Adobe Commerce Cloud deployment fails due to blocked Composer version

Adobe Commerce on Cloud deployments fail during the Composer build phase when a previously pinned Composer version becomes blocked by updated security advisories. The build stops before standard deployment processes complete, even without application changes. Updating the pinned Composer version in the configuration restores successful builds.

To resolve the issue, update the pinned Composer version and redeploy.

Description description

Environment

  • Adobe Commerce on Cloud
  • Cloud deployment builds using pinned Composer versions

Issue/Symptoms

  • Deployment fails during the Composer build or install phase
  • Previously successful deployments fail without application code changes
  • Build failure occurs before standard Adobe Commerce deployment steps complete
  • Build logs report blocked Composer versions affected by security advisories

Example error:

Your requirements could not be resolved to an installable set of packages.

Root composer.json requires composer/composer 2.2.27 (exact version match: 2.2.27 or 2.2.27.0), found composer/composer[ 2.2.27]  but these were not loaded, because they are affected by security advisories.

Go to https://packagist.org/security-advisories/ to find advisory details.

To ignore the advisories, add them to the audit "ignore" config.

To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Resolution resolution

  1. Review deployment logs and identify the blocked Composer version reported in the build output.

  2. Open the .magento.app.yaml file in the project repository.

  3. Locate the Composer dependency under the dependencies > php section. Example:

    code language-none
    dependencies:
      php:
        composer/composer: '2.2.27'
    
  4. Replace the blocked Composer version with a supported secure version compatible with the Adobe Commerce release. Example configurations: For Adobe Commerce 2.4.7 or later:

    code language-none
    dependencies:
      php:
        composer/composer: '2.9.8'
    

    For Adobe Commerce 2.4.5–2.4.6:

    code language-none
    dependencies:
      php:
        composer/composer: '2.2.28'
    
  5. Commit the configuration changes to the repository.

  6. Redeploy the environment.

  7. Verify that the Composer install phase completes successfully without security advisory errors.

recommendation-more-help
experience-cloud-kcs-help-kbarticles