Skip to content

composer-update: opt-out for constraint widening (extra.vuln-scan.no-widen)#20

Merged
oxyc merged 1 commit into
masterfrom
feat/composer-update-no-widen
May 19, 2026
Merged

composer-update: opt-out for constraint widening (extra.vuln-scan.no-widen)#20
oxyc merged 1 commit into
masterfrom
feat/composer-update-no-widen

Conversation

@oxyc
Copy link
Copy Markdown
Member

@oxyc oxyc commented May 19, 2026

Summary

The composer-update action's two-step strategy (composer update -W, fall back to composer require -W per package) was silently widening explicitly-pinned constraints. Concrete damage seen in generoi/solarplexius after merging a vuln-scan auto-PR:

Package Constraint before Auto-PR set to Reverted in
wpackagist-plugin/woocommerce 10.0.2 (exact pin) ^10.7 solarplexius#81
wpackagist-plugin/tradedoubler-affiliate-tracker ^1.1 ^2.0 (major bump) same
wpackagist-plugin/facebook-for-woocommerce 3.4.6 (exact pin) bumped same
wpackagist-plugin/query-monitor ^3.3 ^4.0 (major bump) same

Root cause: composer require -W <pkg> without an explicit version replaces the existing constraint with ^<latest>. The fallback was designed to widen constraints for vulns the existing range can't reach (e.g., advisory <2.0.0 + pinned ^1.5 → widen to ^2), but it does so unconditionally for every package handed to it.

Change

Read extra.vuln-scan.no-widen from the project's composer.json and skip those packages in the require fallback. composer update (step 1) still runs on them — only the constraint-widening fallback is opt-outable.

Accepts both shapes:

"extra": {
  "vuln-scan": {
    "no-widen": {
      "wpackagist-plugin/woocommerce": "License-tested only against 10.0.x",
      "wpackagist-plugin/facebook-for-woocommerce": "Pinned for custom integration code"
    }
  }
}

or plain array if you don't want to document reasons inline:

"extra": { "vuln-scan": { "no-widen": ["wpackagist-plugin/woocommerce"] } }

Map form is recommended — values are free-text and exist for in-place documentation only (the action doesn't parse them).

Test plan

  • jq logic handles all three shapes: map → keys, array → values, missing → no output (default empty)
  • Follow-up PRs to add extra.vuln-scan.no-widen to projects with intentionally-pinned packages (solarplexius first)
  • Re-run vuln-scan on solarplexius after that lands; confirm the previously-widened packages are no longer in the auto-PR's diff
  • After merge: bump v2 tag/branch to propagate

🤖 Generated with Claude Code

@oxyc @claude
composer-update: opt-out for constraint widening
7996f1a 
The require-fallback in step 2 silently widens any constraint to the
latest stable. For exact pins ("10.0.2") and tight ranges ("^1.1")
that's destructive: the maintainer chose those constraints
deliberately (license compat, integration testing, major-bump
breakage). The pre-merged auto-update PR in solarplexius widened
woocommerce 10.0.2 → ^10.7 and tradedoubler ^1.1 → ^2.0 against the
team's intent.

Read extra.vuln-scan.no-widen from composer.json (map of pkg → reason,
or plain array of pkgs) and skip those packages in the require loop.
Step 1 (composer update, stays within constraints) still runs on them
— only the constraint-widening fallback is opt-outable.

Accepting both shapes (map / array) so projects can document reasons
inline (recommended) without forcing a schema migration on those that
just want the names.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@oxyc oxyc merged commit 1bc745b into master May 19, 2026
@oxyc oxyc deleted the feat/composer-update-no-widen branch May 19, 2026 14:54
This was referenced May 19, 2026
Merged
Closed
oxyc added a commit that referenced this pull request May 29, 2026
@oxyc @claude
fix(composer-update): reach 4-segment hotfixes for <= advisory bounds…
f1ae5f5 
… (+ test suite) (#35)

* test(composer-update): unit + integration tests; extract helpers to lib.sh

The composer-update logic had no tests and was fragile (every recent fix —
#20#31 — was a production-only discovery). Add a real test suite and make
the logic testable.

- Extract the helper functions (build_pkg_arg, build_widen_arg,
  find_direct_ancestors, loosen_constraint, is_still_vulnerable,
  expand_args_for, get_lock_version) from update.sh into a sourceable
  scripts/lib.sh. update.sh sources it; behavior is unchanged (the existing
  no-widen integration test still passes).

- Unit tests for the PHP helpers (the fragile version-range logic):
  - compute-min-safe-constraints: exclusive/inclusive bounds, missing version
    components, multi-range selection, no-entry fall-throughs.
  - is-still-vulnerable: in/out of range, multi-range, junk-input fail-safe.

- Unit tests for the bash helpers, each tied to the edge case it guards:
  #27 build_pkg_arg trailing newline, #29 build_widen_arg caret widen,
  #28 loosen_constraint, #22/#26 find_direct_ancestors BFS + expand_args_for.

- Integration tests driving the real update.sh with a fake composer:
  #24 downgrade revert, #21 dev-* revert, #23 per-package retry isolation,
  #20 no-widen honored as a JSON array. (Plus the existing no-widen test.)

- Fix surfaced by the tests: compute-min-safe-constraints emitted `[]` for an
  empty result, but update.sh string-indexes that map with `jq '.[$pkg]'`,
  which errors on a JSON array under `set -eo pipefail`. Encode as `{}`.

- CI: composer-update-tests.yml now sets up PHP and runs tests/run.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(composer-update): inclusive-bound (<=) safe-version derivation skips 4-segment hotfixes

compute-min-safe-constraints derived ~X.Y.(Z+1) for a <=X.Y.Z advisory.
That skips a 4-segment hotfix like X.Y.Z.1, which is >X.Y.Z but
<X.Y.(Z+1): the constraint matched no published version, the update
no-opped, and the vuln went unpatched (no PR opened).

Real case: suomentyokalu / seo-by-rank-math, advisory <=1.0.271, fixed
in 1.0.271.1. The derived ~1.0.272 could not resolve.

Emit >X.Y.Z,<X.(Y+1).0 instead — a strict-greater lower bound that
matches the hotfix while still excluding the vulnerable boundary X.Y.Z,
still minor-capped. Teach loosen_constraint() and build_widen_arg() the
new range shape (major-cap widen/loosen, boundary stays excluded).

Tests: regression case asserting <=1.0.271 -> >1.0.271,<1.1.0 plus
Semver checks that 1.0.271.1 is reachable and 1.0.271 is excluded;
updated existing <= assertions; helper-fn coverage for the range shape.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: test <test@example.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@oxyc