Closed
Description
My composer.json:
{
    "type": "project",
    "license": "proprietary",
    "require": {
    },
    "require-dev": {
    }
}
Output of composer diagnose:
Checking composer.json: OK
Checking composer.lock: OK
Checking platform settings: OK
Checking git settings: OK git version 2.47.0
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking Composer version: OK
Checking Composer and its dependencies for vulnerabilities: FAIL
Audit found some issues:
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/process |
| Severity | high |
| CVE | CVE-2024-51736 |
| Title | CVE-2024-51736: Command execution hijack on Windows with Process class |
| URL | https://symfony.com/cve-2024-51736 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Composer version: 2.8.2
PHP version: 8.3.13
PHP binary path: /opt/homebrew/Cellar/php/8.3.13/bin/php
OpenSSL version: OpenSSL 3.3.2 3 Sep 2024
curl version: 8.10.1 libz 1.2.12 ssl OpenSSL/3.4.0 (SecureTransport)
zip: extension present, unzip present, 7-Zip not available
When I run this command:
composer validate --no-check-publish --strict -vvv
I get the following output:
Running 2.8.2 (2024-10-29 16:12:11) with PHP 8.3.13 on Darwin / 24.1.0
Reading ./composer.json (/Users/major/Code/company-project/composer.json)
Loading config file ./composer.json (/Users/major/Code/company-project/composer.json)
Checked CA file /opt/homebrew/etc/ca-certificates/cert.pem: valid
Executing command (/Users/major/Code/company-project): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Reading /Users/major/.composer/composer.json (/Users/major/.dotfiles/composer.json)
Loading config file /Users/major/.composer/composer.json (/Users/major/.dotfiles/composer.json)
Reading ./composer.lock (/Users/major/Code/company-project/composer.lock)
Reading /Users/major/Code/company-project/vendor/composer/installed.json
Reading /Users/major/.composer/vendor/composer/installed.json
Reading ./composer.json (/Users/major/Code/company-project/composer.json)
Reading ./composer.json (/Users/major/Code/company-project/composer.json)
Loading config file ./composer.json (/Users/major/Code/company-project/composer.json)
Executing command (.): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Reading /Users/major/.composer/composer.json (/Users/major/.dotfiles/composer.json)
Loading config file /Users/major/.composer/composer.json (/Users/major/.dotfiles/composer.json)
Reading ./composer.lock (/Users/major/Code/company-project/composer.lock)
Reading ./vendor/composer/installed.json (/Users/major/Code/company-project/vendor/composer/installed.json)
Reading /Users/major/.composer/vendor/composer/installed.json
Reading ./composer.lock (/Users/major/Code/company-project/composer.lock)
./composer.json is valid for simple usage with Composer but has
strict errors that make it unable to be published as a package
See https://getcomposer.org/doc/04-schema.md for details on the schema
# Publish warnings
- name : The property name is required
- description : The property description is required
And I expected this to happen:
I should get no publish errors, because I used the --no-check-publish flag.