Skip to main content

Check dependencies in PHP projects for vulnerabilities

This blog post might be outdated!
This blog post was published more than one year ago and might be outdated!
· One min read
Daniel Ruf

Composer 2.4 introduced a new command to check the dependencies in your projects for known vulnerabilities.

Before you want to use use the new composer audit command, you should verify that you use Composer 2.4 or newer by running composer --version.

If this shows a version number lower than 2.4, then an upgrade via composer self-update may be needed.

After this you can run composer audit --format plain which returns a list of known vulnerabilities, that affect your dependencies.

Found 1 security vulnerability advisory affecting 1 package:
Package: vendor-name/package-name
CVE: CVE-2022-12345
Title: This is just a placeholder
URL: https://example.com/advisory/2022-12-11
Affected versions: >=1.0.0,<1.0.1|>=2.0.0,<2.2.1
Reported at: 2022-12-11T01:23:45+00:00

In CI / CD setups you can also run composer audit as the returned exit code is the number of detected vulnerabilities.

The information comes from a special endpoint https://packagist.org/api/security-advisories/. As data sources GitHub Security Advisories and FriendsOfPHP/security-advisories are used.

For more information, check the following links:
https://blog.packagist.com/composer-2-4/
https://getcomposer.org/doc/03-cli.md#audit
https://php.watch/articles/composer-audit