

netresearch/composer-audit-responsibility
=========================================

Composer plugin implementing responsibility propagation for security audits — stops upstream/framework transitive dependency advisories from blocking library/extension CI


Composer Audit Responsibility
=============================


[![CI](https://github.com/netresearch/composer-audit-responsibility/actions/workflows/ci.yml/badge.svg)](https://github.com/netresearch/composer-audit-responsibility/actions/workflows/ci.yml)[![Latest Stable Version](https://camo.githubusercontent.com/d95fcd86b9a52d5c5b6dc9791c917dcb211395f78e18084cf9707c79e9d707d9/68747470733a2f2f706f7365722e707567782e6f72672f6e657472657365617263682f636f6d706f7365722d61756469742d726573706f6e736962696c6974792f76)](https://packagist.org/packages/netresearch/composer-audit-responsibility)[![License](https://camo.githubusercontent.com/d77bf772f2420846de105eadac8d41f19c948f2ccb89b58db09cade362d98529/68747470733a2f2f706f7365722e707567782e6f72672f6e657472657365617263682f636f6d706f7365722d61756469742d726573706f6e736962696c6974792f6c6963656e7365)](https://packagist.org/packages/netresearch/composer-audit-responsibility)

A Composer plugin implementing **responsibility propagation** for security audits.

Stops upstream/framework transitive dependency advisories from blocking your library, extension, or plugin CI — while keeping them visible in audit reports.

The Problem
-----------


Since Composer 2.9, [`block-insecure`](https://getcomposer.org/doc/06-config.md#block-insecure) defaults to `true`, blocking any package version with a security advisory during `composer update`, `require`, or `remove` (and `install` without a lock file, which triggers dependency resolution). For library/extension developers, this means:

- Your **TYPO3 extension** requires `typo3/cms-core` for compatibility
- `typo3/cms-core` transitively depends on `firebase/php-jwt`
- When `firebase/php-jwt` gets a security advisory, **your CI breaks**
- You have **no control** over this — you didn't choose `firebase/php-jwt`
- The **TYPO3 team** is responsible for updating their framework dependencies

This affects every framework ecosystem: Drupal modules, Symfony bundles, Laravel packages, WordPress plugins, Magento modules, Shopware plugins, and more.

### What People Do Today (and Why It's Bad)


**1. Disable the security check entirely**

```
COMPOSER_NO_SECURITY_BLOCKING=1 composer update
```

This silences **all** advisories — including ones in your own dependencies that you *can* and *should* fix. You lose the safety net completely. A real vulnerability in a package you chose goes unnoticed.

**2. Manually maintain `config.audit.ignore`**

```
{
    "config": {
        "audit": {
            "ignore": {
                "PKSA-y2cr-5h3j-g3ys": "firebase/php-jwt - framework dep",
                "CVE-2024-XXXXX": "some-other/lib - framework dep"
            }
        }
    }
}
```

Every new advisory requires a manual commit to every affected repo. With dozens of extensions and frequent advisories, this becomes a constant maintenance burden. Worse: stale ignore entries accumulate and nobody reviews whether they're still needed — or whether they're now hiding a vulnerability in a package you *do* control.

Both approaches share the same fundamental flaw: they treat security as all-or-nothing when the real question is **who is responsible for which dependency**.

The Solution: Responsibility Propagation
----------------------------------------


Security responsibility follows the dependency chain:

| Role | Responsible For |
|------|-----------------|
| **Extension/Plugin developer** | Their direct dependencies |
| **Framework team** | Framework's transitive dependencies |
| **Application/Project assembler** | Everything (they ship the final product) |

This plugin automatically detects your framework dependencies and prevents their transitive security advisories from blocking dependency resolution (`composer update/require/remove`). Advisories are still **reported** — they just don't **block**.

Installation
------------


This plugin must be installed **globally** — it needs to be loaded before your project's dependencies are resolved.

```
composer global config allow-plugins.netresearch/composer-audit-responsibility true
composer global require netresearch/composer-audit-responsibility
```

### CI Setup (GitHub Actions)


Add this step after PHP setup and before `composer install`:

```
- name: Install audit-responsibility plugin
  run: |
    composer global config allow-plugins.netresearch/composer-audit-responsibility true
    composer global require netresearch/composer-audit-responsibility --no-interaction
```

No changes to your project's `composer.json` are needed.

Configuration
-------------


### Automatic Detection


The plugin auto-detects your framework from the `type` field in `composer.json`:

| Package Type | Detected Framework |
|--------------|--------------------|
| `typo3-cms-extension` | `typo3/cms-core` |
| `symfony-bundle` | `symfony/framework-bundle`, `symfony/http-kernel` |
| `drupal-module` | `drupal/core` |
| `wordpress-plugin` | `johnpbloch/wordpress-core`, `roots/wordpress` |
| `magento2-module` | `magento/framework` |
| `shopware-platform-plugin` | `shopware/core` |
| `contao-bundle` | `contao/core-bundle` |
| `cakephp-plugin` | `cakephp/cakephp` |
| `neos-plugin` | `neos/neos` |
| `flow-package` | `neos/flow` |
| `oroplatform-bundle` | `oro/platform` |
| `silverstripe-vendormodule` | `silverstripe/framework` |
| `pimcore-bundle` | `pimcore/pimcore` |
| `laravel-package` | `laravel/framework` |
| `yii2-extension` | `yiisoft/yii2` |

### Explicit Configuration


For projects that use `type: library` or need custom upstream declarations:

```
{
    "extra": {
        "audit-responsibility": {
            "upstream": ["typo3/cms-core", "helhum/typo3-console"]
        }
    }
}
```

### Disable the Plugin per Project


If you have the plugin installed globally but want a specific extension/library to opt out (i.e., have all advisories block normally):

```
{
    "extra": {
        "audit-responsibility": {
            "block-upstream": true
        }
    }
}
```

> **Note:** Application projects (`type: project` or `type: library` without explicit `upstream` config) are never affected by this plugin — it only activates for framework-specific package types (extensions, bundles, modules, plugins). No configuration needed to exclude them.

How It Works
------------


1. **Detection** — Identifies platform/framework packages from your `type` or explicit config
2. **Graph analysis** — Walks the dependency graph (BFS) to classify every package:
    - **Direct**: In your `require` — your responsibility
    - **Platform-only**: Only reachable through framework packages — framework's responsibility
    - **Shared**: Reachable through both your deps AND framework — your responsibility (conservative)
    - **User-transitive**: Only reachable through your non-framework deps — your responsibility
3. **Policy enforcement** — Platform-only advisories don't block; everything else still blocks normally

### The Diamond Problem


When a package is reachable through both your dependencies AND the framework:

```
your-extension
├── typo3/cms-core → psr/log (platform path)
└── my/logging-lib → psr/log (user path)
```

**Conservative rule**: If you have ANY dependency path to a package, it's your responsibility. `psr/log` blocks in this case because you chose `my/logging-lib` which also depends on it.
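The graph-analysis step and the diamond rule above are easy to get subtly wrong (a shared package must not be demoted just because one of its paths runs through the framework), so here is the classification written out as an added example. It is not the plugin's own code; the dependency graph, the root package `your-extension` and the upstream set `{"typo3/cms-core"}` are constructed for illustration, and the four classes and the policy (only `platform-only` advisories stop blocking) follow the README's definitions.

```python
from collections import deque

# Constructed dependency graph (package -> packages it requires).
# Not the plugin's data; "your-extension" plays the root package.
GRAPH = {
    "your-extension": ["typo3/cms-core", "my/logging-lib", "vendor/util"],
    "typo3/cms-core": ["firebase/php-jwt", "psr/log", "symfony/console"],
    "symfony/console": ["symfony/polyfill-mbstring"],
    "symfony/polyfill-mbstring": [],
    "firebase/php-jwt": [],
    "psr/log": [],
    "my/logging-lib": ["psr/log"],  # the user-side path of the diamond
    "vendor/util": ["vendor/helper"],
    "vendor/helper": [],
}

ROOT = "your-extension"
# What auto-detection would yield for `type: typo3-cms-extension` (assumed here).
UPSTREAM = {"typo3/cms-core"}


def reachable_from(graph, start):
    """BFS over the require graph: everything transitively required by `start`,
    excluding `start` itself. Cycles are handled by the `seen` set."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def classify(graph, root, upstream):
    """Assign each package one of: direct, platform-only, shared, user-transitive."""
    direct = set(graph[root])
    platform_reach, user_reach = set(), set()
    for dep in direct:
        # Closures are computed per direct dependency so a package that appears
        # under both a framework dep and a user dep is seen from both sides.
        target = platform_reach if dep in upstream else user_reach
        target.update(reachable_from(graph, dep))

    all_packages = set(graph) | {p for deps in graph.values() for p in deps}
    result = {}
    for pkg in all_packages - {root}:
        if pkg in direct:
            result[pkg] = "direct"            # in your `require`: yours
        elif pkg in platform_reach and pkg in user_reach:
            result[pkg] = "shared"            # diamond: conservatively yours
        elif pkg in platform_reach:
            result[pkg] = "platform-only"     # framework's responsibility
        elif pkg in user_reach:
            result[pkg] = "user-transitive"   # via your non-framework deps: yours
    return result


def should_block(classification, advisories):
    """Policy: an advisory blocks unless its package is platform-only.
    Platform-only advisories are still expected to be reported, just not to block."""
    return {pkg: classification.get(pkg) != "platform-only" for pkg in advisories}


if __name__ == "__main__":
    classes = classify(GRAPH, ROOT, UPSTREAM)
    # Constructed advisory list: one package per interesting class.
    decisions = should_block(classes, ["firebase/php-jwt", "psr/log", "vendor/helper"])
    for pkg, blocks in decisions.items():
        print(f"{pkg:28} {classes[pkg]:16} blocks={blocks}")
```

Running it shows `firebase/php-jwt` classified `platform-only` (reported, not blocking), while `psr/log` is `shared` because of the `my/logging-lib` path and therefore still blocks, exactly as the conservative rule requires.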

Comparison with Alternatives
----------------------------


| Approach | Scope | Maintenance | Visibility |
|----------|-------|-------------|------------|
| `config.audit.ignore` per advisory | Per-advisory | Update for every new advisory | Hidden |
| `COMPOSER_NO_SECURITY_BLOCKING=1` | All deps | None | Hidden |
| **This plugin** | Framework deps only | None (auto-detected) | Preserved |

Requirements
------------


- PHP >= 8.1
- Composer >= 2.9

License
-------


MIT License. See [LICENSE](LICENSE) for details.

Contributing
------------


Contributions are welcome! Please open an issue or pull request on [GitHub](https://github.com/netresearch/composer-audit-responsibility).
