feat: warn about known security advisories before project creation#1006

Merged
Soner (shyim) merged 1 commit into next from feat/project-create-security-advisory-check on May 12, 2026

Conversation

Soner (shyim) (Member) commented May 12, 2026

Summary

  • Fetches packagist security advisories for shopware/core and filters to the chosen version before any folder is created.
  • Renders a styled block listing severity, title, CVE, and link for each matching advisory.
  • Interactive mode prompts "Continue anyway?" — yes auto-enables --no-audit so composer install proceeds; no cancels.
  • Non-interactive mode aborts unless --no-audit was already passed.
  • Network errors are non-fatal (logged as a warning) so a packagist outage does not block project creation.

Test plan

  • go test ./internal/packagist/... ./cmd/project/...
  • shopware-cli project create test-vuln 6.6.10.14 (a version known to have advisories) — verify the styled block and the interactive prompt
  • Same command with --no-interaction — verify it aborts unless --no-audit is passed
  • shopware-cli project create test-clean latest — verify no advisory block appears for the latest version

Fetches packagist security advisories for the chosen shopware/core version
and prompts the user to continue (auto-enabling --no-audit so composer
install proceeds) or cancel. Non-interactive runs abort unless --no-audit
was explicitly passed.
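
An added illustration of the advisory check described above (example code, not the PR's own implementation): it decodes an advisory body in the shape of Packagist's security-advisories API (the field names title, cve, link, severity and affectedVersions are assumed from that API), filters to the chosen shopware/core version with a simplified Composer range matcher, and returns the hits a warning block would render. The response body is constructed; its CVE ids and version ranges are placeholders, not real advisories.

```go
package main

import ("encoding/json"; "strconv"; "strings")

// Advisory holds what the warning block renders; encoding/json matches keys case-insensitively, so no struct tags are needed.
type Advisory struct{ Title, CVE, Link, Severity, AffectedVersions string }

// sample is a constructed body in the shape of Packagist's security-advisories API (assumption);
// the CVE ids and version ranges are placeholders, not real shopware/core advisories.
const sample = `{"advisories":{"shopware/core":[
 {"title":"Example issue A","cve":"CVE-0000-0001","link":"https://example.invalid/a","severity":"high","affectedVersions":">=6.5.0.0,<6.5.8.8|>=6.6.0.0,<6.6.10.15"},
 {"title":"Example issue B","cve":"CVE-0000-0002","link":"https://example.invalid/b","severity":"medium","affectedVersions":">=6.4.0.0,<6.4.20.0"}]}}`

// cmpVersion orders dotted numeric versions such as 6.6.10.14; missing components count as 0.
func cmpVersion(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) { x, _ = strconv.Atoi(pa[i]) }
		if i < len(pb) { y, _ = strconv.Atoi(pb[i]) }
		if x < y { return -1 } else if x > y { return 1 }
	}
	return 0
}

// matches evaluates a Composer-style constraint: "|" separates OR groups, "," ANDs comparison terms.
// Only >=, <=, >, < and exact match are handled; tilde, caret and wildcard terms evaluate to false
// (a real implementation needs a full Composer constraint parser).
func matches(version, constraint string) bool {
	for _, group := range strings.Split(constraint, "|") {
		ok := true
		for _, term := range strings.Split(group, ",") {
			term = strings.TrimSpace(term)
			op := strings.TrimRight(term, "0123456789.") // operator prefix, "" for a bare version
			c := cmpVersion(version, strings.TrimPrefix(term, op))
			ok = ok && map[string]bool{">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "": c == 0, "=": c == 0}[op]
		}
		if ok { return true }
	}
	return false
}

// affecting decodes an API body and keeps only the advisories whose range includes version.
func affecting(body []byte, pkg, version string) ([]Advisory, error) {
	var resp struct{ Advisories map[string][]Advisory }
	if err := json.Unmarshal(body, &resp); err != nil { return nil, err }
	var hits []Advisory
	for _, a := range resp.Advisories[pkg] {
		if matches(version, a.AffectedVersions) { hits = append(hits, a) }
	}
	return hits, nil
}
```

With the sample body, 6.6.10.14 yields one hit and 6.6.10.15 none, which is the distinction the "Continue anyway?" prompt hinges on.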
Soner (shyim) force-pushed the feat/project-create-security-advisory-check branch from 1e9fc09 to bb70bca on May 12, 2026 09:08
Soner (shyim) merged commit 3c59d16 into next on May 12, 2026
2 checks passed
Soner (shyim) deleted the feat/project-create-security-advisory-check branch on May 12, 2026 09:33