My apologies in advance that this is another issue about security blocking introduced in 2.9. I have read some of the other closed issues and hope this adds something new to the discussion instead of rehashing old ground.

Similar to others we have had builds breaking due to the new automatic security blocking. In this instance one of the build steps involves running composer install when there is no composer.lock file, which now fails.

I attempted to add the env var COMPOSER_NO_SECURITY_BLOCKING to get the install to succeed, as works for composer update, but it is has no effect in this scenario.

Quoting from another issue:

The contract for composer install when there is no composer.lock file is that it will act as an alias for composer update,

It seems that when composer install with no lock file falls back to resolving dependencies it does not behave exactly the same, not taking into account environment variables that do affect the update command.