

cs278/composer-audit
====================

Audit your Composer dependencies for security vulnerabilities.

v1.4.3 (released 7mo ago) · 898.4k downloads (down 39.8%) · [2 issues](https://github.com/cs278/composer-audit/issues) · MIT · PHP >= 7.2 · CI passing

Since Oct 20 · Pushed 7mo ago · 1 watcher

[Source](https://github.com/cs278/composer-audit) · [Packagist](https://packagist.org/packages/cs278/composer-audit) · [RSS](/packages/cs278-composer-audit/feed) · branch: main · Synced 2d ago


Composer Audit
==============


Audit your Composer dependencies for security vulnerabilities, using data from [FriendsOfPHP/security-advisories](https://github.com/FriendsOfPHP/security-advisories). Compatible with Composer 1 and 2.

This Composer plugin allows you to audit your dependencies for security vulnerabilities *without* sending your lock file to an [external service](https://security.symfony.com/) or using [closed source software](https://github.com/symfony/cli/issues/37).

Note this command is *distinct* from the `audit` command built into Composer ≥ 2.4.

Installation
------------


This plugin can either be installed as a dependency in your project or “globally” so that it is always available on your machine.

### Install as a development dependency


```
composer require --dev cs278/composer-audit ^1
```

### Install globally


```
composer global require cs278/composer-audit ^1
```

Usage
-----


### Audit dependencies


This will audit all locked dependencies from `composer.lock`.

If your package does not have a `composer.lock` file (e.g. because it’s a library), the installed packages, located in `vendor/composer/installed.json`, will be validated instead.

```
composer security-audit
```

### Audit non development dependencies


Only audit your production dependencies from `composer.lock`. This option only works when there is a `composer.lock` file.

```
composer security-audit --no-dev
```

### Update security advisories database


You can force an update of the security advisories database using the `--update` option. Without this option, the database is downloaded only if it does not exist or is more than an hour old. For example:

```
composer security-audit --update
```

Configuration
-------------


Composer Audit can be configured using the [`extra`](https://getcomposer.org/doc/04-schema.md#extra) property in your `composer.json` file. All configuration should be supplied under the `composer-audit` key.

```
{
    ...
    "extra": {
        ...
        "composer-audit": {
            "option1": "super"
        },
        ...
    },
    ...
}
```

### Ignoring an advisory


Currently only filtering advisories by CVE is possible, further options are planned.

#### Ignoring an advisory by CVE


You can ignore warnings about an advisory by filtering on its CVE reference. This is useful if you decide the risk is acceptable or not applicable and you cannot otherwise upgrade the package to resolve the problem.

```
{
    ...
    "extra": {
        ...
        "composer-audit": {
            "ignore": [
                {"type": "cve", "value": "CVE-2000-1234567"},
                {"type": "cve", "value": "CVE-2000-7654321"}
            ]
        },
        ...
    },
    ...
}
```
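As an added illustration (not the plugin's own code), the Python below sketches what an audit of this kind does for the two usage sections above: it reads the locked package versions, matches them against advisory version ranges, applies the `--no-dev` restriction and drops advisories whose CVE is listed under `extra.composer-audit.ignore`. The lock file, `composer.json` and advisory data are constructed samples with placeholder CVE ids; the real plugin uses the FriendsOfPHP/security-advisories database and a full Composer version-constraint grammar, which the simplified range matcher here does not reproduce.

```python
import json
import re

# Constructed sample inputs (not real project files). The vulnerable version
# is the one from the README's example; all CVE ids here are placeholders.
LOCK_JSON = json.dumps({
    "packages": [{"name": "symfony/http-foundation", "version": "v2.0.4"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.0"}],
})
COMPOSER_JSON = json.dumps({"extra": {"composer-audit": {"ignore": [
    {"type": "cve", "value": "CVE-2000-1234567"}]}}})
# Simplified, constructed advisory data: package -> (cve, title, version range).
ADVISORIES = {
    "symfony/http-foundation": [
        ("CVE-2000-1234567", "Accepted risk, ignored via config", ">=2.0.0,<2.0.5"),
        ("CVE-2000-7654321", "Still reported", ">=2.0.0,<2.0.6"),
        ("CVE-2000-1111111", "Only later versions affected", ">=2.0.5,<2.0.6"),
    ],
    "phpunit/phpunit": [("CVE-2000-2222222", "Dev-only finding", "<10.0.0")],
}

def parse_version(v):
    """Turn 'v2.0.4' into a comparable tuple (2, 0, 4)."""
    return tuple(int(x) for x in v.lstrip("v").split("."))

def satisfies(version, constraint):
    """True if version lies inside every comma-separated bound of constraint."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, "=": lambda a, b: a == b}
    for bound in constraint.split(","):
        m = re.match(r"(>=|<=|>|<|=)?\s*(.+)", bound.strip())
        if not ops[m.group(1) or "="](parse_version(version), parse_version(m.group(2))):
            return False
    return True

def audit(lock_json, composer_json, advisories, no_dev=False):
    """Return (package, version, cve, title) for every matching, unignored advisory."""
    lock = json.loads(lock_json)
    packages = list(lock.get("packages", []))
    if not no_dev:  # --no-dev restricts the audit to production packages
        packages += lock.get("packages-dev", [])
    cfg = json.loads(composer_json).get("extra", {}).get("composer-audit", {})
    ignored = {i["value"] for i in cfg.get("ignore", []) if i.get("type") == "cve"}
    findings = []
    for pkg in packages:
        for cve, title, constraint in advisories.get(pkg["name"], []):
            if cve not in ignored and satisfies(pkg["version"], constraint):
                findings.append((pkg["name"], pkg["version"], cve, title))
    return findings
```

Running `audit(LOCK_JSON, COMPOSER_JSON, ADVISORIES)` reports one advisory for `symfony/http-foundation` and one for the dev-only package; passing `no_dev=True` drops the latter, and removing the ignore entry brings the first advisory back.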

Example
-------


```
# Require a vulnerable package
composer require symfony/http-foundation 2.0.4

# Require Composer Audit
composer require --dev cs278/composer-audit ^1

composer security-audit
Found 9 advisories affecting 1 package(s).

composer://symfony/http-foundation (2.0.4)
* Request::getClientIp() when the trust proxy mode is enabled
* CVE-2012-6431: Routes behind a firewall are accessible even when not logged in
* CVE-2013-4752: Request::getHost() poisoning
* CVE-2014-5244: Denial of service with a malicious HTTP Host header
* CVE-2014-6061: Security issue when parsing the Authorization header
* CVE-2015-2309: Unsafe methods in the Request class
* CVE-2018-11386: Denial of service when using PDOSessionHandler
* CVE-2018-14773: Remove support for legacy and risky HTTP headers
* CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
```

Hyperlinks will be rendered to the appropriate CVE and advisory where available.

### Health Score

44 (Fair: better than 90% of packages)

- Maintenance 57: moderate activity, may be stable
- Popularity 37: limited adoption so far
- Community 10: small or concentrated contributor base
- Maturity 58: maturing project, gaining track record
- Bus factor 1: top contributor holds 99.1% of commits, a single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~115 days (recently: every ~67 days)
- Total releases: 17
- Last release: 232d ago
- PHP version history (2 changes): v1.0.0-alpha1 requires PHP >= 7.1; v1.4.0 requires PHP >= 7.2

### Community

Maintainers: [Chris Smith](/maintainers/cs278) ([@cs278](https://github.com/cs278))

Top contributors: [cs278](https://github.com/cs278) (106 commits), [denga](https://github.com/denga) (1 commit)

Tags: composer-plugin, php


### Alternatives

- [phpro/grumphp](/packages/phpro-grumphp): A composer plugin that enables source code quality checks.
- [oro/platform](/packages/oro-platform): Business Application Platform (BAP)
- [tempest/framework](/packages/tempest-framework): The PHP framework that gets out of your way.
- [rcsofttech/audit-trail-bundle](/packages/rcsofttech-audit-trail-bundle): Enterprise-grade, high-performance Symfony audit trail bundle. Automatically track Doctrine entity changes with split-phase architecture, multiple transports (HTTP, Queue, Doctrine), and sensitive data masking.
- [altis/local-server](/packages/altis-local-server): Local Server module for Altis
- [lullabot/drainpipe](/packages/lullabot-drainpipe): An automated build tool to allow projects to have a set of standardized operations scripts.

PHPackages © 2026

