diff --git a/Makefile b/Makefile
index 1f9328e630..36a2de54d4 100644
--- a/Makefile
+++ b/Makefile
@@ -1213,7 +1213,12 @@ MAX_RETRIES := 3
 RUN_WEB_BENCHES_WITH_DDPROF ?=
 # Note: The "composer show" command below outputs a csv with pairs of dependency;version such as "phpunit/phpunit;9.6.17"
+# Note: We disable composer's "block-insecure" audit so that pinned dependency versions flagged by a
+# security advisory (e.g. Laravel/framework PKSA-mdq4-51ck-6kdq / CVE-2026-48019) still resolve. These
+# are intentionally pinned test fixtures, not shipped code; --no-audit only skips the post-install report
+# and does NOT lift the resolver-level block, so the config must be set on the project being updated.
 define run_composer_with_retry
+ $(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false
 for i in $$(seq 1 $(MAX_RETRIES)); do \
 echo "Attempting composer update (attempt $$i of $(MAX_RETRIES))..."; \
 $(COMPOSER) --working-dir=$(if $1,$1,.) update $2 && break || (echo "Retry $$i failed, waiting 5 seconds before next attempt..." && sleep 5); \