Composer Concrete update fails 9.4.7 to 9.4.8

PATRICKKASIE · March 18, 2026, 1:46pm

This is a follow up from Composer Concrete update fails

I’ve tried using the command “composer update” but I get the following error:

I’ve tried this with both composer update as well as /usr/local/php83/bin/php83 /usr/local/bin/composer update which also gives that error.

This relates to the previous post because I’ve also tried implementing the suggestions on this github post. This also did not work.

This issue is unique to that website alone. I am not sure where that’s coming from and why other websites do not have this issue.

revee · March 18, 2026, 2:20pm

Hi,

In my websites, the composer updates work just fine so it’s probably possible to test them without bumping into this error.

The update in your case seems to be blocked because of a security advisory in firebase-jwt which is required by google/apiclient. This is not a Concrete requirement as far as I can tell (I don’t have it in any of my sites) so this seems to be specific to your application. You may need to :require a newer major of that.

There is also an advisory about svg-sanitize required by Concrete itself but that should be fixed when composer updates and realizes it doesn’t need to stick to 9.4.6 anymore.

As a temporary fix you can disable this (new) audit checking by composer, by adding:

"audit": {
      "block-insecure": false
}

..to the “config:” section of your composer.json.

I hope this helps!

Maurits.

PATRICKKASIE · March 18, 2026, 2:29pm

Thank you Revee. That indeed fixed it. This was unique to this website, other websites did not seem to have this issue, but it happened to be the first one I updated, leading me to believe something that isn’t true. I apologize for my harsh words, this was a me issue.