Composer 2.4 introduced a new command to check the dependencies in your projects for known vulnerabilities.
Before you use the new composer audit command, verify that you are using Composer 2.4 or newer by running
If this shows a version number lower than 2.4, an upgrade via composer self-update may be needed.
After this you can run composer audit --format plain, which returns a list of the known vulnerabilities that affect your dependencies, for example:
Found 1 security vulnerability advisory affecting 1 package:
Title: This is just a placeholder
Affected versions: >=1.0.0,<1.0.1|>=2.0.0,<2.2.1
Reported at: 2022-12-11T01:23:45+00:00
In CI/CD setups you can also run composer audit directly, as its exit code is the number of detected vulnerabilities, so any non-zero exit status fails the pipeline step.
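A CI gate built around that exit-code behaviour, as an added example that is not code from the original article or from the Composer project. It assumes Composer 2.4 or newer is installed in the CI image, the helper names (audit_exit_count, audit_summary_count, audit_gate) are hypothetical, and the sample output it parses is constructed from the placeholder advisory shown above. The summary parser also cross-checks the advisory count printed by --format plain against the exit code, which is useful when a wrapper script swallows the status.

```shell
#!/bin/sh
# Added example (not from the original article): a CI gate around `composer audit`.
# Assumes Composer 2.4 or newer is installed in the CI image; the sample
# audit output below is constructed from the article's placeholder advisory.

# Run the audit command given as arguments, forward its listing to stderr
# (so it still shows in the CI log) and print its exit status on stdout.
# For `composer audit` that status is the number of detected advisories
# (0 means clean). Shell exit statuses are 8-bit, so it cannot exceed 255.
audit_exit_count() {
    aec_status=0
    "$@" 1>&2 || aec_status=$?
    printf '%s\n' "$aec_status"
}

# Parse the "Found N security vulnerability advisor(y|ies) ..." summary line
# of `composer audit --format plain` output read from stdin. Prints N, or 0
# when no such line is present (assumed here to mean a clean audit).
audit_summary_count() {
    asc_n=$(sed -n 's/^Found \([0-9][0-9]*\) security vulnerability advisor.*/\1/p' | head -n 1)
    printf '%s\n' "${asc_n:-0}"
}

# Decide whether the build may continue: returns 0 when the audit command
# exited 0, 1 otherwise, with a one-line verdict on stderr.
audit_gate() {
    ag_count=$(audit_exit_count "$@")
    if [ "$ag_count" -eq 0 ]; then
        echo "composer audit: no known vulnerabilities in dependencies" >&2
        return 0
    fi
    echo "composer audit: $ag_count advisory(ies) reported, failing the build" >&2
    return 1
}

# Constructed sample output, matching the article's placeholder advisory.
SAMPLE_AUDIT_OUTPUT='Found 1 security vulnerability advisory affecting 1 package:
Title: This is just a placeholder
Affected versions: >=1.0.0,<1.0.1|>=2.0.0,<2.2.1
Reported at: 2022-12-11T01:23:45+00:00'

# In a real pipeline the gate runs the actual command:
#   audit_gate composer audit --format plain || exit 1
# Offline demonstration with the constructed sample (prints 1):
printf '%s\n' "$SAMPLE_AUDIT_OUTPUT" | audit_summary_count
```

In a pipeline step, `audit_gate composer audit --format plain || exit 1` is enough; the job fails on the first advisory while the full listing stays in the log.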