Unclear behavior for security-only updates, when 2 composer.json files in different folders are used

[DanielRuf]

How are you running Renovate?

Self-hosted Renovate

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

Gitea, latest renovate Docker image

Please tell us more about your question or problem

We have a PHP project where multiple folders have a composer.json file.

Interestingly for one of both renovate suggest an upgrade to symfony/process 7.0.0 and tries to change the selector to ^7.0 but that makes not much sense.

1. symfony/process versions starting with 7.0.0 are not compatible with the engine
2. the CPE of the security vulnerabilities say, that a 6.x version newer than 6.4.13 should fix the relevant issue

Configuration:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ],
  "packageRules": [
    {
      "enabled": false,
      "matchPackageNames": ["*"]
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "enabled": true
  },
  "osvVulnerabilityAlerts": true
}

Resulting CVE information: CVE-2024-51736 / GHSA-qq5c-677p-737q

Artifact failure results:

Command failed: composer update symfony/process:7.0.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires symfony/process ^7.0, found symfony/process[v7.0.0, ..., v7.3.0] but these were not loaded, likely because it conflicts with another require.
  Problem 2
    - horstoeko/zugferd is locked to version v1.0.113 and an update of this package was not requested.
    - horstoeko/zugferd v1.0.113 requires symfony/process ^5|^6|^7 -> found symfony/process[v5.0.0, ..., v5.4.47, v6.0.0, ..., v6.4.20, v7.0.0, ..., v7.3.0] but these were not loaded, likely because it conflicts with another require.
  Problem 3
    - friendsofphp/php-cs-fixer is locked to version v3.75.0 and an update of this package was not requested.
    - friendsofphp/php-cs-fixer v3.75.0 requires symfony/process ^5.4 || ^6.4 || ^7.2 -> found symfony/process[v5.4.0, ..., v5.4.47, v6.4.0, ..., v6.4.20, v7.2.0, v7.2.4, v7.2.5, v7.3.0] but it conflicts with your temporary update constraint (symfony/process:7.0.0).
  Problem 4
    - horstoeko/zugferdvisualizer is locked to version v1.0.10 and an update of this package was not requested.
    - horstoeko/zugferd v1.0.113 requires symfony/process ^5|^6|^7 -> found symfony/process[v5.0.0, ..., v5.4.47, v6.0.0, ..., v6.4.20, v7.0.0, ..., v7.3.0] but these were not loaded, likely because it conflicts with another require.
    - horstoeko/zugferdvisualizer v1.0.10 requires horstoeko/zugferd ^1 -> satisfiable by horstoeko/zugferd[v1.0.113].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

Manual check locally:

.\composer.bat why-not symfony/process 7.0.0
psg/pipeline-planner dev-main requires symfony/process (^6.2)
f> riendsofphp/php-cs-fixer v3.75.0 requires symfony/process (^5.4 || ^6.4 || ^7.2)
symfony/process v7.0.0 requires php (>=8.2 but 8.1.2 is installed)

We have set the platform version for PHP to 8.1.2.

So why does renovate try to use symfony/process 7.0.0 and increase the SemVer selector ti the major version instead of staying on 6.x?

Logs (if relevant)

No response

[DanielRuf]

From the renovate output:

DEBUG: Setting allowed version >= 6.4.14 to fix vulnerability GHSA-qq5c-677p-737q in symfony/process 6.2.0 (repository=[redacted], baseBranch=dependency-updates)


{
"depType": "require",
"depName": "symfony/process",
"currentValue": "^6.2",
"lockedVersion": "6.4.20",
"datasource": "packagist",
"updates": [
{
"bucket": "major",
"newVersion": "7.0.0",
"newValue": "^7.0",
"releaseTimestamp": "2023-11-20T16:43:42.000Z",
"newVersionAgeInDays": 571,
"newMajor": 7,
"newMinor": 0,
"newPatch": 0,
"updateType": "major",
"isBreaking": true,
"isRange": true,
"branchName": "renovate/packagist-symfony-process-vulnerability"
}
],
"packageName": "symfony/process",
"versioning": "composer",
"warnings": [],
"sourceUrl": "https://github.com/symfony/process",
"registryUrl": "https://repo.packagist.org",
"homepage": "https://symfony.com",
"currentVersion": "6.4.20", <== so theoretically this update is not needed, but why the upgrade to v7 then?
"currentVersionTimestamp": "2025-03-10T17:11:00.000Z",
"currentVersionAgeInDays": 95,
"isSingleVersion": false,
"fixedVersion": "6.4.20" <== shouldn't this be used then? why is 7.0.0 still used, even if it does not fix the mentioned CVE?
},

[DanielRuf]

So why does renovate not skip the major upgrade, since it is not relevant for the security?
It seems so check for vulnerabilityFixStrategy set to lowest does not cover the case, where a non-vulnerable version is already used (or the currentVersion equals fixedVersion).