Currently, every time a vulnerability is found, the whole installation ends with an error, which stops the installation at that point. This becomes problematic e.g. when deploying to Platform.sh: whenever the security-checker fails, the deploy fails as well.
Possible ideas on how to resolve the issue:
- removing "security-checker security:check": "script" from the auto-scripts section and making a prominent recommendation for developers to run it after completing the eZ Platform installation,
- making sure that the security report is shown in case of detected vulnerabilities but not breaking the installation process (no error code).
The PR uses the 2nd approach above.
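As an added illustration of the 2nd approach (not code from this PR or from ezplatform), a POSIX shell wrapper that runs a checker, prints its full report, keeps the checker's real exit status in a variable for a deploy hook to inspect, but itself always returns 0 so the install continues. The security-checker itself is replaced by a constructed stand-in that prints a fake report and exits 1.

```shell
#!/bin/sh
# Added example, not part of the ezplatform PR. Shows the "report but do
# not break the install" behaviour the 2nd approach asks for.

# Constructed stand-in for `security-checker security:check`: prints a
# report in the same spirit and exits 1 because it "found" an advisory.
# The package name and advisory id below are placeholders, not real data.
fake_security_checker() {
    printf 'Symfony Security Check Report\n'
    printf '=============================\n'
    printf '1 package has known vulnerabilities.\n'
    printf 'example/package (v1.0.0)\n'
    printf ' * [PLACEHOLDER-ADVISORY] placeholder advisory title\n'
    return 1
}

# Runs the given command, prints whatever it produced and always returns 0.
# The command's own exit status is kept in SECURITY_CHECK_STATUS so a deploy
# hook can still log or alert on it without aborting the build. The
# `|| status=$?` form keeps this safe under `set -e`.
run_non_blocking_check() {
    status=0
    report=$("$@" 2>&1) || status=$?
    printf '%s\n' "$report"
    SECURITY_CHECK_STATUS=$status
    if [ "$status" -ne 0 ]; then
        printf 'WARNING: security check exited with %s; continuing install.\n' \
            "$status" >&2
    fi
    return 0
}

# Stand-alone demonstration: the report is shown, the wrapper still succeeds.
run_non_blocking_check fake_security_checker
printf 'checker status was %s, wrapper continued\n' "$SECURITY_CHECK_STATUS"
```

In a real auto-script or deploy hook, `fake_security_checker` would be replaced by the actual `security-checker security:check` invocation.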
Steps to reproduce:
- Check out ezplatform v1.13.5, or v2.5.5, or v3.1.1
- composer install && echo "SUCCESS!"
- expected, pre-fix: output about known vulnerabilities, no "SUCCESS!"
- expected, post-fix: output about known vulnerabilities, and "SUCCESS!"