drupal-composer/drupal-security-advisories
==========================================

8.x-dev(4y ago)512.2M↓23.7%19[6 issues](https://github.com/drupal-composer/drupal-security-advisories/issues)[3 PRs](https://github.com/drupal-composer/drupal-security-advisories/pulls)5GPL-2.0-or-laterPHP

Since Jan 19Pushed 3mo ago5 watchersCompare

[ Source](https://github.com/drupal-composer/drupal-security-advisories)[ Packagist](https://packagist.org/packages/drupal-composer/drupal-security-advisories)[ RSS](/packages/drupal-composer-drupal-security-advisories/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependenciesVersions (1)Used By (5)

Drupal Security Advisories for Composer
=======================================


This package ensures that your application does not have installed dependencies with known security vulnerabilities. Inspired by [Roave Security Advisories](https://github.com/Roave/SecurityAdvisories).


Deprecated
==========


The project has been discontinued. Its functionality has been replaced by `composer audit`. Read the [related drupal.org issue](https://www.drupal.org/project/project_composer/issues/3301876) for more information.

Installation
------------


### Drupal 9+ ([composer.json](https://github.com/drupal-composer/drupal-security-advisories/blob/9.x/composer.json))


```
~$ composer require drupal-composer/drupal-security-advisories:9.x-dev
```

### Drupal 7 ([composer.json](https://github.com/drupal-composer/drupal-security-advisories/blob/7.x/composer.json))


```
~$ composer require drupal-composer/drupal-security-advisories:7.x-dev
```

Usage
=====


This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues.

Stability
=========


This package can only be required in its dev-\* version: there will never be stable or tagged versions because of the nature of the problem being targeted. Security issues are a moving target, and locking your project to a specific tagged version of the package would make no sense.

This package is therefore only suited for installation in the root of your deployable project.

Handling Failures
=================


In the rare event that a security release does not affect your project, and upgrading to the latest release is undesirable, you can suppress a build failure by pinning the project to a particular commit SHA in composer.json. For example, assume that drupal/dynamic\_entity\_reference 8.1.0-beta2 has just come out as a security release. In order to keep using 8.1.0-beta1, you can specify the following in composer.json:

```
"require": {
  "drupal/dynamic_entity_reference": "dev-8.x-1.x#8713890"
},
```

Note that this approach opts your package out of any future security releases for that project. You can check for future security releases with `drush pm:security` (drush 9) or `drush pm-updatestatus` (drush 8).

Sources
=======


This package gets its information from the Drupal.org APIs.

Build command: `./build/build.sh`
