Merge 58acd4d into 1e056b7

composer.json

@@ -32,7 +32,7 @@
         "violinist-dev/slug-from-url": "^1",
         "violinist-dev/symfony-cloud-security-checker": "^2",
         "violinist-dev/timeframe-handler": "^1.0",
-        "violinist-dev/violinist-config": "^2.0",
+        "violinist-dev/violinist-config": "^2.1",
         "violinist-dev/violinist-messages": "^1.6.0",
         "wa72/simplelogger": "^1.0"
     },

src/CosyComposer.php

@@ -843,6 +843,16 @@ public function run()
         }
         // Only update the ones in the allow list, if indicated.
         $handler = AllowListHandler::createFromConfig($config);
+        if ($config->shouldAlwaysAllowDirect()) {
+            $require_list = [];
+            if (!empty($composer_json_data->require)) {
+                $require_list = array_keys(get_object_vars($composer_json_data->require));
+            }
+            if (!empty($composer_json_data->{'require-dev'})) {
+                $require_list = array_merge($require_list, array_keys(get_object_vars($composer_json_data->{'require-dev'})));
+            }
+            $handler = AllowListHandler::createFromArray(array_merge($require_list, $config->getAllowList()));
+        }
         $handler->setLogger($this->getLogger());
         $data = $handler->applyToItems($data);
         // Remove non-security packages, if indicated.

test/fixtures/composer.always_allow_direct_dependencies.json

@@ -0,0 +1,14 @@
+{
+    "require": {
+        "symfony/console": "v5.4.19"
+    },
+    "extra": {
+        "violinist": {
+            "always_allow_direct_dependencies": 1,
+            "check_only_direct_dependencies": 0,
+            "allow_list": [
+                "psr/cache"
+            ]
+        }
+    }
+}