkrypnyk
Repo: drevops/vortex PR: 1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.

Applied to files:

  • .github/workflows/build-test-deploy.yml
  • .vortex/docs/.utils/variables/extra/ci.variables.sh
  • .circleci/config.yml
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Applies to composer.json : Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Applied to files:

  • .vortex/docs/content/workflows/development.mdx
  • composer.json
  • docs/faqs.md
  • .vortex/docs/content/drupal/composer.mdx
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Use 'ahoy build' for initial site setup, 'ahoy up/down' for environment management, and 'ahoy provision' to re-provision with fresh database

Applied to files:

  • .vortex/docs/content/workflows/development.mdx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (4)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (11)
.vortex/docs/cspell.json (1)

12-12: LGTM!

The addition of "GHSA" to the spell-check dictionary is appropriate given the expanded security audit documentation using GitHub Security Advisory identifiers in examples and guidance.

.vortex/docs/content/workflows/variables.mdx (1)

449-455: Verify default value documentation.

The variable entry shows Default value: UNDEFINED, but .vortex/docs/.utils/variables/extra/ci.variables.sh sets VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE=0. Confirm whether the documentation default should reflect 0 instead, or if "UNDEFINED" is intentional to allow environment override.

.vortex/docs/content/workflows/releasing.mdx (1)

50-50: LGTM!

Formatting improvements (blank lines for readability) across the document. No content changes, and spacing enhances document structure.

Also applies to: 83-83, 139-140, 153-154, 167-170

.vortex/docs/.utils/variables/extra/ci.variables.sh (1)

33-34: LGTM!

New environment variable properly defined and positioned. Consistent naming, clear comment, and security-first default (0 = fail on vulnerabilities) aligns with audit strategy described in documentation.

docs/faqs.md (1)

130-147: LGTM!

New FAQ section is practical and addresses the stated PR objective. Provides clear guidance on handling security blocking: update packages, audit for details, or adjust config. Markdown link is properly formatted (addressing prior MD034 linting issue).

.vortex/docs/content/workflows/development.mdx (2)

83-83: Verify header capitalization consistency.

Line 83 changed from "Environment Variable Updates" (capitalized) to "Environment variable updates" (lowercase). Verify this is intentional and consistent with other section headers in the document, or revert to match surrounding header style.


308-419: LGTM!

Comprehensive Composer security auditing documentation added. Clear configuration examples, explains all three audit options (block-insecure, abandoned, ignore), includes the security-first philosophy callout addressing prior review, provides practical command examples, and properly documents CI/CD integration. Well-structured and actionable.

.vortex/docs/content/drupal/composer.mdx (1)

229-259: LGTM!

Audit configuration documentation properly integrated into composer.json config section. Clear explanation of all three options (block-insecure, abandoned, ignore) with sensible Vortex defaults documented. Links appropriately to development.mdx for comprehensive guidance. Additional platform and sort-packages options are well-explained.

.circleci/config.yml (1)

283-285: LGTM!

New "Audit Composer packages" step properly integrated into CircleCI build job. Uses correct docker compose execution context (-T cli), implements proper failure handling via environment variable with secure default (0 = fail on vulnerabilities), and is logically positioned after dependency installation. Consistent with established CI patterns.

.github/workflows/build-test-deploy.yml (1)

277-279: ✅ Audit step correctly uses docker compose execution context.

The implementation properly wraps the composer audit command with docker compose exec -T cli, maintaining consistency with other Composer commands in the workflow and ensuring execution within the PHP container where Composer is available.

composer.json (1)

87-90: Incorrect review comment: Implementation aligns with actual PR objectives, not contradictory.

The review's premise is flawed. The git commit message clearly states: "Added support for Composer 2.9.0 automated security audit," and the implementation ("block-insecure": true) directly aligns with this objective to enable security blocking.

The PR objectives documented in the commit are not to disable security blocking for backwards compatibility. No such backwards-compatibility requirement appears in project documentation, FAQs, or commit details. The audit.block-insecure setting is presented in docs/faqs.md as an optional configuration for cases where needed, not as a default backwards-compatibility requirement.

The code is working as intended per the actual commit message.

Likely an incorrect or invalid review comment.


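The audit gate this PR adds to CircleCI (`composer audit || [ "${VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE:-0}" -eq 1 ]`) is reimplemented below as a stand-alone POSIX sh wrapper so the toggle's fail-closed semantics can be checked offline. This is an added example, not the Vortex project's own CI code: `audit_composer` mirrors the PR's `docker compose exec -T cli composer audit` call, and `fake_audit` is a constructed stand-in for `composer audit` used only to exercise the gate without Composer or Docker.

```shell
#!/bin/sh
# Added example (not Vortex's own CI code): a POSIX sh gate around an audit
# command that honours VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE with fail-closed
# semantics, matching the PR's CircleCI step:
#   composer audit || [ "${VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE:-0}" -eq 1 ]

# run_audit COMMAND [ARGS...]
# Returns 0 when COMMAND succeeds. When COMMAND fails, returns 0 only if
# VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE is exactly the string "1"; any other
# value (unset, empty, "0", "true", "yes") propagates the command's own
# non-zero exit code so the CI step fails. A string comparison is used so the
# shell gate accepts the same value as the PR's GitHub Actions condition
# (vars.VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE == '1').
run_audit() {
  "$@" && return 0
  audit_rc=$?
  if [ "${VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE:-0}" = "1" ]; then
    echo "WARNING: audit failed (exit $audit_rc); VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE=1, continuing." >&2
    return 0
  fi
  echo "ERROR: audit failed (exit $audit_rc); fix the advisories or set VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE=1." >&2
  return "$audit_rc"
}

# audit_composer: the CI step as the PR runs it, inside the cli container.
# Requires docker compose and a running "cli" service, so the offline demo
# below does not call it.
audit_composer() {
  run_audit docker compose exec -T cli composer audit
}

# fake_audit EXIT_CODE: constructed stand-in for "composer audit", used only to
# exercise the gate offline. 0 mimics a clean audit, non-zero mimics advisories.
fake_audit() {
  return "${1:-0}"
}

# demo: print the gate's decision for each toggle value against a failing audit.
demo() {
  for toggle in "" "0" "true" "1"; do
    if [ -n "$toggle" ]; then
      export VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE="$toggle"
    else
      unset VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE
    fi
    if run_audit fake_audit 1 2>/dev/null; then
      echo "toggle='${toggle:-<unset>}' -> step continues"
    else
      echo "toggle='${toggle:-<unset>}' -> step fails"
    fi
  done
}

demo
```

Two caveats worth keeping in mind when wiring this into a pipeline. The toggle only relaxes the explicit audit step; it does not change config.audit.block-insecure in composer.json, which Composer enforces on its own, so a flagged package can still stop dependency resolution even with the CI variable set to 1. And composer.json is strict JSON, so the inline `//` comments suggested later in this thread would stop Composer from parsing the file; the rationale for the audit settings belongs in the docs this PR adds.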

@github-actions github-actions bot temporarily deployed to commit November 25, 2025 23:54 Inactive
@coderabbitai (coderabbitai bot) left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
composer.json (1)

74-96: Add explanatory comment for audit configuration.

The audit configuration lacks inline documentation explaining the choice of abandoned: "report" and block-insecure value. Add a comment for future maintainers:

"config": {
    "allow-plugins": { ... },
    // Composer 2.9.0 automated security auditing (issue #2125)
    // block-insecure: true enforces immediate action on vulnerabilities
    // abandoned: report logs warnings but doesn't block installation
    // See: .vortex/docs/content/workflows/development.mdx#composer-security-auditing
    "audit": {
        "abandoned": "report",
        "block-insecure": true
    },
    ...
}

Based on learnings, documenting the issue reference (#2125) helps maintainability.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 75a3548 and 5f43196.

📒 Files selected for processing (10)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
  • .vortex/docs/.utils/variables/extra/ci.variables.sh (1 hunks)
  • .vortex/docs/content/drupal/composer.mdx (1 hunks)
  • .vortex/docs/content/workflows/development.mdx (1 hunks)
  • .vortex/docs/content/workflows/releasing.mdx (8 hunks)
  • .vortex/docs/content/workflows/variables.mdx (1 hunks)
  • .vortex/docs/cspell.json (1 hunks)
  • composer.json (3 hunks)
  • docs/faqs.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
composer.json

📄 CodeRabbit inference engine (CLAUDE.md)

composer.json: Define patch configurations in composer.json under 'extra.patches' section, supporting both local patches and external URLs
Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Files:

  • composer.json
🧠 Learnings (3)
📓 Common learnings
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Applies to composer.json : Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Use git-based patching with 'cweagans/composer-patches' v2.x which provides improved reliability with git apply and SHA-256 checksums
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Applies to composer.json : Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Applied to files:

  • .vortex/docs/content/workflows/development.mdx
  • .vortex/docs/content/drupal/composer.mdx
  • docs/faqs.md
  • composer.json
📚 Learning: 2025-07-23T01:16:30.963Z
Learnt from: AlexSkrypnyk
Repo: drevops/vortex PR: 1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.

Applied to files:

  • .vortex/docs/.utils/variables/extra/ci.variables.sh
🪛 markdownlint-cli2 (0.18.1)
docs/faqs.md

145-145: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: build (1)
  • GitHub Check: build (0)
  • GitHub Check: vortex-test-workflow (4)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.3)
🔇 Additional comments (11)
.vortex/docs/content/workflows/releasing.mdx (1)

50-50: Formatting changes look good.

These whitespace adjustments improve readability around headings, code blocks, and lists without altering content or structure.

Also applies to: 139-143, 145-158, 167-170, 199-205, 220-226, 275-283, 292-299

.vortex/docs/cspell.json (1)

12-12: "GHSA" addition aligns with documentation updates.

Adding the GitHub Security Advisory acronym to the dictionary supports the new CVE/GHSA references in the Composer security audit documentation.

.vortex/docs/content/drupal/composer.mdx (1)

229-245: Comprehensive audit configuration documentation.

The new audit section clearly explains block-insecure, abandoned, and ignore settings with actionable guidance. The cross-reference to the development workflow documentation improves discoverability.

.vortex/docs/content/workflows/variables.mdx (1)

449-455: Variable documentation follows established conventions.

The VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE entry is correctly positioned and formatted consistently with related ignore-failure variables.

.circleci/config.yml (1)

289-291: CircleCI implementation is correct.

The composer audit command properly executes within the docker compose context, consistent with other linting steps. The bash conditional failure-ignore pattern matches the normalize check above it.

docs/faqs.md (2)

130-147: Verify no duplicate FAQ content exists elsewhere in file.

The AI summary suggests this FAQ content may be duplicated in two locations within the document. Please confirm this section appears only once. If duplication exists, consolidate to a single entry to maintain document clarity and reduce maintenance burden.


145-146: I'll help you verify the review comment by examining the file and checking for the issues mentioned. Let me start by exploring the faqs.md file and investigating the bare URL and potential duplication.

```shell
#!/bin/bash

# First, check file size and read the section around lines 145-146
wc -l docs/faqs.md
echo "---"

# Read lines 130-155 to see full context
sed -n '130,155p' docs/faqs.md | cat -n

# Search for the specific URL to see all occurrences
rg 'vortextemplate.com/docs/drupal/composer' docs/faqs.md -n

# Search for potential duplicate FAQ content about "Composer blocks package" or "security vulnerabilities"
rg -i 'composer.*block|security.*vulnerab|audit.*config' docs/faqs.md -n -B 2 -A 2
```

Waiting for results to verify the bare URL and duplication concerns...
.vortex/docs/.utils/variables/extra/ci.variables.sh (1)

33-34: New CI variable follows established conventions.

The VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE=0 addition maintains consistency with the ignore-failure pattern for other CI checks and is appropriately placed in the variable list.

.vortex/docs/content/workflows/development.mdx (2)

308-409: Good! Now let me check the actual content of the development.mdx file and look for duplicates:

```shell
#!/bin/bash

echo "=== Searching for all 'Composer Security Auditing' occurrences ==="
rg -n "Composer Security Auditing" .vortex/docs/content/workflows/development.mdx

echo ""
echo "=== Counting total occurrences ==="
rg -c "Composer Security Auditing" .vortex/docs/content/workflows/development.mdx

echo ""
echo "=== Get line count of development.mdx ==="
wc -l .vortex/docs/content/workflows/development.mdx

echo ""
echo "=== Read lines 300-320 to see context ==="
sed -n '300,320p' .vortex/docs/content/workflows/development.mdx

echo ""
echo "=== Full search for 'Composer Security' in development.mdx ==="
rg -n "Composer Security" .vortex/docs/content/workflows/development.mdx

echo ""
echo "=== Search for composer.json in entire repo ==="
find . -name "composer.json" -type f 2>/dev/null | head -5

echo ""
echo "=== Check for any audit configuration mentions ==="
rg -n "block-insecure" .vortex/docs/content/workflows/development.mdx

# Read the section around lines 308-409
echo "=== Reading development.mdx lines 300-420 ==="
sed -n '300,420p' .vortex/docs/content/workflows/development.mdx
```

400-408: The documentation is accurate and the variable is properly implemented.

All verification points confirm:

  1. Variable is implemented in CI workflows:

    • CircleCI (line 291): composer audit || [ "${VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE:-0}" -eq 1 ]
    • GitHub Actions (line 284): continue-on-error: ${{ vars.VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE == '1' }}
  2. Variable is documented: Listed in ./.vortex/docs/content/workflows/variables.mdx (line 449) and defined in ./.vortex/docs/.utils/variables/extra/ci.variables.sh (line 34) with default value 0.

  3. Default behavior is correct: When not set, the variable defaults to 0/undefined, which means audit failures will cause the build to fail (as documented).

composer.json (1)

15-16: Based on the verification, I can now provide a comprehensive assessment:

Verified findings:

  1. Primary PR goal: Clearly documented as "[#2125] Added support for Composer 2.9.0 automated security audit" with comprehensive documentation added
  2. Audit configuration: Properly added to composer.json with block-insecure: true and abandoned: report
  3. Dependency updates: All are patch or minor version bumps (safe, non-breaking changes):
    • Drupal core: 11.2.5 → 11.2.8 (patch within ~11.2.x)
    • All dev tools: similar minor/patch increments
  4. No composer.lock change: Suggests intentional version pinning, not automatic transitive updates
  5. Documentation: Updated with detailed audit guidance and security best practices

Assessment of original concerns:

  • The bundling of dependency updates WITH the audit feature is contextually reasonable—they're all safety-critical patch/minor bumps, not major version changes
  • No evidence that these updates are REQUIRED for Composer 2.9.0 compatibility; they appear to be a concurrent lockfile refresh
  • The commit message does not explain the rationale for these specific version updates

Verify: Are multiple dependency version updates intentional, or should they be separated?

This PR bundles dependency updates with the Composer 2.9.0 audit configuration. However, all updates are minor or patch-level bumps (e.g., Drupal core 11.2.5→11.2.8, rector 2.2.7→2.2.8, phpstan 2.1.31→2.1.32)—non-breaking, safe changes.

Clarifications needed:

  1. Are these patch updates intentional security/maintenance refreshes, or coincidental lockfile updates?
  2. If intentional security updates, document the rationale in the commit message or PR description.
  3. For future PRs, consider separating feature additions (audit config) from dependency maintenance commits to improve clarity.

The current bundling is acceptable given the safety profile of these updates, but transparency about intent would strengthen the PR.

@codecov

codecov bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.80%. Comparing base (75a3548) to head (3e40569).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #2126   +/-   ##
========================================
  Coverage    70.80%   70.80%           
========================================
  Files           99       99           
  Lines         5059     5059           
  Branches        44       44           
========================================
  Hits          3582     3582           
  Misses        1477     1477           


@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/2125-composer-security-block branch from 5f43196 to 57f62d1 Compare November 26, 2025 00:38
@github-actions github-actions bot temporarily deployed to commit November 26, 2025 00:40 Inactive

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (1)
composer.json (1)

87-90: CRITICAL (unresolved from prior review): block-insecure value contradicts PR objectives and backwards-compatibility goal.

The past review flagged that "block-insecure": true enables security blocking (strict mode), which contradicts the stated objective to "disable Composer 2.9 automated security blocking for backwards compatibility." To disable blocking, the value should be false.

  • "block-insecure": false = permissive (don't block insecure packages; backwards-compatible)
  • "block-insecure": true = strict (block insecure packages; security-first)

This issue persists unchanged since the last review.

Resolution required: Either correct the value to false to match the backwards-compatibility objective, or explicitly update the PR description and documentation to reflect an intentional security-first override.

Apply this diff if backwards compatibility is the goal:

 "audit": {
     "abandoned": "report",
-    "block-insecure": true
+    "block-insecure": false
 }
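Review bot: flipping `block-insecure` to `false` disables install-time blocking for every advisory, which is broader than the stated goal; the verification notes on this same page record the PR title as "Added support for Composer 2.9.0 automated security audit" and the CI variable defaulting to fail the build on audit issues, so the PR objective reads as security-first and this diff would reverse it. If one package needs unblocking, the `ignore` option that composer.mdx documents alongside `block-insecure` and `abandoned` is the narrower change; keep `"block-insecure": true` and reconcile the PR description instead.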

If the intent is to enforce strict security blocking (overriding backwards compatibility), update the PR title, objectives, and all documentation to make this clear.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f43196 and 57f62d1.

⛔ Files ignored due to path filters (38)
  • .vortex/installer/tests/Fixtures/install/_baseline/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/_baseline/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/ciprovider_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_all_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_none_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deploy_types_none_gha/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/deps_updates_provider_ci_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/hosting_project_name___acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/provision_profile/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/starter_drupal_cms_profile/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_claro/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_olivero/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/theme_stark/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/timezone_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_lint/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_lint_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_groups_no_be_tests_circleci/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_behat_circleci/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpcs/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpcs_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpmd/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpmd_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpstan/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpstan_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpunit/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_phpunit_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_rector/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_no_rector_circleci/.circleci/config.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_none/.github/workflows/build-test-deploy.yml is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/install/tools_none/docs/faqs.md is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (10)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
  • .vortex/docs/.utils/variables/extra/ci.variables.sh (1 hunks)
  • .vortex/docs/content/drupal/composer.mdx (1 hunks)
  • .vortex/docs/content/workflows/development.mdx (1 hunks)
  • .vortex/docs/content/workflows/releasing.mdx (8 hunks)
  • .vortex/docs/content/workflows/variables.mdx (1 hunks)
  • .vortex/docs/cspell.json (1 hunks)
  • composer.json (3 hunks)
  • docs/faqs.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
composer.json

📄 CodeRabbit inference engine (CLAUDE.md)

composer.json: Define patch configurations in composer.json under 'extra.patches' section, supporting both local patches and external URLs
Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Files:

  • composer.json
🧠 Learnings (2)
📚 Learning: 2025-07-23T01:16:30.963Z
Learnt from: AlexSkrypnyk
Repo: drevops/vortex PR: 1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.

Applied to files:

  • .github/workflows/build-test-deploy.yml
  • .vortex/docs/.utils/variables/extra/ci.variables.sh
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Applies to composer.json : Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Applied to files:

  • composer.json
  • docs/faqs.md
  • .vortex/docs/content/workflows/development.mdx
  • .vortex/docs/content/drupal/composer.mdx
🪛 markdownlint-cli2 (0.18.1)
docs/faqs.md

145-145: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (4)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (9)
.vortex/docs/content/workflows/releasing.mdx (1)

50-50: Based on my verification, the original review comment contains several critical errors. Here's what I found:

Verification Results:

  1. releasing.mdx is a NEW FILE, not "formatting-only changes": The git log shows git show 57f62d12 reveals this file was created with new file mode 100644, containing 311 lines of entirely new release workflow documentation (GitFlow, versioning schemes, deployment, monitoring, best practices).

  2. Composer 2.9 Security Audit documentation DOES exist:

    • composer.mdx (new file): Documents Composer configuration including the new audit config with block-insecure, abandoned, and ignore options (lines ~307-317)
    • development.mdx (new file): Contains a comprehensive "Composer Security Auditing" section (lines 320-420 in the diff) covering configuration, when to use different settings, ignoring advisories, running audits, and CI/CD integration
  3. releasing.mdx is appropriately scoped: This file documents release workflows and should NOT contain Composer security audit documentation—that belongs in the development and Composer configuration docs where it correctly appears.


Rewritten Review Comment:

File does not require changes—PR objectives are met elsewhere

This file is newly created documentation for release workflows (GitFlow, versioning schemes, deployment procedures, and monitoring). It is not in scope for Composer 2.9 security audit documentation. Composer audit configuration and workflow guidance is appropriately documented in .vortex/docs/content/drupal/composer.mdx and .vortex/docs/content/workflows/development.mdx#composer-security-auditing, which contain the required Composer 2.9 automated security blocking behavior and audit settings.

.vortex/docs/cspell.json (1)

12-12: LGTM!

Adding "GHSA" to the spell-check dictionary is appropriate given the security audit documentation references GitHub Security Advisories.

.vortex/docs/content/workflows/variables.mdx (1)

449-456: LGTM!

The new variable documentation follows the established pattern and is correctly positioned. The description is clear and the default value is appropriate.

.github/workflows/build-test-deploy.yml (1)

282-284: LGTM!

The composer audit step correctly uses docker compose exec -T cli to run within the container environment, consistent with other Composer commands. The continue-on-error pattern aligns with existing CI variable conventions.

docs/faqs.md (1)

130-148: FAQ content is helpful but check for duplication across docs.

The content appropriately addresses the PR objective by providing actionable guidance for when Composer blocks installation. However, the AI summary indicates similar content may exist in .vortex/docs/content/workflows/development.mdx (the new "Composer Security Auditing" section). Verify that this FAQ and the development documentation don't create redundant or conflicting information.

Confirm whether the Composer Security Auditing section in development.mdx duplicates this FAQ content, and ensure they complement each other (FAQ = quick answer, development docs = comprehensive guide).

.vortex/docs/content/drupal/composer.mdx (1)

229-245: LGTM, but verify alignment with composer.json.

The audit configuration documentation is clear and well-structured. However, the documented default values (block-insecure=true, abandoned=report) should be verified against the actual composer.json to ensure consistency. Since composer.json is not provided in this review, please confirm that the configuration added matches what's documented here.

Verify that the audit defaults in composer.json match the documented values: block-insecure: true, abandoned: report, and ignore: {}.

.vortex/docs/.utils/variables/extra/ci.variables.sh (1)

33-34: LGTM!

The variable is correctly placed in the sequence of Composer-related ignore flags and follows the established naming and default value pattern. Default of 0 ensures secure-by-default behavior where audit failures fail the build.

.vortex/docs/content/workflows/development.mdx (1)

308-408: Comprehensive and well-structured documentation.

The new "Composer Security Auditing" section thoroughly covers configuration, use cases, and CI/CD integration. Examples are concrete and helpful. The CI/CD subsection (lines 400-408) correctly explains the automatic audit behavior and the control variable.

composer.json (1)

15-16: Dependency version updates look reasonable.

The version bumps align well with the Drupal 11.2.8 series and related tooling updates. The constraints (~ and ^) are appropriate for their respective packages.

Also applies to: 20-20, 32-51
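The semantics this thread describes (the `config.audit` keys `ignore`, `block-insecure` and `abandoned`, and the CI step gated by `VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE`) as a decision model, added here as an example that is not code from the Vortex project or from Composer. The audit report is a constructed sample shaped like `composer audit --format=json` output (its shape is assumed), and every package name, advisory ID and CVE in it is a placeholder.

```python
"""Decision model for Composer's config.audit settings and the Vortex CI gate.

Added example for this thread; not code from the Vortex project or from
Composer. The audit report below is a constructed sample shaped like
`composer audit --format=json` output (assumed shape: `advisories` keyed by
package name, plus an `abandoned` map); package names, advisory IDs and the
CVE number are placeholders.
"""
import json

# Constructed sample report; every package and identifier here is fake.
SAMPLE_AUDIT_JSON = """{
  "advisories": {
    "vendor/widget": [
      {"advisoryId": "PKSA-placeholder-0001", "cve": "CVE-0000-00001",
       "title": "Example XSS in widget renderer", "severity": "high",
       "affectedVersions": "<2.1.0"}
    ],
    "vendor/legacy-lib": [
      {"advisoryId": "GHSA-xxxx-xxxx-xxxx", "cve": null,
       "title": "Example DoS via unbounded input", "severity": "medium",
       "affectedVersions": "<1.0.5"}
    ]
  },
  "abandoned": {"vendor/legacy-lib": "vendor/new-lib"}
}"""

# The config.audit block this PR adds to composer.json: secure by default,
# abandoned packages only reported, nothing ignored.
VORTEX_AUDIT_CONFIG = {"block-insecure": True, "abandoned": "report", "ignore": {}}


def load_sample_report():
    """Parse the constructed sample into the dict shape the helpers expect."""
    return json.loads(SAMPLE_AUDIT_JSON)


def split_advisories(report, audit_config):
    """Split advisories into (active, ignored) lists of (package, advisoryId).

    An advisory is ignored when its advisoryId or CVE is listed under
    config.audit.ignore; that key is either a list of IDs or, in newer
    Composer releases, a map of ID -> reason string.
    """
    ignore = audit_config.get("ignore", [])
    ignored_ids = set(ignore if isinstance(ignore, list) else ignore.keys())
    active, ignored = [], []
    for package, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            ids = {adv.get("advisoryId"), adv.get("cve")} - {None}
            bucket = ignored if ids & ignored_ids else active
            bucket.append((package, adv["advisoryId"]))
    return active, ignored


def audit_exit_code(report, audit_config):
    """Exit status `composer audit` reports: non-zero on any active advisory,
    or on abandoned packages when abandoned == "fail" ("report" prints them,
    "ignore" hides them, neither fails the command)."""
    active, _ = split_advisories(report, audit_config)
    if active:
        return 1
    if audit_config.get("abandoned") == "fail" and report.get("abandoned"):
        return 1
    return 0


def install_blocked(report, audit_config):
    """True when block-insecure makes `composer install`/`update` refuse the
    lock file; only active (non-ignored) advisories count, so the narrow way
    to unblock one package is an `ignore` entry, not block-insecure=false."""
    active, _ = split_advisories(report, audit_config)
    return bool(active) and bool(audit_config.get("block-insecure", False))


def ci_step_passes(exit_code, env):
    """The CircleCI step from this PR, as a predicate:
    composer audit || [ "${VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE:-0}" -eq 1 ]
    """
    if exit_code == 0:
        return True
    return env.get("VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE", "0") == "1"


if __name__ == "__main__":
    rep = load_sample_report()
    scenarios = (
        ("defaults", VORTEX_AUDIT_CONFIG),
        ("one CVE ignored", dict(VORTEX_AUDIT_CONFIG,
                                 ignore={"CVE-0000-00001": "placeholder reason"})),
        ("abandoned=fail", dict(VORTEX_AUDIT_CONFIG, abandoned="fail",
                                ignore=["CVE-0000-00001", "GHSA-xxxx-xxxx-xxxx"])),
    )
    lenient = {"VORTEX_CI_COMPOSER_AUDIT_IGNORE_FAILURE": "1"}
    for label, cfg in scenarios:
        code = audit_exit_code(rep, cfg)
        print(f"{label:16} audit exit={code} "
              f"install_blocked={install_blocked(rep, cfg)} "
              f"ci_passes={ci_step_passes(code, {})} "
              f"ci_passes_with_ignore_failure={ci_step_passes(code, lenient)}")
```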

@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/2125-composer-security-block branch from 57f62d1 to 6aa314b Compare November 26, 2025 00:46
@github-actions github-actions bot temporarily deployed to commit November 26, 2025 00:49 Inactive
@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/2125-composer-security-block branch from 6aa314b to d2a1d00 Compare November 26, 2025 01:02
@github-actions github-actions bot temporarily deployed to commit November 26, 2025 01:04 Inactive
@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/2125-composer-security-block branch from d2a1d00 to 5fe742d Compare November 26, 2025 01:13
@github-actions github-actions bot temporarily deployed to commit November 26, 2025 01:16 Inactive

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2a1d00 and 5fe742d.

⛔ Files ignored due to path filters (38)
📒 Files selected for processing (10)
  • .circleci/config.yml (1 hunks)
  • .github/workflows/build-test-deploy.yml (1 hunks)
  • .vortex/docs/.utils/variables/extra/ci.variables.sh (1 hunks)
  • .vortex/docs/content/drupal/composer.mdx (1 hunks)
  • .vortex/docs/content/workflows/development.mdx (2 hunks)
  • .vortex/docs/content/workflows/releasing.mdx (8 hunks)
  • .vortex/docs/content/workflows/variables.mdx (1 hunks)
  • .vortex/docs/cspell.json (1 hunks)
  • composer.json (3 hunks)
  • docs/faqs.md (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
composer.json

📄 CodeRabbit inference engine (CLAUDE.md)

composer.json: Define patch configurations in composer.json under 'extra.patches' section, supporting both local patches and external URLs
Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Files:

  • composer.json
🧠 Learnings (3)
📚 Learning: 2025-07-23T01:16:30.963Z
Learnt from: AlexSkrypnyk
Repo: drevops/vortex PR: 1816
File: .docker/cli.dockerfile:72-76
Timestamp: 2025-07-23T01:16:30.963Z
Learning: In the Vortex project, unauthenticated Composer installs should be allowed, so GitHub token secrets should not be marked as `required=true` in Docker build mounts. The conditional check `if [ -s /run/secrets/github_token ]` is the preferred approach to allow builds to proceed without a token when needed.

Applied to files:

  • .vortex/docs/.utils/variables/extra/ci.variables.sh
  • .circleci/config.yml
  • .github/workflows/build-test-deploy.yml
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Applies to composer.json : Document the issue being fixed in composer.json patch description and include issue URLs when available from drupal.org

Applied to files:

  • .vortex/docs/content/workflows/development.mdx
  • .vortex/docs/content/drupal/composer.mdx
  • composer.json
  • docs/faqs.md
📚 Learning: 2025-11-24T21:29:10.896Z
Learnt from: CR
Repo: drevops/vortex PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T21:29:10.896Z
Learning: Use 'ahoy build' for initial site setup, 'ahoy up/down' for environment management, and 'ahoy provision' to re-provision with fresh database

Applied to files:

  • .vortex/docs/content/workflows/development.mdx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: build (0)
  • GitHub Check: build (1)
  • GitHub Check: vortex-test-workflow (4)
  • GitHub Check: vortex-test-workflow (1)
  • GitHub Check: vortex-test-workflow (3)
  • GitHub Check: vortex-test-workflow (2)
  • GitHub Check: vortex-test-workflow (0)
  • GitHub Check: vortex-test-common
  • GitHub Check: vortex-test-installer (8.4)
  • GitHub Check: vortex-test-installer (8.3)
  • GitHub Check: vortex-test-docs
🔇 Additional comments (9)
.vortex/docs/content/workflows/releasing.mdx (1)

50-50: Verify Composer audit documentation alignment with PR objectives.

The changes in this file are formatting-only (whitespace and blank line additions for readability). However, the PR objectives include updating the Composer section in .vortex/docs to describe Composer 2.9's new automated security blocking behavior and audit-setting guidance.

This releasing workflow file does not contain Composer audit documentation. Please clarify:

  1. Are Composer audit documentation updates in a different file not shown in this review?
  2. Should this file include documentation about Composer security audits in the context of the releasing workflow?
  3. Are the whitespace-only changes here the complete scope for this file, or are content updates expected?

Also applies to: 139-143, 148-170, 198-232, 275-282, 292-298

.vortex/docs/cspell.json (1)

12-12: LGTM!

Adding "GHSA" to the cspell dictionary is appropriate given the security advisory references in the new audit documentation.

.vortex/docs/content/drupal/composer.mdx (1)

229-245: LGTM!

The audit configuration documentation is clear and well-structured. The explanation of each option (block-insecure, abandoned, ignore) is helpful, and the cross-reference to the development guide for comprehensive guidance is appropriate.

.vortex/docs/content/workflows/development.mdx (1)

308-419: Comprehensive audit documentation with good security philosophy callout.

The new "Composer security auditing" section is well-structured with clear subsections covering configuration, use cases, ignoring advisories, manual auditing, and CI/CD integration. The :::warning block at lines 358–366 appropriately explains Vortex's security-first approach and when/how to override it, which directly addresses the security philosophy guidance flagged in past reviews.

.github/workflows/build-test-deploy.yml (1)

282-284: LGTM!

The CI step correctly executes composer audit inside the Docker container via docker compose exec -T cli, maintaining consistency with other Composer commands in the workflow. The variable reference for optional failure ignoring is properly implemented.

.vortex/docs/content/workflows/variables.mdx (1)

449-455: LGTM!

The variable documentation is consistent with the pattern established by other IGNORE_FAILURE variables and correctly positioned in the document. The description and default value are appropriate.

.vortex/docs/.utils/variables/extra/ci.variables.sh (1)

33-34: LGTM!

The environment variable is correctly defined with a sensible default (0 = fail on audit issues by default) and follows the established pattern in the file.

.circleci/config.yml (1)

289-291: LGTM!

The CircleCI audit step correctly executes composer audit in the Docker container and uses the OR logic with conditional check to handle optional failure ignoring. This is equivalent to the GitHub Actions continue-on-error approach and properly handles the variable with appropriate bash syntax.

docs/faqs.md (1)

130-147: ✅ Markdown link syntax is now correct; content is clear and helpful.

The new FAQ section appropriately addresses Composer 2.9.0's security blocking behavior with three practical options (update packages, run audit, adjust settings). The markdown link wrapping at line 145 now correctly uses link syntax instead of a bare URL, resolving the earlier MD034 linting issue.

Please verify that the documentation target URL (https://www.vortextemplate.com/docs/drupal/composer#config) exists and includes the audit configuration guidance (abandoned/report, block-insecure) as intended by the PR objectives. Since the Composer documentation file updates are mentioned in the PR objectives but not provided in this review, ensure the #config anchor section exists and is properly documented.

@AlexSkrypnyk AlexSkrypnyk force-pushed the feature/2125-composer-security-block branch from 5fe742d to 3e40569 Compare November 26, 2025 01:32
@github-actions github-actions bot temporarily deployed to commit November 26, 2025 01:34 Inactive
@AlexSkrypnyk AlexSkrypnyk enabled auto-merge (rebase) November 26, 2025 01:38
@AlexSkrypnyk AlexSkrypnyk merged commit 9395f7f into develop Nov 26, 2025
28 checks passed
@AlexSkrypnyk AlexSkrypnyk deleted the feature/2125-composer-security-block branch November 26, 2025 01:51
@github-project-automation github-project-automation bot moved this from BACKLOG to Release queue in Vortex Nov 26, 2025

Labels

None yet

Projects

Status: Released in 1.34.0

Development

Successfully merging this pull request may close these issues.

Support Composer 2.9.0 Automatic Security Blocking

2 participants