
cs278/composer-audit
====================

Audit your Composer dependencies for security vulnerabilities.

v1.4.3 (6mo ago) · 891.9k downloads (↓19.4%) · [2 issues](https://github.com/cs278/composer-audit/issues) · MIT · PHP >= 7.2 · CI passing

Since Oct 20 · Pushed 6mo ago · 1 watcher

[Source](https://github.com/cs278/composer-audit) · [Packagist](https://packagist.org/packages/cs278/composer-audit) · [RSS](/packages/cs278-composer-audit/feed)

Composer Audit
==============

Audit your Composer dependencies for security vulnerabilities using data from [FriendsOfPHP/security-advisories](https://github.com/FriendsOfPHP/security-advisories). Compatible with Composer 1 and 2.

This Composer plugin allows you to audit your dependencies for security vulnerabilities *without* sending your lock file to an [external service](https://security.symfony.com/) or using [closed source software](https://github.com/symfony/cli/issues/37).

Note this command is *distinct* from the `audit` command built into Composer ≥ 2.4.

Installation
------------

This plugin can either be installed as a dependency in your project or “globally” so that it is always available on your machine.

### Install as a development dependency

```
composer require --dev cs278/composer-audit ^1
```

### Install globally

```
composer global require cs278/composer-audit ^1
```

Usage
-----

### Audit dependencies

This will audit all locked dependencies from `composer.lock`.

If your package does not have a `composer.lock` file (for example because it is a library), the installed packages listed in `vendor/composer/installed.json` will be audited instead.

```
composer security-audit
```

### Audit non development dependencies

Audit only your production dependencies from `composer.lock`. This option works only when a `composer.lock` file is present.

```
composer security-audit --no-dev
```

### Update security advisories database

You can force an update of the security advisories database using the `--update` option. Without this option, the database is downloaded only if it does not exist yet or is more than an hour old. For example:

```
composer security-audit --update
```

Configuration
-------------

Composer Audit can be configured using the [`extra`](https://getcomposer.org/doc/04-schema.md#extra) property in your `composer.json` file. All configuration must be supplied under the `composer-audit` key.

```
{
    ...
    "extra": {
        ...
        "composer-audit": {
            "option1": "super"
        },
        ...
    },
    ...
}
```

### Ignoring an advisory

Currently only filtering advisories by CVE is possible; further options are planned.

#### Ignoring an advisory by CVE

You can suppress warnings about an advisory by filtering on its CVE reference. This is useful when you have decided the risk is acceptable or not applicable and you cannot otherwise upgrade the package to resolve the problem.

```
{
    ...
    "extra": {
        ...
        "composer-audit": {
            "ignore": [
                {"type": "cve", "value": "CVE-2000-1234567"},
                {"type": "cve", "value": "CVE-2000-7654321"}
            ]
        },
        ...
    },
    ...
}
```
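The following script is an added example, not part of the plugin, showing how the `ignore` list above is applied: it reads `extra.composer-audit.ignore` from a constructed `composer.json`, validates each entry (the validation is added here; the plugin's own matching rules are an assumption), and filters a constructed advisory list modelled on the README's sample output. It also shows the caveat that an advisory without a CVE reference cannot be suppressed by this filter.

```php
<?php
// Added example (not the plugin's own code): read the `extra.composer-audit.ignore`
// list from composer.json and apply it to a constructed set of advisories.

// Constructed composer.json fragment in the format the README documents.
$composerJson = '{"extra": {"composer-audit": {"ignore": [
    {"type": "cve", "value": "CVE-2013-4752"},
    {"type": "cve", "value": "CVE-2014-5244"}
]}}}';

// Constructed advisories, modelled on the README's sample output; the first has no CVE.
$advisories = [
    ['cve' => null,             'title' => 'Request::getClientIp() when the trust proxy mode is enabled'],
    ['cve' => 'CVE-2013-4752',  'title' => 'Request::getHost() poisoning'],
    ['cve' => 'CVE-2014-5244',  'title' => 'Denial of service with a malicious HTTP Host header'],
    ['cve' => 'CVE-2019-18888', 'title' => 'Prevent argument injection in a MimeTypeGuesser'],
];

/** Set of ignored CVE ids (as keys). Malformed entries are rejected loudly (added check). */
function ignoredCves(string $json): array
{
    $config = json_decode($json, true);
    $ignored = [];
    foreach ($config['extra']['composer-audit']['ignore'] ?? [] as $entry) {
        if (($entry['type'] ?? null) !== 'cve') {
            throw new InvalidArgumentException('Only type "cve" is supported in the ignore list');
        }
        if (!preg_match('/^CVE-\d{4}-\d{4,}$/', (string) ($entry['value'] ?? ''))) {
            throw new InvalidArgumentException('Malformed CVE id: ' . var_export($entry['value'] ?? null, true));
        }
        $ignored[$entry['value']] = true;  // exact, case-sensitive match assumed
    }
    return $ignored;
}

/** Advisories still reported after the ignore filter is applied. */
function remaining(array $advisories, array $ignored): array
{
    // An advisory with no CVE reference cannot be matched, so it is always reported.
    return array_values(array_filter($advisories, function (array $a) use ($ignored) {
        return $a['cve'] === null || !isset($ignored[$a['cve']]);
    }));
}

foreach (remaining($advisories, ignoredCves($composerJson)) as $a) {
    printf("* %s%s\n", $a['cve'] ? $a['cve'] . ': ' : '', $a['title']);
}
```

Running it reports the uncatalogued `Request::getClientIp()` advisory and CVE-2019-18888, while the two configured CVEs are suppressed.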

Example
-------

```
# Require a vulnerable package
composer require symfony/http-foundation 2.0.4

# Require Composer Audit
composer require --dev cs278/composer-audit ^1

composer security-audit
Found 9 advisories affecting 1 package(s).

composer://symfony/http-foundation (2.0.4)
* Request::getClientIp() when the trust proxy mode is enabled
* CVE-2012-6431: Routes behind a firewall are accessible even when not logged in
* CVE-2013-4752: Request::getHost() poisoning
* CVE-2014-5244: Denial of service with a malicious HTTP Host header
* CVE-2014-6061: Security issue when parsing the Authorization header
* CVE-2015-2309: Unsafe methods in the Request class
* CVE-2018-11386: Denial of service when using PDOSessionHandler
* CVE-2018-14773: Remove support for legacy and risky HTTP headers
* CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
```

Hyperlinks will be rendered to the appropriate CVE and advisory where available.


### Community

Maintainers: [cs278](/maintainers/cs278)

Top contributors: [cs278](https://github.com/cs278) (106 commits), [denga](https://github.com/denga) (1 commit)

Tags: composer-plugin, php
