Activate composer audit by default (instead of roave security advisor…

…ies)
phpro · May 17, 2024 · f7cb092 · f7cb092
1 parent 87b8fe3
commit f7cb092
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -30,18 +30,30 @@ composer recipes
 composer recipes:install THE/DEPENDENCY --force -v
 ```
 
-### roave/security-advisories 
-
-```bash
-composer require --dev roave/security-advisories:dev-master
-```
+### composer audit (security-advisories)
 
 ```yaml 
 # grumphp.yaml
 parameters:
     run_security_advisories: true
 ```
 
+You might want to alter the default composer audit configuration in your local composer.json file.
+
+For example if you don't want to fail CI on usage of abandoned packages:
+
+```json
+{
+    "config": {
+        "audit": {
+            "abandoned": "report"
+        }
+    }
+}
+```
+
+[See official docs for more information.](https://getcomposer.org/doc/06-config.md#audit)
+
 ### phpstan/phpstan
 
 ```bash

diff --git a/grumphp-convention.yml b/grumphp-convention.yml
@@ -3,7 +3,7 @@ parameters:
     stop_on_first_failure: false
     run_phpstan: false
     run_psalm: false
-    run_security_advisories: false
+    run_security_advisories: true
     grumhp_exec_command: kevin app php
     phpstan.level: "max"
     phpunit.parallel: true
@@ -61,9 +61,7 @@ grumphp:
         phpcsfixer:
             config: ".php-cs-fixer.php"
             config_contains_finder: true
-        securitychecker_roave:
-            jsonfile: ./composer.json
-            lockfile: ./composer.lock
+        securitychecker_composeraudit:
             run_always: true
             metadata:
                 enabled: "%run_security_advisories%"