Skip to content

[#2518] Removed audit ignore entries for upstream-fixed 'twig/twig' and 'symfony/polyfill-intl-idn' CVEs.#2528

Merged
AlexSkrypnyk merged 2 commits into
mainfrom
feature/2518-clear-audit-ignore
May 29, 2026
Merged

[#2518] Removed audit ignore entries for upstream-fixed 'twig/twig' and 'symfony/polyfill-intl-idn' CVEs.#2528
AlexSkrypnyk merged 2 commits into
mainfrom
feature/2518-clear-audit-ignore

Conversation

@AlexSkrypnyk

@AlexSkrypnyk AlexSkrypnyk commented May 29, 2026

Copy link
Copy Markdown
Member

Closes #2518

Summary

Removes the six config.audit.ignore entries from composer.json that were suppressing PKSA advisories for twig/twig and symfony/polyfill-intl-idn. Those entries were necessary while drupal/core-recommended ~11.3.10 pinned twig/twig at v3.26.0 and symfony/polyfill-intl-idn at v1.37.0. With drupal/core-recommended ~11.3.11 (landed on main in #2524), the dependency graph now resolves twig/twig v3.27.0 and symfony/polyfill-intl-idn v1.38.1, both above the fix thresholds. The entire ignore map is dropped; abandoned: report and block-insecure: true are kept. Installer baseline snapshot and three derived fixtures are regenerated to reflect the structural change.

Changes

  • composer.json - Dropped the config.audit.ignore block (6 PKSA advisory suppressions); audit section retains abandoned and block-insecure settings.
  • .vortex/installer/tests/Fixtures/handler_process/_baseline/composer.json - Regenerated baseline snapshot; the ignore block is removed, matching the updated root composer.json.
  • .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/composer.json - Diff-header line numbers updated to account for the 8-line removal in the baseline.
  • .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/composer.json - Same mechanical line-number cascade as hosting_acquia.
  • .vortex/installer/tests/Fixtures/handler_process/starter_drupal_cms_profile/composer.json - Snapshot updated to reflect the absence of the ignore block and the cascaded line-number shifts.

Before / After

// Before
"audit": {
    "ignore": {
        "PKSA-1tmc-rt7x-12w6": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-dwsq-ppd2-mb1x": "symfony/polyfill-intl-idn v1.37.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-fbvq-z33h-r2np": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-g9zw-qxh8-pq8w": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-xx6c-6d96-db2w": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix.",
        "PKSA-yd6k-t2gh-1m43": "twig/twig v3.26.0 - required by drupal/core-recommended ~11.3.10, awaiting upstream fix."
    },
    "abandoned": "report",
    "block-insecure": true
}

// After
"audit": {
    "abandoned": "report",
    "block-insecure": true
}

Summary by CodeRabbit

  • Chores
    • Removed security advisory ignore configurations to streamline dependency settings.

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 29, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3bf57f8a-f562-485e-a33a-5d06b30ffc90

📥 Commits

Reviewing files that changed from the base of the PR and between ef6da21 and 3eb7d97.

⛔ Files ignored due to path filters (4)
  • .vortex/installer/tests/Fixtures/handler_process/_baseline/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/starter_drupal_cms_profile/composer.json is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (1)
  • composer.json
💤 Files with no reviewable changes (1)
  • composer.json

Walkthrough

The PR removes temporary security advisory ignore entries from composer.json that were added as a workaround for unpatched CVEs in Drupal core dependencies. This cleanup reflects upstream fixes for twig/twig and symfony/polyfill-intl-idn now available through updated Drupal core constraints.

Changes

Audit ignore cleanup

Layer / File(s) Summary
Remove audit ignore entries
composer.json
The config.audit.ignore block containing six security advisory IDs for Twig (CVE-2026-48805, CVE-2026-48806, CVE-2026-48807, CVE-2026-48808) and symfony/polyfill-intl-idn (CVE-2026-46644, CVE-2026-46636) is removed. The remaining config.audit configuration (abandoned: "report", block-insecure: true) remains unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • drevops/vortex#2520: The main PR removes the composer.json config.audit.ignore advisory entries that were added for blocking Composer/Drupal core install, directly undoing the workaround configuration.

Suggested labels

Security

Poem

🐰 The audit list grows long with workarounds deep,
But upstream has fixed what kept us from sleep!
Out go the ignore blocks, no longer needed here,
Drupal core is patched—our dependencies are clear! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title directly and accurately describes the main change: removing audit ignore entries for specific CVEs that have been fixed upstream.
Linked Issues check ✅ Passed The pull request fulfills all coding objectives from issue #2518: removes six config.audit.ignore entries for twig/twig and symfony/polyfill-intl-idn CVEs, and updates installer snapshots/fixtures accordingly.
Out of Scope Changes check ✅ Passed All changes are in scope: composer.json audit.ignore block removal and regeneration of installer test fixtures are directly aligned with the stated objective of removing the temporary workaround.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/2518-clear-audit-ignore

Comment @coderabbitai help to get the list of available commands and usage tips.

@AlexSkrypnyk AlexSkrypnyk enabled auto-merge (squash) May 29, 2026 05:16
@github-actions

Copy link
Copy Markdown

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@AlexSkrypnyk

This comment has been minimized.

2 similar comments
@AlexSkrypnyk

This comment has been minimized.

@AlexSkrypnyk

Copy link
Copy Markdown
Member Author

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   98.53% (201/204)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@codecov

codecov Bot commented May 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.04%. Comparing base (c61fc07) to head (3eb7d97).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2528      +/-   ##
==========================================
- Coverage   86.49%   86.04%   -0.46%     
==========================================
  Files          94       87       -7     
  Lines        4674     4515     -159     
  Branches       47        3      -44     
==========================================
- Hits         4043     3885     -158     
+ Misses        631      630       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Released in 1.39.0

Development

Successfully merging this pull request may close these issues.

Remove audit ignore entries once upstream fixes 'symfony/polyfill-intl-idn' and 'twig/twig' CVEs land in Drupal core.

1 participant