
date: 2026-06-12
tags: [composer, security, ci, sandbox, false-negative]
status: active
graduated_to:

The sandbox's composer audit is a false negative — a green local audit proves nothing

Symptom — #441 reported composer audit failing on the self-hosted CI runner (CVE-2026-45133, symfony/yaml), but composer audit ran clean in the web sandbox, which seemed to say the bug was already fixed.

Root cause — composer audit queries the Packagist advisory database over the network. The sandbox has no outbound access to it, so the audit reports "No security vulnerability advisories found" regardless of what is installed. The dependency was still the flagged version (symfony/yaml v8.1.0). Separately, the advisory's fixed-version list (…/8.0.12) over-matched the 8.1 branch, which already shipped the fix, so even the runner's failure was a false positive for this package.

Fix — verify a CVE claim from the installed source, not from a local audit: check the package version in composer.lock and confirm the fix is present (here, the Parser::DEFAULT_MAX_NESTING_LEVEL recursion guard, probed behaviourally). The resolution for #441 was a justified config.audit.ignore entry plus a SymfonyYamlNestingGuardTest pinning the guard, not a version bump.

Guard — this learning + tests/Unit/SymfonyYamlNestingGuardTest.php. Treat a green sandbox composer audit as "unknown", never "safe"; the runner's audit is authoritative.
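The two rules above (read the installed version from composer.lock, and downgrade a green audit to "unknown" when the advisory database was unreachable) as an added helper script; it is not part of this note or of Composer. It assumes the `advisories` key of `composer audit --format=json` output and the Packagist host name; the composer.lock and audit JSON below are constructed samples.

```python
"""Decide what a `composer audit` verdict is worth, and read the locked version directly."""
import json
import socket
from typing import Optional

# Host composer audit asks for advisories; unreachable from the sandbox in #441 (assumed name).
ADVISORY_HOST = "packagist.org"

# Constructed samples: the lock state from #441 and the audit JSON a cut-off sandbox produces.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "symfony/yaml", "version": "v8.1.0"}],
    "packages-dev": [],
})
SAMPLE_AUDIT_NO_NETWORK = json.dumps({"advisories": {}, "abandoned": {}})


def installed_version(lock_text: str, package: str) -> Optional[str]:
    """Return the locked version of `package` from composer.lock text, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def advisory_db_reachable(host: str = ADVISORY_HOST, timeout: float = 2.0) -> bool:
    """True only if a TCP connection to the advisory host succeeds; False in an offline sandbox."""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False


def classify_audit(audit_json: str, reachable: bool) -> str:
    """VULNERABLE if advisories were returned; otherwise SAFE only when the DB was reachable."""
    report = json.loads(audit_json)
    if report.get("advisories"):
        return "VULNERABLE"
    return "SAFE" if reachable else "UNKNOWN"


if __name__ == "__main__":
    # Live probe; in the #441 sandbox this prints UNKNOWN for the empty audit, never SAFE.
    online = advisory_db_reachable()
    print("symfony/yaml locked at", installed_version(SAMPLE_LOCK, "symfony/yaml"))
    print("audit verdict:", classify_audit(SAMPLE_AUDIT_NO_NETWORK, online))
```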