diff --git a/README.md b/README.md index 67905642..ae75ab47 100644 --- a/README.md +++ b/README.md @@ -309,6 +309,7 @@ These tools can be set up globally using the `tools` input. It accepts a string - Input `tools` is useful to set up tools which are only used in CI workflows, thus keeping your `composer.json` tidy. - If you do not want to use all your dev-dependencies in workflow, you can run composer with `--no-dev` and install required tools using `tools` input to speed up your workflow. - By default, `COMPOSER_NO_INTERACTION` is set to `1` and `COMPOSER_PROCESS_TIMEOUT` is set to `0`. In effect, this means that Composer commands in your scripts do not need to specify `--no-interaction`. +- Also, `COMPOSER_NO_AUDIT` is set to `1`. So if you want to audit your dependencies for security vulnerabilities, it is recommended to add a `composer audit` step before you install them. ## :signal_strength: Coverage Support diff --git a/src/configs/composer.env b/src/configs/composer.env index f535d215..6335d612 100644 --- a/src/configs/composer.env +++ b/src/configs/composer.env @@ -1,2 +1,3 @@ COMPOSER_PROCESS_TIMEOUT=0 COMPOSER_NO_INTERACTION=1 +COMPOSER_NO_AUDIT=1
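Review bot: The new README bullet recommends `composer audit` "before you install" without saying what there is to audit at that point: before `vendor/` exists the only thing to check is `composer.lock`, so the step should be spelled out as `composer audit --locked` run ahead of `composer install`, and the text should note that a project without a committed lock file has nothing to audit until after installation. The bullet also gives no reason why the action turns the built-in audit off by default, so a reader cannot judge whether to keep that default or override it; add the rationale and state whether setting `COMPOSER_NO_AUDIT=0` in the step's `env` restores Composer's behaviour. Minor wording: drop the leading "Also," and replace "before you install them" with "before installing your dependencies", since "them" has no clear antecedent in the sentence.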
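Review bot: The `composer.env` hunk silently disables a security check for every consumer of the action, and nothing in the diff records why; a one-line comment next to `COMPOSER_NO_AUDIT=1` (or the reason in the commit message) would keep the next maintainer from reverting it as an oversight. Because `COMPOSER_NO_AUDIT` is applied to `install`, `update`, `require` and `remove` alike, confirm this is meant to cover tool installation performed by the action itself as well as the user's own Composer commands, and that a user-supplied value of the variable is not clobbered when this file is loaded; if it is, the README should say so.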