


innobrain/composer-fix
======================

Fixes security vulnerabilities reported by composer audit by updating the affected packages.

Latest version v0.1.0 (released yesterday) · MIT license · PHP ^8.1 · listed since Jun 18, pushed yesterday

[Source](https://github.com/innobraingmbh/composer-fix) · [Packagist](https://packagist.org/packages/innobrain/composer-fix)


composer-fix
============


A Composer plugin that fixes known vulnerabilities like `npm audit fix`: it audits installed packages and updates the ones with published advisories to a version that is no longer affected.

Installation
------------


Install it globally so `composer fix` is available in every project:

```
composer global require innobrain/composer-fix
```

Composer will ask to allow the plugin the first time — confirm, or add it to `allow-plugins` in your global `composer.json`. The plugin registers a single command, `composer fix`.

Usage
-----


```
composer fix
```

Audits installed packages against your repositories' advisories (Packagist by default) and runs a targeted `composer update` on the affected ones, staying within your existing `composer.json` constraints. A package whose safe version is out of range is reported as still vulnerable rather than changed.

### Bumping constraints (`--force`)


```
composer fix --force
```

Rewrites affected root constraints to the *lowest* safe version before updating — the smallest bump that removes the vulnerability, like `npm audit fix --force`. **Can introduce breaking changes**, so review the `composer.json` diff. The constraint is patch-level (e.g. `^5.4.20`) so it also excludes the vulnerable lower versions.

### Dry run


```
composer fix --dry-run
```

Shows the plan without touching `composer.json`, the lock file, or `vendor/`.

### Options


| Option | Description |
| --- | --- |
| `--force` | Bump constraints when the safe version is out of range. |
| `--dry-run` | Preview the plan without changing anything. |
| `--no-dev` | Ignore `require-dev` packages. |
| `-w`, `--with-dependencies` | Also update dependencies of affected packages (except root requirements). |
| `-W`, `--with-all-dependencies` | Also update dependencies of affected packages, including root requirements. |
| `--ignore-unreachable` | Ignore repositories that are unreachable or return a non-200 response. |

Pool-filtering plugins (e.g. soak-time)
---------------------------------------


`composer fix` never picks a version another plugin would refuse to install. Both the update and the `--force` selection go through Composer's normal pool creation (`PRE_POOL_CREATE`), so a plugin that prunes the pool — such as [soak-time](https://github.com/innobrain/soak-time) — also prunes what `composer fix` considers. If the only safe version is held back, `--force` reports it and leaves `composer.json` unchanged instead of bumping to a version that won't resolve.

How it works
------------


1. Match installed packages against advisories via Composer's advisory API.
2. Build the list of affected packages.
3. With `--force`, resolve the lowest safe version of each affected root requirement and rewrite its constraint.
4. Run a targeted `composer update` on the affected packages.
5. Re-audit and report anything still vulnerable.
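The steps above, and the `--force` behaviour described earlier, as an added illustration that is not code from innobrain/composer-fix: a small PHP model of the per-package decision (in-range update, "still vulnerable" report, or a bump to the lowest safe version pinned at patch level). It assumes caret constraints with a major version of at least 1, advisory ranges given as plain version strings, and constructed package data, so it runs stand-alone without composer/semver.

```php
<?php
declare(strict_types=1);
// Added example, not code from innobrain/composer-fix: a small model of the
// plan described in "How it works", using constructed versions/advisories.
// Assumptions: only caret constraints with major >= 1, and an advisory's
// affected range expressed as [lo, hi) in plain version strings.

/** True when $version falls in any affected range (>= lo and < hi). */
function isAffected(string $version, array $advisories): bool
{
    foreach ($advisories as [$lo, $hi]) {
        if (version_compare($version, $lo, '>=') && version_compare($version, $hi, '<')) {
            return true;
        }
    }
    return false;
}

/** Caret semantics for major >= 1: ^X.Y.Z allows >= X.Y.Z and < (X+1).0.0. */
function satisfiesCaret(string $version, string $constraint): bool
{
    $p = array_pad(array_map('intval', explode('.', ltrim($constraint, '^'))), 3, 0);
    $lower = implode('.', $p);          // ^5.4 -> 5.4.0
    $upper = ($p[0] + 1) . '.0.0';
    return version_compare($version, $lower, '>=') && version_compare($version, $upper, '<');
}

/** Plan one package: in-range update, "still vulnerable" report, or --force bump to the lowest safe version. */
function planFix(string $installed, string $constraint, array $available, array $advisories, bool $force): array
{
    if (!isAffected($installed, $advisories)) {
        return ['status' => 'clean', 'target' => $installed, 'constraint' => $constraint];
    }
    usort($available, 'version_compare');                                   // ascending
    $inRange = array_values(array_filter($available, fn (string $v) => satisfiesCaret($v, $constraint)));
    $best = $inRange === [] ? $installed : end($inRange);                  // what a plain `composer update` would pick
    if (!isAffected($best, $advisories)) {
        return ['status' => 'update', 'target' => $best, 'constraint' => $constraint];
    }
    if (!$force) {
        return ['status' => 'still-vulnerable', 'target' => $installed, 'constraint' => $constraint];
    }
    foreach ($available as $v) {        // lowest safe version above the installed one, pinned patch-level
        if (version_compare($v, $installed, '>') && !isAffected($v, $advisories)) {
            return ['status' => 'bumped', 'target' => $v, 'constraint' => '^' . $v];
        }
    }
    return ['status' => 'no-safe-version', 'target' => $installed, 'constraint' => $constraint];
}

// Constructed input: 5.4.12 installed under ^5.4; the advisory affects >= 5.0.0 and < 6.1.3.
$available  = ['5.4.12', '5.4.20', '6.0.0', '6.1.3', '6.2.0'];
$advisories = [['5.0.0', '6.1.3']];
print_r(planFix('5.4.12', '^5.4', $available, $advisories, false));      // plain `composer fix`
print_r(planFix('5.4.12', '^5.4', $available, $advisories, true));       // `composer fix --force`
```

The constructed case is the one the README warns about: every version inside `^5.4` is affected, so the plain run reports the package as still vulnerable, while `--force` crosses a major boundary and rewrites the constraint to `^6.1.3`, which is why the `composer.json` diff needs review.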

Development
-----------


```
composer install
composer test
```

License
-------


MIT

### Health Score

38 (Low; better than 83% of packages)

- Maintenance 100: actively maintained with recent releases
- Popularity 7: limited adoption so far
- Community 6: small or concentrated contributor base
- Maturity 32: early-stage or recently created project
- Bus Factor 1: top contributor holds 100% of commits, a single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

Cadence: Unknown · Total releases: 1 · Last release: 1d ago

### Community

Maintainers: [innobrain](/maintainers/innobrain)

Top contributors: [kauffinger](https://github.com/kauffinger) (3 commits)

### Code Quality

Tests: PHPUnit


### Alternatives

- [symfony/runtime](/packages/symfony-runtime): Enables decoupling PHP applications from global state
- [drupal/core-composer-scaffold](/packages/drupal-core-composer-scaffold): A flexible Composer project scaffold builder.
- [drupal/core-vendor-hardening](/packages/drupal-core-vendor-hardening): Hardens the vendor directory for when it's in the docroot.
- [drupal/core-project-message](/packages/drupal-core-project-message): Adds a message after Composer installation.
- [drupal-composer/drupal-paranoia](/packages/drupal-composer-drupal-paranoia): Composer plugin for improving the security of Composer-based Drupal projects by moving all PHP files out of the docroot.
- [altis/core](/packages/altis-core): Core module for Altis

PHPackages © 2026

