Mechanism to fix CVEs by the presence of another package (Shopware security plugin) #12628

amenk · 2025-11-20T09:43:12Z

amenk
Nov 20, 2025

In the Shopware ecosystem, there is the a security plugin which can be installed / updated via Composer to fix known vulnerabilities if an update of the core packages would be to risky or time consuming at that moment.

So what happens is, that we update the security plugin but composer update would still complain about the shopware/core CVEs, even they are patched by the plugin.

An idea would be that a composer package can provide a audit.fixes list so that CVEs in the core packages are automatically ignored. Currently it's necessary to do this manually in the root composer.json

Other options:

Of course this itself is some workaround already and I guess the plugin is meant mostly for stores which are not really fully composer managed and merchants update via the admin panel.
Shopware also could release patched core packages for each minor version, so there would be no need for the security plugin.

I am fully okay with a "won't implement" response, but wanted to bring this discussion on the table.

xabbuh · 2025-11-20T09:52:45Z

xabbuh
Nov 20, 2025

This looks like it requests the same as #12616 if I understand it correctly. Does the solution for that issue (see 632d1c3) help? Or is it taking that idea one step further?

1 reply

amenk Nov 20, 2025
Author

Ah interesting, I did not find this. But #12616 is more extreme as it aims on fully ignoring all CVEs for the core package.

stof · 2025-11-20T10:37:09Z

stof
Nov 20, 2025

This feature request won't work for the new block-insecure feature that blocks vulnerable packages during composer update due to a chicken-&-egg problem: the plugin will be installed as part of the dependency installation, and so cannot change the ignore rules applied in the PoolBuilder when starting the dependency resolution (which happens before the installation step)

0 replies

Seldaek · 2025-11-20T15:49:19Z

Seldaek
Nov 20, 2025
Maintainer

Shopware also could release patched core packages for each minor version, so there would be no need for the security plugin.

That would indeed be the preferable outcome here. Because ignoring all CVEs is now possible but a nasty hack.. And third party packages declaring ignores for CVEs also sounds like a bad idea (beyond the fact that as @stof said it isn't really possible to implement).

1 reply

amenk Nov 20, 2025
Author

that's what I wanted to hear :o)

ping @shyim from Shopware ;-)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Mechanism to fix CVEs by the presence of another package (Shopware security plugin) #12628

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Mechanism to fix CVEs by the presence of another package (Shopware security plugin) #12628

Uh oh!

amenk Nov 20, 2025

Replies: 3 comments · 2 replies

Uh oh!

xabbuh Nov 20, 2025

Uh oh!

amenk Nov 20, 2025 Author

Uh oh!

stof Nov 20, 2025

Uh oh!

Seldaek Nov 20, 2025 Maintainer

Uh oh!

amenk Nov 20, 2025 Author

amenk
Nov 20, 2025

Replies: 3 comments 2 replies

xabbuh
Nov 20, 2025

amenk Nov 20, 2025
Author

stof
Nov 20, 2025

Seldaek
Nov 20, 2025
Maintainer

amenk Nov 20, 2025
Author