
fix(ci): skip composer advisory audit for framework integration test installs#3950

Draft
Leiyks wants to merge 1 commit into
masterfrom
leiyks/fix-ci-laravel-composer-audit

Conversation

@Leiyks
Contributor

@Leiyks Leiyks commented Jun 3, 2026

What broke

A Packagist security advisory PKSA-mdq4-51ck-6kdq / CVE-2026-48019 (CRLF injection in Laravel's default email validation rule, published ~2026-06-03) flags essentially all Laravel framework versions this repo pins for integration tests (affected ranges >=9,<12.60.0 and >=13,<13.10.0; Latest pins 12.44.0, plus the 9.x/10.x/11.x fixtures).

As a result, composer's resolver refuses to load the pinned versions and all Laravel integration jobs fail during the composer setup phase, before any test runs:

```
Root composer.json requires laravel/framework 12.44.0 ... found laravel/framework[v12.44.0]
but these were not loaded, because they are affected by security advisories ("PKSA-mdq4-51ck-6kdq").
```

This is an external/environmental break, not a code regression. We intentionally pin these Laravel versions as test fixtures, so we do not want to bump them.

The fix

Disable composer's resolver-level block-insecure audit at the single shared composer invocation point (`run_composer_with_retry` in the Makefile), by running `composer config audit.block-insecure false` on the project before `composer update`.

Note: `--no-audit` only skips the post-install audit report and does not lift the resolver block — verified in docker. The `audit.block-insecure` config must be set on the project being updated.

Because the change is at the shared point used by every framework/integration composer install, it unblocks all affected Laravel versions at once. It also harmlessly applies to other frameworks (Symfony, etc.) — acceptable for CI test fixtures.

Verification (docker, datadog/dd-trace-ci:php-8.3_bookworm-8, composer 2.9.8)

  • Reproduced the exact failure: `make tests/Frameworks/Laravel/Latest/composer.lock-php83` failed with the advisory resolver error; `--no-audit` did not clear it.
  • With the fix: laravel/framework v12.44.0 resolves + installs, lock file and vendor/ created (the only remaining step that fails is the post-autoload-dump script reaching the mysql-integration host, expected without the full CI service network).
  • Also confirmed older in-range fixture Laravel 10.x (laravel/framework 10.50.2) now installs cleanly.

…installs

A Packagist security advisory (PKSA-mdq4-51ck-6kdq / CVE-2026-48019, CRLF
injection in the default email validation rule) flags essentially all
Laravel framework versions this repo pins for integration tests
(>=9,<12.60.0 and >=13,<13.10.0). Composer's resolver refuses to load the
pinned versions, so every Laravel integration job fails during the composer
setup phase before any test runs.

These are intentionally pinned test fixtures, not shipped code, so disable
composer's resolver-level 'block-insecure' audit at the shared composer
invocation point (run_composer_with_retry). --no-audit only skips the
post-install audit report and does NOT lift the resolver block, so the
audit.block-insecure config must be set on the project being updated.

This is applied at the single shared point used by all framework/integration
composer installs, so it covers every affected Laravel version at once (and
harmlessly also covers other frameworks such as Symfony).
@datadog-datadog-prod-us1-2

datadog-datadog-prod-us1-2 Bot commented Jun 3, 2026

Pipelines  Tests


⚠️ Warnings

🚦 146 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | API unit tests: [7.0]

See error InvalidArgumentException: Setting audit.block-insecure does not exist or is not supported by this command.

DataDog/apm-reliability/dd-trace-php | API unit tests: [7.1]

See error InvalidArgumentException: Setting audit.block-insecure does not exist or is not supported by this command.

DataDog/apm-reliability/dd-trace-php | API unit tests: [7.2]

See error InvalidArgumentException: Setting audit.block-insecure does not exist or is not supported by this command.

View all 146 failed jobs.

ℹ️ Info

No other issues found

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage
Patch Coverage: 100.00%
Overall Coverage: 54.12% (+0.00%)

🔗 Commit SHA: f842f62
