Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.7k stars, 105 forks

Package greps the entire composer.json file, not just packages #94

Closed richard-hayes closed 2 years ago

richard-hayes commented 2 years ago

After the most recent commit (21d0504612c544af1d8ce000e5e0301aa8bbde7c), I noticed that the Laravel project that I was working on was being flagged with the following message: laravel/laravel is present at version 1.0.0+no-version-set and cannot be modified by Composer.

The issue ended up being that the first line of composer.json (name) was still set to 'laravel/laravel'. After changing the name value, it was no longer flagged. Is this expected behaviour?

Ocramius commented 2 years ago

Yes: SAT looks at a whole dependency graph, where the root package is also part of the dependency set.
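The behaviour described in the answer above, as an added illustration that is not part of the issue thread or of roave/security-advisories itself: a small model of a solver that treats the root package as one more member of the dependency set and checks every member against a `conflict` list. The default version `1.0.0+no-version-set` is the one quoted in the report; the conflict constraints and installed packages are constructed placeholders, not real advisory data.

```python
"""Toy model of why a Composer root package can be flagged by a conflict list.

Constructed example, not the project's own code. The constraint values below
are placeholders for illustration and do not reflect real advisories.
"""
from __future__ import annotations

import re

# Version Composer assigns to a root package whose composer.json declares none
# (the value quoted in the issue report).
DEFAULT_ROOT_VERSION = "1.0.0+no-version-set"

# Constructed conflict list in the shape of a composer.json "conflict" section.
# PLACEHOLDER constraints: chosen only to demonstrate matching behaviour.
CONFLICTS = {
    "laravel/laravel": "<5.8.38",
    "example/vulnerable-lib": "<2.3.1",
}

# Constructed installed set, as a solver would see it before adding the root.
INSTALLED = {
    "example/vulnerable-lib": "2.3.0",
    "other/safe": "1.2.0",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Comparable tuple; build metadata ('+...') and stability suffixes ('-...') are ignored."""
    core = re.split(r"[+-]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 4:
        parts.append(0)  # pad so 1.0 and 1.0.0.0 compare equal
    return tuple(parts)


_ATOM = re.compile(r"^(>=|<=|==|>|<|=)?\s*(\d+(?:\.\d+)*)$")


def _atom_ok(version: tuple[int, ...], atom: str) -> bool:
    """Evaluate one comparison such as '<5.8.38' against a parsed version."""
    m = _ATOM.match(atom.strip())
    if not m:
        raise ValueError(f"unsupported constraint atom: {atom!r}")
    op, bound = m.group(1) or "==", parse_version(m.group(2))
    return {
        ">=": version >= bound, "<=": version <= bound,
        ">": version > bound, "<": version < bound,
        "==": version == bound, "=": version == bound,
    }[op]


def satisfies(version: str, constraint: str) -> bool:
    """Composer-style constraint: '|' separates alternatives, ',' joins conjuncts."""
    v = parse_version(version)
    return any(
        all(_atom_ok(v, atom) for atom in alternative.split(","))
        for alternative in constraint.split("|")
    )


def dependency_set(root_name: str, root_version: str | None,
                   installed: dict[str, str]) -> dict[str, str]:
    """The solver's view: the root package is part of the graph, with Composer's
    default version when composer.json declares none."""
    graph = dict(installed)
    graph[root_name] = root_version or DEFAULT_ROOT_VERSION
    return graph


def flagged(packages: dict[str, str],
            conflicts: dict[str, str] = CONFLICTS) -> list[tuple[str, str, str]]:
    """Every (name, version, constraint) in the graph that a conflict entry matches."""
    return [
        (name, ver, conflicts[name])
        for name, ver in sorted(packages.items())
        if name in conflicts and satisfies(ver, conflicts[name])
    ]


if __name__ == "__main__":
    # Root still named laravel/laravel and unversioned: it is flagged alongside the real hit.
    for hit in flagged(dependency_set("laravel/laravel", None, INSTALLED)):
        print("flagged:", hit)
    # Root renamed to the application's own name: only the dependency is flagged.
    for hit in flagged(dependency_set("myvendor/my-app", None, INSTALLED)):
        print("after rename:", hit)
```

The model shows why the fix in the report (changing `name`) works: the conflict list is keyed by package name, and an unversioned root named after a framework skeleton looks, to the solver, like an old release of that package. It also shows that renaming the root does not hide genuine hits among the dependencies.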