Get "PHP 8 in a Nuthshell" (Soon includes PHP 8.4)
Amit Merchant

Amit Merchant

A blog on PHP, JavaScript, and more

Finding security vulnerabilities in packages using Composer Audit command

Using third-party packages is a great way to add/implement certain features in your projects. For instance, Composer is the de-facto way of installing third-party packages in PHP-based projects conveniently.

But this convenience comes at a cost. Since your project relies on the code which is written by someone else, this also means it would also bring in security vulnerabilities (if any) to your project. This could prove to be fateful for your project if it deals with sensitive information.

So, this is why it’s important to keep a check on installed packages and whether they have any security vulnerabilities or not.

To mitigate this, Composer 2.4.0 introduced a new command called composer audit that checks for known security vulnerabilities in installed packages.

It does this by using the “List security advisory” API provided by Packagist.

To get started, first, upgrade your Composer to use version 2.4.0. Since this version is still a release candidate at the moment, you need to use the following command to try it out.

$ composer self-update --preview

And then you can try using the composer audit command in your project like so.

$ composer audit

Here’s the output when I ran it in my Laravel project.

composer audit

As you can tell, currently there aren’t any security vulnerabilities in the packages I’m using.

But if there are any vulnerabilities, here’s what the output looks like.

composer audit showing security vulnerabilities

Like this article?

Buy me a coffee

👋 Hi there! I'm Amit. I write articles about all things web development. You can become a sponsor on my blog to help me continue my writing journey and get your brand in front of thousands of eyes.

Comments?