[UPMERGE] 1.0 -> 1.1 (#412)

Rafikooo · web-flow · commit 2953ab452127 · 2025-11-20T14:20:16.000+01:00
This PR has been generated automatically.
For more details see
[upmerge_pr.yaml](/Sylius/InvoicingPlugin/blob/1.0/.github/workflows/upmerge_pr.yaml).

**Remember!** The upmerge should always be merged with using `Merge pull
request` button.

In case of conflicts, please resolve them manually with usign the
following commands:
```
git fetch upstream
gh pr checkout &lt;this-pr-number&gt;
git merge upstream/1.1 -m "Resolve conflicts between 1.0 and 1.1"
```

If you use other name for the upstream remote, please replace `upstream`
with the name of your remote pointing to the `Sylius/InvoicingPlugin`
repository.

Once the conflicts are resolved, please run `git merge --continue` and
push the changes to this PR.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -197,7 +197,7 @@ jobs:
 
             -
                 name: Run security check
-                run: symfony security:check
+                run: composer audit --abandoned=ignore
 
             -
                 name: Run PHPStan
diff --git a/AUDIT-IGNORE.md b/AUDIT-IGNORE.md
@@ -0,0 +1,21 @@
+# AUDIT-IGNORE
+
+This document explains why specific advisories are added to `composer.json` → `config.audit.ignore`.
+
+**PKSA-gs8r-6kz6-pp56** — `api-platform/core` CVE-2025-31485; affected versions < 3.4.17, 4.0.0–4.0.21, 4.1.0–4.1.4 are pulled by Sylius dependency constraints. GraphQL property security grant caching issue allows unauthorized access.
+https://www.cve.org/CVERecord?id=CVE-2025-31485
+
+**PKSA-gnn4-pxdg-q76m** — `api-platform/core` CVE-2025-31481; same affected versions as above. GraphQL security bypass via Relay `node` type allows unauthorized entity access.
+https://www.cve.org/CVERecord?id=CVE-2025-31481
+
+**PKSA-yhcn-xrg3-68b1** — `twig/twig` CVE-2024-45411; affected versions < 1.44.8, < 2.16.1, < 3.14.0 are pulled by Sylius dependency constraints. Sandbox security checks can be bypassed when templates are loaded in non-sandbox context before include().
+https://www.cve.org/CVERecord?id=CVE-2024-45411
+
+**PKSA-2wrf-1xmk-1pky** — `twig/twig` CVE-2024-51755; affected versions < 3.11.2 or 3.12.0–3.14.0 are pulled by Sylius dependency constraints. Unguarded `__isset()` and array-access in sandbox allows attribute access on Array-like objects.
+https://www.cve.org/CVERecord?id=CVE-2024-51755
+
+**PKSA-365x-2zjk-pt47** — `symfony/http-foundation` CVE-2025-64500; affected versions < 5.4.50, < 6.4.29, < 7.3.7 are pulled by Sylius dependency constraints. Incorrect parsing of PATH_INFO can lead to limited authorization bypass.
+https://www.cve.org/CVERecord?id=CVE-2025-64500
+
+**PKSA-4g5g-4rkv-myqs** — `enshrined/svg-sanitize` CVE-2025-55166; affected versions < 0.22.0 are pulled by Sylius 1.13.x dependency constraints (requires ^0.16). Attribute sanitization bypass allowing XSS via mixed-case attributes. Fixed in Sylius 1.14 by removing the dependency entirely.
+https://www.cve.org/CVERecord?id=CVE-2025-55166
diff --git a/composer.json b/composer.json
@@ -80,6 +80,16 @@
             "symfony/flex": true,
             "symfony/runtime": false,
             "symfony/thanks": false
+        },
+        "audit": {
+          "ignore": [
+            "PKSA-gs8r-6kz6-pp56",
+            "PKSA-gnn4-pxdg-q76m",
+            "PKSA-yhcn-xrg3-68b1",
+            "PKSA-2wrf-1xmk-1pky",
+            "PKSA-365x-2zjk-pt47",
+            "PKSA-4g5g-4rkv-myqs"
+          ]
         }
     },
     "extra": {

Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,7 @@ jobs:`
`197`	`197`
`198`	`198`	`-`
`199`	`199`	`name: Run security check`
`200`		`- run: symfony security:check`
	`200`	`+ run: composer audit --abandoned=ignore`
`201`	`201`
`202`	`202`	`-`
`203`	`203`	`name: Run PHPStan`