PHPackages magento/composer-dependency-version-audit-plugin - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Utility & Helpers](/categories/utility) 4. / 5. magento/composer-dependency-version-audit-plugin ActiveComposer-plugin[Utility & Helpers](/categories/utility) magento/composer-dependency-version-audit-plugin ================================================ Validating packages through a composer plugin 0.1.6(1y ago)4975.8k—3.4%7[8 issues](https://github.com/magento/composer-dependency-version-audit-plugin/issues)[2 PRs](https://github.com/magento/composer-dependency-version-audit-plugin/pulls)4OSL-3.0PHP Since Jun 14Pushed 1y ago7 watchersCompare [ Source](https://github.com/magento/composer-dependency-version-audit-plugin)[ Packagist](https://packagist.org/packages/magento/composer-dependency-version-audit-plugin)[ RSS](/packages/magento-composer-dependency-version-audit-plugin/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (5)Dependencies (3)Versions (5)Used By (4) Composer dependency version audit plugin ======================================== [](#composer-dependency-version-audit-plugin) This composer plugin is used to protect Adobe Commerce merchants from Dependency confusion attacks. It will detect when a public version of a package at packagist.org has a higher version than the one available from a private like repo.magento.com. When you try to install/update packages with composer, if it detects a potential issue, the plugin will give you a recommendation message and stop the process. By default the plugin will obey the stability configuration in the composer.json config file which is `stable` by default. If you would like to be covered for unstable versions of a package (dev, alpha, beta, RC), you can either change the `minimum-stability` level or explicit require a dev version or only betas with the version constraint for ex: ‘^1.0.2-beta1’ Installation ------------ [](#installation) ``` composer require magento/composer-dependency-version-audit-plugin ``` Usage ----- [](#usage) When you install/update composer, the composer plugin will stop the process if it detects a potential Dependency Confusion attack. In that case, composer install/update will fail with an error message similar to: ``` Higher matching version x.x.x of package/name was found in public repository packagist.org than x.x.x in private.repo. Public package might've been taken over by a malicious entity; please investigate and update package requirement to match the version from the private repository. ``` ### Health Score 36 — LowBetter than 82% of packages Maintenance19 Infrequent updates — may be unmaintained Popularity45 Moderate usage in the ecosystem Community26 Small or concentrated contributor base Maturity45 Maturing project, gaining track record Bus Factor1 Top contributor holds 72.7% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~427 days Total 4 Last Release 516d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/dbcf615f9bf1c6b766e11376c5e76245da3b22bfc132da6a85c1e185f31ddd26?d=identicon)[mage2-team](/maintainers/mage2-team) --- Top Contributors [![admanesachin](https://avatars.githubusercontent.com/u/40776763?v=4)](https://github.com/admanesachin "admanesachin (32 commits)")[![tranthienbinh1989](https://avatars.githubusercontent.com/u/4982945?v=4)](https://github.com/tranthienbinh1989 "tranthienbinh1989 (6 commits)")[![glo71317](https://avatars.githubusercontent.com/u/85922880?v=4)](https://github.com/glo71317 "glo71317 (2 commits)")[![nathanjosiah](https://avatars.githubusercontent.com/u/665104?v=4)](https://github.com/nathanjosiah "nathanjosiah (2 commits)")[![Atul-glo35265](https://avatars.githubusercontent.com/u/138226841?v=4)](https://github.com/Atul-glo35265 "Atul-glo35265 (1 commits)")[![mmansoor-magento](https://avatars.githubusercontent.com/u/5124019?v=4)](https://github.com/mmansoor-magento "mmansoor-magento (1 commits)") ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/magento-composer-dependency-version-audit-plugin/health.svg) ``` [![Health](https://phpackages.com/badges/magento-composer-dependency-version-audit-plugin/health.svg)](https://phpackages.com/packages/magento-composer-dependency-version-audit-plugin) ``` ### Alternatives [roave/backward-compatibility-check Tool to compare two revisions of a public API to check for BC breaks 5953.3M56](/packages/roave-backward-compatibility-check)[vaimo/composer-patches Applies a patch from a local or remote file to any package that is part of a given composer project. Patches can be defined both on project and on package level. Optional support for patch versioning, sequencing, custom patch applier configuration and patch command for testing/troubleshooting added patches. 2994.3M16](/packages/vaimo-composer-patches)[magento/magento-composer-installer Composer installer for Magento modules 7523.3M318](/packages/magento-magento-composer-installer)[mglaman/composer-drupal-lenient 1317.4M15](/packages/mglaman-composer-drupal-lenient)[drupal/core-composer-scaffold A flexible Composer project scaffold builder. 5341.9M446](/packages/drupal-core-composer-scaffold)[drupal/core-project-message Adds a message after Composer installation. 2122.6M172](/packages/drupal-core-project-message) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)