From f842f629698128d8cb426e0f2dd4f1df7467d7e6 Mon Sep 17 00:00:00 2001 From: Alexandre Rulleau Date: Wed, 3 Jun 2026 17:24:52 +0200 Subject: [PATCH] fix(ci): skip composer advisory audit for framework integration test installs A Packagist security advisory (PKSA-mdq4-51ck-6kdq / CVE-2026-48019, CRLF injection in the default email validation rule) flags essentially all Laravel framework versions this repo pins for integration tests (>=9,<12.60.0 and >=13,<13.10.0). Composer's resolver refuses to load the pinned versions, so every Laravel integration job fails during the composer setup phase before any test runs. These are intentionally pinned test fixtures, not shipped code, so disable composer's resolver-level 'block-insecure' audit at the shared composer invocation point (run_composer_with_retry). --no-audit only skips the post-install audit report and does NOT lift the resolver block, so the audit.block-insecure config must be set on the project being updated. This is applied at the single shared point used by all framework/integration composer installs, so it covers every affected Laravel version at once (and harmlessly also covers other frameworks such as Symfony).
---
Makefile | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Makefile b/Makefile
index 1f9328e630..36a2de54d4 100644
--- a/Makefile
+++ b/Makefile
@@ -1213,7 +1213,12 @@ MAX_RETRIES := 3
 RUN_WEB_BENCHES_WITH_DDPROF ?=
 # Note: The "composer show" command below outputs a csv with pairs of dependency;version such as "phpunit/phpunit;9.6.17"
+# Note: We disable composer's "block-insecure" audit so that pinned dependency versions flagged by a
+# security advisory (e.g. Laravel/framework PKSA-mdq4-51ck-6kdq / CVE-2026-48019) still resolve. These
+# are intentionally pinned test fixtures, not shipped code; --no-audit only skips the post-install report
+# and does NOT lift the resolver-level block, so the config must be set on the project being updated.
 define run_composer_with_retry
+ $(COMPOSER) --working-dir=$(if $1,$1,.) config audit.block-insecure false
 for i in $$(seq 1 $(MAX_RETRIES)); do \
 echo "Attempting composer update (attempt $$i of $(MAX_RETRIES))..."; \
 $(COMPOSER) --working-dir=$(if $1,$1,.) update $2 && break || (echo "Retry $$i failed, waiting 5 seconds before next attempt..." && sleep 5); \
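Review bot: The added `config audit.block-insecure false` line waives the resolver block for every advisory against every package in every project that goes through `run_composer_with_retry`, not just the Laravel advisory the comment names, so any future advisory hitting a pinned test dependency will now be accepted without anyone noticing. If Composer's `audit.ignore` list is honoured by the resolver block (worth confirming against the Composer version used in CI), scoping the waiver to the known IDs, e.g. `$(COMPOSER) --working-dir=$(if $1,$1,.) config audit.ignore PKSA-mdq4-51ck-6kdq` (check the exact syntax for list-valued keys), would keep the block active for anything new; otherwise the comment should at least say this is a blanket waiver and when it should be revisited. Note also that `composer config` rewrites the target directory's composer.json, and with an empty `$1` that is the repository root, so this persists the setting into checked-in files and leaves a local tree dirty; if that matters, restore the file after the update or document the side effect in the comment. The body of `run_composer_with_retry` continues past the end of the hunk.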