From 987fdf3c099c95de6b2fdcc59aa5ce8a1dd6fdaf Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Wed, 8 Jul 2026 02:26:08 -0600 Subject: [PATCH] fix: composer security audit blocked pinned shopware/core, bump to 6.7.12.1 Bootstrap died with exit 2 because Composer >= 2.9 enables audit.block-insecure by default: shopware/core v6.7.8.2 is now affected by 9 security advisories (all fixed in 6.7.10.1+), so 'composer create-project shopware/production:6.7.8.2' failed to resolve dependencies and the whole stack never started. - Bump the pinned Shopware version to 6.7.12.1 (latest, advisory-free). - Disable audit.block-insecure in the bootstrap's global composer config so advisories published after a version is pinned cannot brick fresh one-click deploys. - Use APP_URL=http://${main_domain} per template conventions; an https APP_URL breaks storefront sales-channel matching when the Dokploy domain is served over plain http. Verified on a Dokploy instance: full bootstrap + deployment-helper install completed in ~4 min, storefront and /admin both return HTTP 200. Co-Authored-By: Claude Fable 5 --- blueprints/shopware/docker-compose.yml | 6 +++++- blueprints/shopware/template.toml | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/blueprints/shopware/docker-compose.yml b/blueprints/shopware/docker-compose.yml index cbb518d7..95d5b101 100644 --- a/blueprints/shopware/docker-compose.yml +++ b/blueprints/shopware/docker-compose.yml @@ -110,7 +110,7 @@ services: <<: *shopware-env COMPOSER_ALLOW_SUPERUSER: "1" COMPOSER_HOME: "/tmp/composer" - SHOPWARE_VERSION: "${SHOPWARE_VERSION:-6.7.8.2}" + SHOPWARE_VERSION: "${SHOPWARE_VERSION:-6.7.12.1}" SHOPWARE_DOCKER_VERSION: "${SHOPWARE_DOCKER_VERSION:-0.3.0}" ENABLE_DEMO_DATA: "${ENABLE_DEMO_DATA:-1}" DEMO_DATA_VERSION: "${DEMO_DATA_VERSION:-2.1.0}" @@ -148,6 +148,10 @@ services: tmp_dir="$$(mktemp -d)" + # Composer >=2.9 refuses to install pinned versions that are affected by + # security advisories published later. Keep the pinned bootstrap deterministic. + composer config -g audit.block-insecure false 2>/dev/null || true + composer create-project --no-interaction --prefer-dist "shopware/production:${SHOPWARE_VERSION}" "$$tmp_dir" cd "$$tmp_dir" composer require --no-interaction "shopware/docker:${SHOPWARE_DOCKER_VERSION}" diff --git a/blueprints/shopware/template.toml b/blueprints/shopware/template.toml index b93259c7..487f82dc 100644 --- a/blueprints/shopware/template.toml +++ b/blueprints/shopware/template.toml @@ -1,6 +1,6 @@ [variables] main_domain = "${domain}" -app_url = "https://${main_domain}" +app_url = "http://${main_domain}" app_secret = "${hash:64}" instance_id = "${hash:32}" database_name = "shopware" @@ -13,7 +13,7 @@ lock_dsn = "redis://:${redis_password}@redis:6379/1" php_session_save_path = "tcp://redis:6379?auth=${redis_password}" install_admin_username = "admin" install_admin_password = "${password:20}" -shopware_version = "6.7.8.2" +shopware_version = "6.7.12.1" shopware_docker_version = "0.3.0" shopware_cli_image = "shopware/shopware-cli:0.14.3-php-8.4" shopware_base_image = "shopware/docker-base:8.4.19-nginx"