Tinymce fails to load - security advisories (v2025)

sclg · June 7, 2026, 1:33pm

On compiling a previously working project...

Your requirements could not be resolved to an installable set of packages.
  Problem 1
    - Root composer.json requires tinymce/tinymce ^6.8.6, found tinymce/tinymce[6.8.6] but these were not loaded, because they are affected by security advisories ("]8;;https://github.com/advisories/GHSA-vg35-5wq7-3x7w\PKSA-k4d6-bt7k-7ddp]8;;\", "]8;;https://github.com/advisories/GHSA-v98h-vmpc-fpqv\PKSA-2v47-9p8y-4qt3]8;;\", "]8;;https://github.com/advisories/GHSA-q742-qvgc-gc2f\PKSA-rf1b-835f-6yyv]8;;\", "]8;;https://github.com/advisories/GHSA-mh5m-5hw4-5c69\PKSA-fp8q-vmhs-msy9]8;;\", "]8;;https://github.com/advisories/GHSA-5359-pvf2-pw78\PKSA-hdg2-6rxt-d4qn]8;;\"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
Error: Command failed: composer update -n --no-audit --ansi

Following an earlier post, I've added to composer.json the following ignore lines...

        "audit": {
            "ignore": [
                "PKSA-hdg2-6rxt-d4qn",
                "PKSA-8x19-j2j3-bn67",
				"PKSA-k4d6-bt7k-7ddp",
				"PKSA-2v47-9p8y-4qt3",
				"PKSA-rf1b-835f-6yyv",
				"PKSA-fp8q-vmhs-msy9"
            ]
        }

... but I still get exactly the same error.

Any suggestions?

mobhar · June 7, 2026, 1:49pm

Similar to: Error Generating Scripts (v2025) - #5 by mobhar

sclg · June 7, 2026, 2:10pm

I'm not clear how that helps. I can't require tinymce 7 as the licensing has changed.

What version should I be asking for?
(I've now got over 10 projects none of which will generate any more!!)

skidmarks · June 7, 2026, 2:39pm

appears we are also receive major failures on packages, added the recommended to the "ignore" but continue to get the errors regardless:

Problem 1
    - Root composer.json requires symfony/cache ~v7.3.0, found symfony/cache[v7.3.0, ..., v7.3.11] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-z7t6-zt6p-wtng") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 2
    - Root composer.json requires symfony/mime ~v7.3.0, found symfony/mime[v7.3.0, ..., v7.3.11] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-wtxr-p26d-nn42", "PKSA-2n2k-66v2-bwg3") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 3
    - Root composer.json requires symfony/http-foundation ~v7.3.0, found symfony/http-foundation[v7.3.0, ..., v7.3.11] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y6py-qpv1-h52p") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 4
    - Root composer.json requires symfony/routing ~v7.3.0, found symfony/routing[v7.3.0, ..., v7.3.10] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-bf7t-jnpz-492k", "PKSA-yc7t-91v9-99xs") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 5
    - Root composer.json requires symfony/mailer ~v7.3.0, found symfony/mailer[v7.3.0, ..., v7.3.10] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-28rh-rzzn-djk4") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 6
    - Root composer.json requires symfony/psr-http-message-bridge ~v7.3.0 -> satisfiable by symfony/psr-http-message-bridge[v7.3.0, v7.3.8, v7.3.10].
    - symfony/psr-http-message-bridge[v7.3.0, ..., v7.3.10] require symfony/http-foundation ^6.4|^7.0 -> found symfony/http-foundation[v6.4.0, ..., v6.4.41, v7.0.0, ..., v7.4.13] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y6py-qpv1-h52p") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 7
    - Root composer.json requires symfony/security-bundle ~v7.3.0 -> satisfiable by symfony/security-bundle[v7.3.0, ..., v7.3.10].
    - symfony/security-bundle[v7.3.0, ..., v7.3.10] require symfony/http-foundation ^6.4|^7.0 -> found symfony/http-foundation[v6.4.0, ..., v6.4.41, v7.0.0, ..., v7.4.13] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-y6py-qpv1-h52p") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 8
    - Root composer.json requires gedmo/doctrine-extensions ^3.17.0 -> satisfiable by gedmo/doctrine-extensions[3.17.0, ..., v3.22.0].
    - gedmo/doctrine-extensions[3.17.0, ..., v3.21.0] require symfony/cache ^5.4 || ^6.0 || ^7.0 -> found symfony/cache[v5.4.0, ..., v5.4.53, v6.0.0, ..., v6.4.41, v7.0.0, ..., v7.4.13] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-z7t6-zt6p-wtng") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
    - gedmo/doctrine-extensions v3.22.0 requires symfony/cache ^5.4 || ^6.4 || ^7.3 || ^8.0 -> found symfony/cache[v5.4.0, ..., v5.4.53, v6.4.0, ..., v6.4.41, v7.3.0, ..., v7.4.13, v8.0.0, ..., v8.1.0] but these were not loaded, because they are affected by security advisories. To ignore the advisories, add ("PKSA-z7t6-zt6p-wtng") to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

        "audit": {
		"block-insecure": false,
            "ignore": [
                "PKSA-y6py-qpv1-h52p",
		"PKSA-z7t6-zt6p-wtng",
		"PKSA-wtxr-p26d-nn42",
		"PKSA-bf7t-jnpz-492k",
		"PKSA-fp8q-vmhs-msy9",
		"PKSA-yc7t-91v9-99xs",
		"PKSA-28rh-rzzn-djk4"
            ]
        },

mishanian · June 8, 2026, 12:07am

use this until they fix it,

"config": {
  ...
  "audit": {
    "block-insecure": false
  }
}

sclg · June 8, 2026, 9:30am

... doesn't work.

Support tells me that v6 is now end of life. Updating to v7 fixed the problem.