From f7cb092c06a4a541d9862413dc77b6f393322ad7 Mon Sep 17 00:00:00 2001 From: Toon Verwerft Date: Thu, 16 May 2024 11:23:26 +0200 Subject: [PATCH] Activate composer audit by default (instead of roave security advisories) --- README.md | 22 +++++++++++++++++----- grumphp-convention.yml | 6 ++---- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 6e6675b..86951d9 100644 --- a/README.md +++ b/README.md @@ -30,11 +30,7 @@ composer recipes composer recipes:install THE/DEPENDENCY --force -v ``` -### roave/security-advisories - -```bash -composer require --dev roave/security-advisories:dev-master -``` +### composer audit (security-advisories) ```yaml # grumphp.yaml @@ -42,6 +38,22 @@ parameters: run_security_advisories: true ``` +You might want to alter the default composer audit configuration in your local composer.json file. + +For example if you don't want to fail CI on usage of abandoned packages: + +```json +{ + "config": { + "audit": { + "abandoned": "report" + } + } +} +``` + +[See official docs for more information.](https://getcomposer.org/doc/06-config.md#audit) + ### phpstan/phpstan ```bash diff --git a/grumphp-convention.yml b/grumphp-convention.yml index ed507ff..dc5ec5f 100644 --- a/grumphp-convention.yml +++ b/grumphp-convention.yml @@ -3,7 +3,7 @@ parameters: stop_on_first_failure: false run_phpstan: false run_psalm: false - run_security_advisories: false + run_security_advisories: true grumhp_exec_command: kevin app php phpstan.level: "max" phpunit.parallel: true @@ -61,9 +61,7 @@ grumphp: phpcsfixer: config: ".php-cs-fixer.php" config_contains_finder: true - securitychecker_roave: - jsonfile: ./composer.json - lockfile: ./composer.lock + securitychecker_composeraudit: run_always: true metadata: enabled: "%run_security_advisories%"