From 4e5be9ee7d924d8efc58d676439b0c7bd18a9ce4 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Fri, 12 Jan 2024 14:20:59 +0100
Subject: [PATCH] Emit warning instead of crashing on invalid security advisory API response, fixes #11767
---
 src/Composer/Repository/ComposerRepository.php | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/Composer/Repository/ComposerRepository.php b/src/Composer/Repository/ComposerRepository.php
index 68cf7bd60..ec244b129 100644
--- a/src/Composer/Repository/ComposerRepository.php
+++ b/src/Composer/Repository/ComposerRepository.php
@@ -709,8 +709,16 @@ class ComposerRepository extends ArrayRepository implements ConfigurableReposito
 $options['http']['content'] = http_build_query(['packages' => array_keys($packageConstraintMap)]);
 $response = $this->httpDownloader->get($apiUrl, $options);
+ $warned = false;
 /** @var string $name */
 foreach ($response->decodeJson()['advisories'] as $name => $list) {
+ if (!isset($packageConstraintMap[$name])) {
+ if (!$warned) {
+ $this->io->writeError(''.$this->getRepoName().' returned names which were not requested in response to the security-advisories API. '.$name.' was not requested but is present in the response. Requested names were: '.implode(', ', array_keys($packageConstraintMap)).'');
+ $warned = true;
+ }
+ continue;
+ }
 if (count($list) > 0) {
 $advisories[$name] = array_filter(array_map(
 static function ($data) use ($name, $create) {
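Review bot: The loop still trusts the shape of the repository's response: `$response->decodeJson()['advisories']` is indexed without checking that the key exists or holds an array, and `count($list)` runs on whatever value the server sent. A malformed body can therefore still raise an error or warning here, even though unrequested names are now skipped. A guard such as `if (!is_array($list)) { continue; }` next to the new `isset` check, plus an `is_array()` test on the decoded `advisories` value before the `foreach`, would cover those cases. Reporting them through the same `writeError()` path keeps a broken advisory API from reading as a clean audit result. Separately, `$name` is a key taken from the remote response and is concatenated into the warning as-is, so it may be worth escaping or truncating it before printing. The enclosing method starts and ends outside the hunk.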