
ci: disable composer audit block-insecure so the solver resolves#30

Merged: stixx merged 1 commit into main from chore/composer-audit-block-insecure-off on May 22, 2026

Conversation

@stixx (Owner) commented May 22, 2026

Summary

Composer 2.6+ refuses by default to install packages affected by security advisories, even when those packages are transitive dependencies the bundle cannot upgrade directly. As new advisories land on packages in our transitive graph (symfony/yaml via league/openapi-psr7-validator → devizzent/cebe-php-openapi, symfony/routing via nelmio/api-doc-bundle, and others), the Symfony 7.3 CI matrix hits "Your requirements could not be resolved" even though the bundle itself does not exercise the vulnerable code paths.

This PR sets config.audit.block-insecure: false so the solver stops refusing advisory-affected versions. composer audit remains fully functional and continues to list every advisory when invoked, so security review of the dependency tree is unaffected.

Why this approach over per-ID ignoring

The earlier draft of this PR added each advisory ID to audit.ignore with inline justifications. That works once but becomes a maintenance treadmill: each new advisory anywhere in the transitive graph requires a follow-up commit. As soon as the symfony/yaml entries cleared, a new advisory on symfony/routing started failing CI for the same structural reason. Disabling block-insecure removes the recurring bookkeeping while preserving honest audit visibility.

Mature OSS Symfony bundles with limited maintainer time (and broad transitive graphs) commonly use this same setting; it's the documented escape hatch in Composer's own error message: "To turn the feature off entirely, you can set 'block-insecure' to false in your 'audit' config."

What this PR does NOT change

  • composer audit remains the source of truth for security review. The setting only stops the solver from refusing to install.
  • Direct dependencies are unaffected — they continue to go through normal review when bumped.
  • The bundle's runtime exposure is unchanged: the affected transitives (symfony/yaml, symfony/routing historical versions) are not in any code path the bundle ships.

Test plan

  • Verified locally: `SYMFONY_REQUIRE=7.3.* composer update --prefer-dist --no-progress --dry-run` now resolves cleanly. Output reports "Found N security vulnerability advisories affecting M packages" instead of "could not be resolved".
  • composer audit still reports every advisory when run explicitly.
  • CI matrices to confirm post-merge: PHP 8.4/8.5 × Symfony 7.3/8.0 all green.

Compatibility

No runtime change. Only affects the composer install-time gate. Setting can be reverted if/when upstream cleans up.
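Added example, not part of this PR or the bundle's own code: with block-insecure off, the install-time gate is gone, so the place to keep advisory triage explicit is a separate CI step over `composer audit --format=json`. The script below sorts advisories into ones that must block the build (a direct dependency, which the repo can bump itself, or an acceptance past its expiry), ones accepted with a dated justification (the bookkeeping the earlier audit.ignore draft carried, now kept out of the solver's way), and unreviewed transitive ones that are surfaced but do not fail the build, which is the policy the description argues for. The composer.json, the audit output and the advisory IDs are constructed placeholders; the key names (`advisories`, `advisoryId`, `packageName`, `cve`) follow Composer's audit JSON as I understand it and should be checked against the Composer version used in CI; the acceptance file `.audit-accept.json` is hypothetical.

```python
"""Added example: a CI triage step standing in for the solver gate that
config.audit.block-insecure = false turns off. Feed it the output of
`composer audit --format=json` plus composer.json; it decides what blocks."""
import json
from datetime import date

# Constructed composer.json: two direct requires that pull symfony/yaml and
# symfony/routing in transitively, plus the setting this PR adds.
COMPOSER_JSON = r'''{
  "require": {
    "league/openapi-psr7-validator": "*",
    "nelmio/api-doc-bundle": "*"
  },
  "config": {"audit": {"block-insecure": false}}
}'''

# Constructed stand-in for `composer audit --format=json`. Key names mirror
# Composer's audit JSON as the author understands it (verify against your
# Composer version); the advisory IDs and CVE are placeholders, not real ones.
AUDIT_JSON = r'''{
  "advisories": {
    "symfony/yaml": [
      {"advisoryId": "PKSA-placeholder-1", "packageName": "symfony/yaml",
       "cve": "CVE-0000-00001", "affectedVersions": "<7.3.1",
       "title": "placeholder advisory", "link": "https://example.invalid/1"}
    ],
    "symfony/routing": [
      {"advisoryId": "PKSA-placeholder-2", "packageName": "symfony/routing",
       "cve": null, "affectedVersions": "<7.3.1",
       "title": "placeholder advisory", "link": "https://example.invalid/2"}
    ]
  },
  "abandoned": {}
}'''

# Reviewed acceptances (hypothetical .audit-accept.json): advisory ID -> dated
# justification. This is what audit.ignore carried, kept out of the solver's
# way but with an expiry so it cannot rot silently.
ACCEPTED = {
    "PKSA-placeholder-1": {
        "until": "2026-08-31",
        "reason": "transitive via devizzent/cebe-php-openapi; the bundle does not reach the affected Yaml code path",
    },
}


def direct_packages(composer_json: dict) -> set:
    """Packages named in require/require-dev, i.e. ones this repo can bump itself."""
    names = set()
    for section in ("require", "require-dev"):
        names.update(composer_json.get(section, {}))
    return names


def triage(audit: dict, composer_json: dict, accepted: dict, today: str) -> dict:
    """Sort advisories into block / accepted / warn.

    block:    advisory on a direct dependency (bump it), or an acceptance past its expiry.
    accepted: transitive advisory with an unexpired, justified acceptance.
    warn:     transitive advisory nobody has reviewed; surfaced but not blocking,
              which is the policy the PR description argues for.
    """
    direct = direct_packages(composer_json)
    advisories = audit.get("advisories", {})
    # Composer groups advisories by package name; tolerate a flat list too.
    flat = [a for group in advisories.values() for a in group] if isinstance(advisories, dict) else list(advisories)

    result = {"block": [], "accepted": [], "warn": []}
    for adv in flat:
        aid, pkg = adv.get("advisoryId"), adv.get("packageName")
        label = f"{pkg} {aid} ({adv.get('cve') or 'no CVE'})"
        if pkg in direct:
            result["block"].append(f"{label}: direct dependency, bump it")
            continue
        acc = accepted.get(aid)
        if acc is None:
            result["warn"].append(f"{label}: transitive, unreviewed")
        elif date.fromisoformat(acc["until"]) < date.fromisoformat(today):
            result["block"].append(f"{label}: acceptance expired {acc['until']}")
        else:
            result["accepted"].append(f"{label}: {acc['reason']}")
    return result


def exit_code(result: dict) -> int:
    """0 when nothing blocks, 1 otherwise; suitable as a CI step's status."""
    return 1 if result["block"] else 0


def run_example(today: str = "2026-06-01") -> dict:
    """Triage the constructed data as of `today` (ISO date)."""
    return triage(json.loads(AUDIT_JSON), json.loads(COMPOSER_JSON), ACCEPTED, today)


if __name__ == "__main__":
    res = run_example(date.today().isoformat())
    for bucket, items in res.items():
        for line in items:
            print(f"[{bucket}] {line}")
    raise SystemExit(exit_code(res))
```

Run it in the same job as `composer update`, after `composer audit --format=json > audit.json || true`; `composer audit` itself exits non-zero whenever it finds advisories, so capture its output and let this step, not the audit command, decide the build status. Point `triage()` at the real files instead of the embedded constructed strings.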

coderabbitai (bot) commented May 22, 2026

Warning: rate limit exceeded. @stixx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 51 seconds before requesting another review.


Commits: reviewing files that changed from the base of the PR and between ee40231 and 7b7ee10.

Files selected for processing (1): composer.json

@stixx force-pushed the chore/composer-audit-block-insecure-off branch from 6b43036 to bea3c6f on May 22, 2026 17:59
Composer 2.6+ refuses by default to install packages affected by
security advisories, even when those packages are transitive
dependencies we cannot upgrade directly. The bundle's transitive graph
crosses several packages (symfony/yaml via league/openapi-psr7-validator
→ devizzent/cebe-php-openapi, symfony/routing via nelmio/api-doc-bundle,
and others). As advisories land on packages in those chains, the
Symfony 7.3 CI matrix hits "Your requirements could not be resolved"
even though the bundle itself does not exercise the vulnerable code
paths.

Per-advisory-ID ignoring (audit.ignore) was tried but became a
maintenance treadmill — each new advisory anywhere in the transitive
graph required a follow-up commit. Setting audit.block-insecure: false
keeps the solver workable while leaving `composer audit` fully
functional and honest: running it explicitly continues to list every
advisory, so security review is unaffected. Direct dependencies still
go through the normal review process when bumped.

Verified locally with SYMFONY_REQUIRE=7.3.*: composer update now
resolves cleanly and reports the advisories without refusing to
install. Pairs well with Renovate/Dependabot if/when added — the
ignore-list approach would have fought auto-bump PRs.
@stixx force-pushed the chore/composer-audit-block-insecure-off branch from bea3c6f to 7b7ee10 on May 22, 2026 18:00
@stixx changed the title from "ci: ignore symfony/yaml transitive advisories so the solver resolves on 7.3" to "ci: disable composer audit block-insecure so the solver resolves" on May 22, 2026
@stixx stixx merged commit 9c303d7 into main May 22, 2026
6 checks passed
@stixx stixx deleted the chore/composer-audit-block-insecure-off branch May 22, 2026 18:03
