Pipelines blocked due to composer audit block
Twig released a security update, but Drupal core has not yet, so core still pins a version with a known security advisory, which Composer now blocks by default. Example: https://git.drupalcode.org/project/canvas/-/jobs/9892986

We have some SAs added to the default `composer.json` configuration here: https://git.drupalcode.org/project/gitlab_templates/-/blob/main/scripts/expand_composer_json.php?ref_type=heads#L234-244

```php
'audit' => [
  'ignore' => [
    // Add security advisory exceptions to allow legacy test coverage.
    // @see https://www.drupal.org/i/3564269 and https://blog.packagist.com/composer-2-9
    // cspell:disable
    'PKSA-yhcn-xrg3-68b1' => 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-2wrf-1xmk-1pky' => 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-6319-ffpf-gx66' => 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-365x-2zjk-pt47' => 'Drupal 11.1 symfony/http-foundation >=2 <=7.3.7. CVE-2025-64500',
    'PKSA-1gck-s111-yq7g' => 'Drupal 11.1 older versions of Composer < 2.9.3',
    // cspell:enable
  ],
],
```

The list can continue to grow and block things if the updates aren't coordinated (not just the same day but around the same time), so we should consider a global setting instead (mentioned here: https://www.drupal.org/project/drupal/issues/3557585#comment-16367747).

## Proposed resolution

If we set `COMPOSER_NO_SECURITY_BLOCKING` to `1`, the blocking shouldn't happen and the above list can probably be removed.
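Setting `COMPOSER_NO_SECURITY_BLOCKING=1` only removes the install-time block; `composer audit` still reports the advisories. The script below is an added example (not code from gitlab_templates or Drupal core) of a CI step that keeps the per-advisory exception list reviewable under the global setting: it fails only on advisories nobody has reviewed and flags exceptions that no longer match anything, so the list shrinks again once core updates. It assumes the JSON shape of `composer audit --format=json` shown in the constructed sample; the `PKSA-0000-0000-0000` entry and `example/pkg` are placeholders, not real advisories.

```python
import json

# Advisory exceptions from the gitlab_templates composer.json above,
# keyed by advisory ID with the reason each one is tolerated.
AUDIT_IGNORE = {
    'PKSA-yhcn-xrg3-68b1': 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-2wrf-1xmk-1pky': 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-6319-ffpf-gx66': 'Drupal9.5 twig v2.15.4 to v2.15.6',
    'PKSA-365x-2zjk-pt47': 'Drupal 11.1 symfony/http-foundation >=2 <=7.3.7. CVE-2025-64500',
    'PKSA-1gck-s111-yq7g': 'Drupal 11.1 older versions of Composer < 2.9.3',
}

# Constructed sample of `composer audit --format=json` output (not a real run):
# one tolerated twig advisory plus one placeholder advisory nobody has reviewed.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "twig/twig": [
            {"advisoryId": "PKSA-yhcn-xrg3-68b1", "packageName": "twig/twig",
             "affectedVersions": ">=2.15.4,<2.15.6", "title": "constructed sample", "cve": None},
        ],
        "example/pkg": [
            {"advisoryId": "PKSA-0000-0000-0000", "packageName": "example/pkg",
             "affectedVersions": "<9.9.9", "title": "constructed placeholder", "cve": None},
        ],
    },
    "abandoned": {},
})


def triage(audit_json: str, ignore: dict) -> dict:
    """Split audit findings into tolerated, unexpected and stale exceptions.

    Matching is by advisory ID only; Composer's audit.ignore also accepts CVE
    IDs, which this example does not handle.
    """
    report = json.loads(audit_json)
    found = {}  # advisoryId -> package name
    for package, advisories in report.get("advisories", {}).items():
        for adv in advisories:
            found[adv["advisoryId"]] = package
    tolerated = {aid: pkg for aid, pkg in found.items() if aid in ignore}
    unexpected = {aid: pkg for aid, pkg in found.items() if aid not in ignore}
    stale = sorted(set(ignore) - set(found))  # exceptions that can be removed
    return {"tolerated": tolerated, "unexpected": unexpected, "stale": stale}


def pipeline_should_fail(audit_json: str, ignore: dict) -> bool:
    """Fail the job only when an advisory has no recorded exception."""
    return bool(triage(audit_json, ignore)["unexpected"])
```

In the pipeline this would run after `COMPOSER_NO_SECURITY_BLOCKING=1 composer install`, feeding it the real `composer audit --format=json` output and printing the `stale` list so the exceptions get pruned.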