From 6353d20df21d10706fd0c5610665331cb93f9a54 Mon Sep 17 00:00:00 2001 From: Shivam Mathur Date: Mon, 22 Aug 2022 09:46:12 +0530 Subject: [PATCH] Set COMPOSER_NO_AUDIT environment variable by default --- README.md | 1 + src/configs/composer.env | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index 67905642c..ae75ab479 100644 --- a/README.md +++ b/README.md @@ -309,6 +309,7 @@ These tools can be set up globally using the `tools` input. It accepts a string - Input `tools` is useful to set up tools which are only used in CI workflows, thus keeping your `composer.json` tidy. - If you do not want to use all your dev-dependencies in workflow, you can run composer with `--no-dev` and install required tools using `tools` input to speed up your workflow. - By default, `COMPOSER_NO_INTERACTION` is set to `1` and `COMPOSER_PROCESS_TIMEOUT` is set to `0`. In effect, this means that Composer commands in your scripts do not need to specify `--no-interaction`. +- Also, `COMPOSER_NO_AUDIT` is set to `1`. So if you want to audit your dependencies for security vulnerabilities, it is recommended to add a `composer audit` step before you install them. ## :signal_strength: Coverage Support diff --git a/src/configs/composer.env b/src/configs/composer.env index f535d215a..6335d612a 100644 --- a/src/configs/composer.env +++ b/src/configs/composer.env @@ -1,2 +1,3 @@ COMPOSER_PROCESS_TIMEOUT=0 COMPOSER_NO_INTERACTION=1 +COMPOSER_NO_AUDIT=1
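Review bot: the README hunk should state what `COMPOSER_NO_AUDIT=1` actually turns off, namely the advisory audit Composer runs on its own after `install`/`update`/`require`, because as written the bullet ("Also, `COMPOSER_NO_AUDIT` is set to `1`.") tells users a setting was changed but not that a security check has been disabled for them by default. Suggested wording for the added line: "`COMPOSER_NO_AUDIT` is also set to `1`, which disables the vulnerability audit Composer would otherwise run after installing dependencies. If you want that check, add an explicit `composer audit` step; it reads `composer.lock`, so it can run before or after `composer install` as long as the lock file is present." The phrase "before you install them" is also slightly misleading, since `composer audit` needs a lock file rather than installed packages, and a `composer.json`-only project would get nothing from running it first.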
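Review bot: adding `COMPOSER_NO_AUDIT=1` to `src/configs/composer.env` silently opts every consumer of the action out of Composer's built-in vulnerability audit, and nothing in this hunk or the README change shows how to opt back in. A default that disables a security control should either be opt-in (leave the audit on and let users set the variable themselves) or ship with a documented override in the workflow and a note in the changelog or release notes, so that teams relying on the automatic audit learn about the behaviour change. The commit message ("Set COMPOSER_NO_AUDIT environment variable by default") also gives no motivation; recording why the default audit is unwanted here (noise, network calls, CI time) would help reviewers judge the trade-off.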