Add --no-audit to skip the security audit check for the PHP 8.2 PHPUnit#2372
Add --no-audit to skip the security audit check for the PHP 8.2 PHPUnit#2372mukeshpanchal27 wants to merge 2 commits intotrunkfrom
--no-audit to skip the security audit check for the PHP 8.2 PHPUnit#2372Conversation
mukeshpanchal27
added
Infrastructure
mukeshpanchal27
requested review from
felixarntz and
thelovekesh
as code owners
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## trunk #2372 +/- ##
=======================================
Coverage 69.17% 69.17%
=======================================
Files 90 90
Lines 7708 7708
=======================================
Hits 5332 5332
Misses 2376 2376
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR attempts to resolve a failing security audit check in the PHP 8.2 PHPUnit workflow by implementing two complementary approaches: adding an audit ignore configuration for a specific security advisory in composer.json, and adding the --no-audit flag to the problematic composer command in the GitHub Actions workflow.
Changes:
- Added audit ignore configuration in composer.json to suppress security advisory PKSA-z3gr-8qht-p93v
- Added
--no-auditflag to the PHP 8.2 composer require command in the test workflow
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| composer.json | Adds audit configuration to ignore security advisory PKSA-z3gr-8qht-p93v |
| .github/workflows/php-test-plugins.yml | Adds --no-audit flag to composer require command for PHP 8.2 PHPUnit installation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if [ "${{ matrix.php }}" == "8.2" ]; then | ||
| # Version 2.1.0 of doctrine/instantiator started requiring PHP 8.4: <https://github.com/doctrine/instantiator/pull/148>. | ||
| composer require phpunit/phpunit:${{ matrix.phpunit }} "doctrine/instantiator:<2.1" --with-all-dependencies --ignore-platform-reqs | ||
| composer require phpunit/phpunit:${{ matrix.phpunit }} "doctrine/instantiator:<2.1" --with-all-dependencies --ignore-platform-reqs --no-audit |
There was a problem hiding this comment.
While the --no-audit flag is added for the PHP 8.2 composer require command, there's a composer update command on line 83 (just above this block) that runs for all PHP versions including 8.2 and may trigger the same security audit issue. If the audit.ignore configuration in composer.json doesn't prevent the audit from failing, the workflow might still fail at the composer update step before reaching this install step.
Verify that the audit.ignore configuration in composer.json properly handles the composer update command, or consider conditionally adding --no-audit to that command as well for PHP 8.2.
composer.json
Outdated
| }, | ||
| "audit": { | ||
| "ignore": [ | ||
| "PKSA-z3gr-8qht-p93v" | ||
| ] |
There was a problem hiding this comment.
The audit ignore configuration in composer.json combined with the --no-audit flag in the workflow creates an inconsistent approach to handling security audits. If the audit.ignore configuration is sufficient to suppress the advisory PKSA-z3gr-8qht-p93v globally, then the --no-audit flag in the workflow is unnecessary. Conversely, if --no-audit is needed, then this audit.ignore configuration may be redundant.
Consider using only one approach:
- If you want to suppress a specific advisory, use only the audit.ignore configuration in composer.json
- If you want to skip all audits for the PHP 8.2 case, use only the --no-audit flag in the workflow
The first approach is generally preferred as it's more targeted and doesn't skip all security audits.
| }, | |
| "audit": { | |
| "ignore": [ | |
| "PKSA-z3gr-8qht-p93v" | |
| ] |
composer.json
Outdated
| }, | ||
| "audit": { | ||
| "ignore": [ | ||
| "PKSA-z3gr-8qht-p93v" |
There was a problem hiding this comment.
The security advisory ID "PKSA-z3gr-8qht-p93v" is being ignored, but there is no accompanying comment or documentation explaining what this advisory is, why it's safe to ignore, or what the risk assessment was. This makes it difficult for future maintainers to understand whether this ignore should remain in place or be revisited when dependencies are updated.
Consider adding a comment above this configuration explaining:
- What package and vulnerability this advisory relates to
- Why it's acceptable to ignore this advisory
- Any related issue or PR links for context
| "PKSA-z3gr-8qht-p93v" | |
| { | |
| "advisory-id": "PKSA-z3gr-8qht-p93v", | |
| "reason": "Advisory applies only to a development-time dependency listed under require-dev and does not affect code shipped with this plugin. The team has accepted this limited risk and will revisit if the affected package is used at runtime.", | |
| "link": "https://github.com/WordPress/performance/issues" | |
| } |
Removed audit ignore configuration from composer.json.
1 participant
Summary
Fix issue https://github.com/WordPress/performance/actions/runs/21458842709/job/61828880918?pr=2365
Relevant technical choices
Use of AI Tools