**Warning **⚠️
- Do NOT push the updated
composer.json to the production environment ! - You should only ignore security advisory on local development environment, NOT the production !
I got the following error when running ahoy build for a SaaS GovCMS client:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| > ahoy build
=> [cli 8/9] RUN mv /tmp/composer.json /app/composer.json
=> ERROR [cli 9/9] RUN rm composer.lock && composer install -d /app && composer clearcache 24.3s
=> CANCELED [nginx stage-1 3/3] COPY redirects-map.conf /etc/nginx/govcms-redirects-map.conf 0.7s
=> CANCELED [test stage-1 3/3] COPY tests /app/tests/ 0.7s
=> CANCELED [php] exporting to image 0.5s
=> => exporting layers 0.5s
------
> [cli 9/9] RUN rm composer.lock && composer install -d /app && composer clearcache:
0.370 No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
0.382 Gathering patches from patch file.
0.382 - Removing drupal/core (10.5.6)
0.382 Removing package drupal/core so that it can be re-installed and re-patched.
7.900 Deleting /app/web/core - deleted
7.907 > DrupalProject\composer\ScriptHa
|
According to the error, we can see it is caused by drupal/captcha[2.0.9] no being loaded because of a security advisory (potential vulnerability I assume), for local development purpose, we can ignore this via the following steps:
Firstly, amend your custom/composer/composer.json to add ignore the security advisory:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| {
"name": "govcms/govcms-custom",
"description": "Provides additional packages over the GovCMS base distribution.",
"repositories": [],
+ "config": {
+ "audit": {
+ "ignore": ["SA-CONTRIB-2026-015"]
+ }
+ },
"require": {
"drupal/page_manager": "^4.0-rc2",
"drupal/adminimal_theme": "^1.7",
"drupal/panels": "4.9.0"
}
}
|
Secondly, amend your .docker/Dockerfile.cli such that the amended composer.json is included (thus the audit ignore will take effect):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| ARG CLI_IMAGE
ARG GOVCMS_IMAGE_VERSION=10.x-latest
FROM govcms/govcms:${GOVCMS_IMAGE_VERSION}
ARG GOVCMS_GITHUB_TOKEN
ENV WEBROOT=web
COPY themes/ /app/web/themes/custom
COPY config /app/config
# Default application favicon this will be used for files and server
# error pages all other favicon requests will be surfaced via Drupal.
COPY favicon.ico /app/web
# To enable SaaS+ uncomment these lines
RUN [ ! -z "$GOVCMS_GITHUB_TOKEN" ] \
&& composer config --global github-oauth.github.com $GOVCMS_GITHUB_TOKEN \
|| echo "skipping github token"
COPY custom /app/custom
- RUN jq -s '.[1].repositories = (.[0].repositories + .[1].repositories) | .[1]' /app/custom/composer/composer.json /app/composer.json > /tmp/composer.json
+ RUN jq -s '.[1].repositories = (.[0].repositories + .[1].repositories) | .[1].config = ((.[1].config // {}) + (.[0].config // {})) | .[1]' /app/custom/composer/composer.json /app/composer.json > /tmp/composer.json
RUN mv /tmp/composer.json /app/composer.json
- RUN rm composer.lock && composer install -d /app && composer clearcache
+ RUN rm -f /app/composer.lock && composer install -d /app && composer clearcache
|
Finally run ahoy build should yield no more error
(if you are still seeing pull access denied type of error, try running docker composer build cli && ahoy build)