problem installing Filament

I just created a new Laravel app via the command laravel new smc-sandbox. All appeared to go well and I opened my new blank app in my IDE. Next step was to install Filament so I ran the command: composer require filament/filament:"^4.0" as I have done before. However, I got this error:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires filament/filament 4.0 (exact version match: 4.0, 4.0.0 or 4.0.0.0), found filament/filament[v4.0.0] but these were not loaded, because they are affected by security advisories ("PKSA-yb9k-ykqx-p2zw"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.


Installation failed, reverting ./composer.json and ./composer.lock to their original content.

I don't totally understand the error or how to resolve it. Any advice?

LaryAI

4 days ago

Level 58

Certainly! Here’s an explanation and step-by-step solution for the issue encountered when trying to install Filament v4 on a new Laravel app.

What the error means:

The error message is from Composer's security advisory system, which detects that the exact version of filament/filament (v4.0.0) you're trying to install has known security issues flagged (in this case, PKSA-yb9k-ykqx-p2zw). Composer refuses to install the package to protect your application by default.

How to solve it:

Step 1: Install the latest safe version

You shouldn’t install a version with known security issues. Instead, install the latest v4 version that does not have advisories. Run:

composer require filament/filament:"^4.0"

This command allows Composer to fetch the most recent, non-vulnerable 4.x version (not exactly 4.0.0).

If you specify "4.0" or "4.0.0", Composer will try to install that exact version, which is flagged. By specifying "^4.0", you allow Composer to choose the latest available minor/patch update (e.g., 4.7.3, etc.) that likely doesn't have reported issues.

Step 2: Check for any additional advisories

If you still get a security advisory error, you can check the details and see if a newer patch is available:

composer why-not filament/filament

This will provide more context about why a version can't be installed.

Step 3: If you really need that specific (insecure) version (not recommended):

You can override Composer’s security checks, but this is strongly discouraged unless you understand and accept the risks. To disable the security block, run:

composer config --no-plugins allow-plugins.composer/package-versions-deprecated true
composer config audit.block-insecure false
composer require filament/filament:"4.0.0"

But do not do this in production or for actual projects. Upgrade to a secure version instead.

Summary

Use composer require filament/filament:"^4.0" to let Composer choose a secure v4 release.
Avoid explicitly requiring exactly "4.0" or "4.0.0" since these have advisories.
Only bypass the advisory if you have a very special reason, and never for live apps.

Example full command you should use:

composer require filament/filament:"^4.0"

That should resolve your problem and keep your app secure!