Skip to content

Added audit ignore entries for advisories blocking Drupal core install.#2520

Merged
AlexSkrypnyk merged 4 commits into
mainfrom
feature/audit-ignore-cves
May 28, 2026
Merged

Added audit ignore entries for advisories blocking Drupal core install.#2520
AlexSkrypnyk merged 4 commits into
mainfrom
feature/audit-ignore-cves

Conversation

@AlexSkrypnyk

@AlexSkrypnyk AlexSkrypnyk commented May 28, 2026

Copy link
Copy Markdown
Member

Summary

drupal/core-recommended ~11.3.10 pins twig/twig to ~v3.26.0 and symfony/polyfill-intl-idn to ~v1.37.0. Both ranges resolve only to versions covered by open security advisories, while the fixed versions (twig/twig >=3.27.0 and symfony/polyfill-intl-idn >=1.38.1) fall outside the pinned constraints. As a result, composer audit --locked blocks composer install in CI. This PR adds a config.audit.ignore block to suppress those six advisories so Drupal core installs cleanly until upstream widens its constraints.

Changes

  • composer.json - added config.audit.ignore block with 6 entries: PKSA-dwsq-ppd2-mb1x (symfony/polyfill-intl-idn v1.37.0) and PKSA-1tmc-rt7x-12w6, PKSA-fbvq-z33h-r2np, PKSA-g9zw-qxh8-pq8w, PKSA-xx6c-6d96-db2w, PKSA-yd6k-t2gh-1m43 (all twig/twig v3.26.0); each entry documents the affected package, version, root cause, and forward-looking note.
  • .vortex/CLAUDE.md - promoted the "commit before ahoy update-snapshots" guidance to a HARD RULE at the top of the Cross-System Workflow section, and updated both the template-scripts and template-files checklists to make the commit step explicit and ordered.
  • Installer fixture snapshots - regenerated four fixtures under .vortex/installer/tests/Fixtures/handler_process/ (_baseline, hosting_acquia, hosting_project_name___acquia, starter_drupal_cms_profile) to reflect the new audit.ignore block in the baseline composer.json.

Before / After

# Before
"audit": {
    "abandoned": "report",
    "block-insecure": true
}

# After
"audit": {
    "ignore": {
        "PKSA-1tmc-rt7x-12w6": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-dwsq-ppd2-mb1x": "symfony/polyfill-intl-idn v1.37.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-fbvq-z33h-r2np": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-g9zw-qxh8-pq8w": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-xx6c-6d96-db2w": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-yd6k-t2gh-1m43": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix."
    },
    "abandoned": "report",
    "block-insecure": true
}

Related: #2518 (tracks removal once upstream fixes land).

Summary by CodeRabbit

  • Chores
    • Updated internal development workflow documentation with improved guidance on commit requirements before snapshot operations.
    • Added configuration to manage security advisories for certain dependencies awaiting upstream fixes.

Review Change Stack

@github-project-automation github-project-automation Bot moved this to BACKLOG in Vortex 1.x May 28, 2026
@AlexSkrypnyk AlexSkrypnyk added the Security Issue or a pull requests that address a security vulnerability label May 28, 2026
@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5779531a-0765-449d-ba71-f58774578606

📥 Commits

Reviewing files that changed from the base of the PR and between 5fa4488 and 9a1ce23.

⛔ Files ignored due to path filters (4)
  • .vortex/installer/tests/Fixtures/handler_process/_baseline/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/starter_drupal_cms_profile/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (2)
  • .vortex/CLAUDE.md
  • composer.json

Walkthrough

This PR makes two independent updates: it clarifies the development workflow by emphasizing that commits must precede snapshot regeneration in .vortex/CLAUDE.md, and it configures Composer to ignore known security advisories in Drupal core dependencies pending upstream patches in composer.json.

Changes

Workflow and Dependency Updates

Layer / File(s) Summary
Workflow guidance: commit-before-snapshots rule
.vortex/CLAUDE.md
Introduces a "HARD RULE" requiring commits before ahoy update-snapshots to ensure uncommitted changes (template scripts, configs, Dockerfiles, composer.json) are captured. The "updating template scripts" and "updating template files" workflows are reordered to place explicit commits before snapshot regeneration.
Security advisory configuration for Drupal dependencies
composer.json
Security advisory ignores are added for twig/twig v3.26.0 (via drupal/core-recommended ~11.3.10) and symfony/polyfill-intl-idn v1.37.0 (via drupal/core-recommended ~11.3.10), each annotated as awaiting upstream fixes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

Poem

🐰 A rabbit hops through code with care,
Commits before snapshots—the golden rule fair!
Advisories tucked in composer's safe keep,
Waiting for upstream fixes to reap. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately describes the main change in the changeset: adding audit ignore entries to composer.json to address security advisories blocking Drupal core installation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/audit-ignore-cves

Comment @coderabbitai help to get the list of available commands and usage tips.

@AlexSkrypnyk AlexSkrypnyk added this to the 1.39.0 milestone May 28, 2026
@AlexSkrypnyk AlexSkrypnyk moved this from BACKLOG to In progress in Vortex 1.x May 28, 2026
@github-actions

Copy link
Copy Markdown

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@AlexSkrypnyk

This comment has been minimized.

2 similar comments
@AlexSkrypnyk

This comment has been minimized.

@AlexSkrypnyk

Copy link
Copy Markdown
Member Author

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@codecov

codecov Bot commented May 28, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.05%. Comparing base (5fa4488) to head (9a1ce23).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2520      +/-   ##
==========================================
- Coverage   86.50%   86.05%   -0.46%     
==========================================
  Files          93       86       -7     
  Lines        4661     4502     -159     
  Branches       47        3      -44     
==========================================
- Hits         4032     3874     -158     
+ Misses        629      628       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Security Issue or a pull requests that address a security vulnerability

Projects

Status: Released in 1.39.0

Development

Successfully merging this pull request may close these issues.

1 participant