Adobe Commerce Cloud deployment fails due to blocked Composer version
Adobe Commerce on Cloud deployments fail during the Composer build phase when a previously pinned Composer version becomes blocked by updated security advisories. The build stops before standard deployment processes complete, even without application changes. Updating the pinned Composer version in the configuration restores successful builds.
To resolve the issue, update the pinned Composer version and redeploy.
Description description
Environment
- Adobe Commerce on Cloud
- Cloud deployment builds using pinned Composer versions
Issue/Symptoms
- Deployment fails during the Composer build or install phase
- Previously successful deployments fail without application code changes
- Build failure occurs before standard Adobe Commerce deployment steps complete
- Build logs report blocked Composer versions affected by security advisories
Example error:
Your requirements could not be resolved to an installable set of packages.
Root composer.json requires composer/composer 2.2.27 (exact version match: 2.2.27 or 2.2.27.0), found composer/composer[ 2.2.27] but these were not loaded, because they are affected by security advisories.
Go to https://packagist.org/security-advisories/ to find advisory details.
To ignore the advisories, add them to the audit "ignore" config.
To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
Resolution resolution
-
Review deployment logs and identify the blocked Composer version reported in the build output.
-
Open the
.magento.app.yamlfile in the project repository. -
Locate the Composer dependency under the
dependencies > phpsection. Example:code language-none dependencies: php: composer/composer: '2.2.27' -
Replace the blocked Composer version with a supported secure version compatible with the Adobe Commerce release. Example configurations: For Adobe Commerce 2.4.7 or later:
code language-none dependencies: php: composer/composer: '2.9.8'For Adobe Commerce 2.4.5–2.4.6:
code language-none dependencies: php: composer/composer: '2.2.28' -
Commit the configuration changes to the repository.
-
Redeploy the environment.
-
Verify that the Composer install phase completes successfully without security advisory errors.