From 0c99bfc8fd2724696cb54560daac1fe7787a4729 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Wed, 7 Feb 2024 11:37:50 +0100
Subject: [PATCH] Fix root aliases causing problems when auditing locked dependencies, fixes #11771
---
 src/Composer/Repository/RepositorySet.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Composer/Repository/RepositorySet.php b/src/Composer/Repository/RepositorySet.php
index 9940d0850..48cf424a4 100644
--- a/src/Composer/Repository/RepositorySet.php
+++ b/src/Composer/Repository/RepositorySet.php
@@ -30,6 +30,7 @@ use Composer\Semver\Constraint\Constraint;
 use Composer\Semver\Constraint\ConstraintInterface;
 use Composer\Package\Version\StabilityFilter;
 use Composer\Semver\Constraint\MatchAllConstraint;
+use Composer\Semver\Constraint\MultiConstraint;
 
 /**
 * @author Nils Adermann
@@ -245,7 +246,15 @@ class RepositorySet
 {
 $map = [];
 foreach ($packages as $package) {
- $map[$package->getName()] = new Constraint('=', $package->getVersion());
+ // ignore root alias versions as they are not actual package versions and should not matter when it comes to vulnerabilities
+ if ($package instanceof AliasPackage && $package->isRootPackageAlias()) {
+ continue;
+ }
+ if (isset($map[$package->getName()])) {
+ $map[$package->getName()] = new MultiConstraint([new Constraint('=', $package->getVersion()), $map[$package->getName()]], false);
+ } else {
+ $map[$package->getName()] = new Constraint('=', $package->getVersion());
+ }
 }
 
 return $this->getSecurityAdvisoriesForConstraints($map, $allowPartialAdvisories);
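Review bot: The bare `false` passed as the second argument of `new MultiConstraint([...], false)` in the `isset($map[$package->getName()])` branch is what makes the audit report an advisory when any listed version of a package is affected, and nothing at the call site says so; in conjunctive mode two `=` constraints on different versions can never both hold, so advisories for that package would silently stop matching. I would add a comment above that branch, e.g. `// disjunctive (OR): the same name can be listed more than once; report an advisory if any listed version matches`. Since `$package->getName()` is now evaluated up to four times per iteration, hoisting it into `$name = $package->getName();` would also make the two branches easier to compare. The patch touches only this file, so a regression test with a locked root alias next to the real package would be worth adding; the enclosing method starts and ends outside the hunk.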