plan2net/typo3-update-check
===========================

A Composer plugin that checks for TYPO3 updates and provides detailed information about breaking changes and security updates

[Source](https://github.com/plan2net/typo3-update-check) | [Packagist](https://packagist.org/packages/plan2net/typo3-update-check)

TYPO3 Update Check
==================

A Composer plugin that intercepts TYPO3 core updates and displays breaking changes and security updates before proceeding.

Purpose
-------

Breaking changes and security fixes are easy to overlook when updating TYPO3. This plugin brings that information directly to your terminal the moment you run `composer update`, highlighting breaking changes (⚠️) and security updates (⚡) so you can make an informed decision before proceeding.

Installation
------------

```
composer require --dev plan2net/typo3-update-check
composer config allow-plugins.plan2net/typo3-update-check true
```

**Note:** Composer 2.2+ requires plugins to be explicitly trusted. The second command adds the necessary entry to your `composer.json`. When running `composer require` interactively, Composer will prompt you to allow the plugin; answering yes has the same effect.

**Warning:** Install this plugin as a development dependency only. It is only useful during development when running `composer update`; production deployments typically use `composer install` with locked versions. If you choose to install it in production environments, you do so at your own risk.

How it works
------------

The plugin automatically activates during `composer update` and:

1. **Detects TYPO3 core updates** — Monitors when `typo3/cms-core` is being updated
2. **Fetches release information** — Retrieves data from the TYPO3 API for all versions between current and target
3. **Matches security advisories** — Determines fixed vulnerabilities per release from the Packagist security-advisories API (the same data source as `composer audit`), including CVE numbers and severity levels (critical, high, medium, low)
4. **Displays important changes** — Shows each affected version's breaking changes and security updates, followed by a one-line digest (releases scanned, security updates with severity totals, breaking changes)
5. **Warns about skipped security fixes** — If the target lands below newer security releases, it lists them so you can raise your constraint
6. **Requests confirmation** — Prompts before proceeding when breaking changes or security updates are found

In non-interactive environments (CI/CD), the plugin displays information but proceeds automatically. If the TYPO3 API is temporarily unavailable, the update continues without interruption.

Major version upgrades
----------------------

Cross-major updates (e.g. 12.4 → 13.4) are fully supported. Since a major upgrade path contains hundreds of breaking changes, the report switches to a condensed format:

- A banner announces the upgrade with links to the official upgrade guide and the changelog of every crossed major
- Breaking changes appear as a per-release count (e.g. `13.0.0: ⚠️ 207 breaking changes`) instead of a full list — security updates keep their complete detail (CVEs, severities, bulletins)
- Updates within a major line keep the detailed format as before
- A major upgrade always asks for confirmation in interactive shells, even when release information could not be fetched
- Jumping more than one major at once (e.g. 12 → 14) prints an additional warning, since TYPO3 officially supports upgrading one major version at a time
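The decisions described under "How it works" (which releases are reported, which security fixes a target skips) and in this section (condensed format, multi-major warning) can be sketched as follows. This is an added illustration, not the plugin's own code: `planUpdate()`, the result keys and the release list are hypothetical, and limiting skipped fixes to the target's major line is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Classify an update path as the README describes it (illustrative helper, not the plugin's API).
 * $releases: list of ['version' => string, 'security' => bool].
 */
function planUpdate(string $current, string $target, array $releases): array
{
    $major = static fn (string $v): int => (int) explode('.', $v)[0];

    $inPath = $skipped = [];
    foreach ($releases as $release) {
        $v = $release['version'];
        if (version_compare($v, $current, '>') && version_compare($v, $target, '<=')) {
            $inPath[] = $v;   // reported release: current < v <= target
        } elseif ($release['security']
            && version_compare($v, $target, '>')
            && $major($v) === $major($target)   // assumption: same major line as the target
        ) {
            $skipped[] = $v;  // security fix the chosen target does not reach
        }
    }
    usort($inPath, 'version_compare');
    usort($skipped, 'version_compare');

    $jump = $major($target) - $major($current);

    return [
        'in_path'             => $inPath,
        'skipped_security'    => $skipped,
        'format'              => $jump >= 1 ? 'condensed' : 'detailed',
        'multi_major_warning' => $jump > 1,   // more than one major at once
    ];
}

// Constructed release list: version numbers and security flags are made up, not real TYPO3 data.
$releases = [
    ['version' => '90.4.10', 'security' => false],
    ['version' => '90.4.11', 'security' => true],
    ['version' => '90.4.12', 'security' => false],
    ['version' => '90.4.13', 'security' => true],
    ['version' => '92.0.0',  'security' => false],
];

print_r(planUpdate('90.4.10', '90.4.12', $releases)); // update within one major line
print_r(planUpdate('90.4.10', '92.0.0', $releases));  // jump across two majors
```

A non-empty `skipped_security` list is the signal to raise the version constraint before accepting the update.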

Example output
--------------

A regular update within a major version:

[![Demo](documentation/demo-89177017.gif)](documentation/demo-89177017.gif)

A major version upgrade — the report condenses breaking changes to a count and leads with an upgrade banner:

[![Major version upgrade](documentation/demo-major.gif)](documentation/demo-major.gif)

Manual check
------------

You can check for breaking changes and security updates between any two versions without running an actual update:

```
composer typo3:check-updates 13.4.10 13.4.12
```

Both arguments are optional. With no arguments it uses your installed `typo3/cms-core` version and the latest release in that line; with only the first it defaults the target to the latest:

```
composer typo3:check-updates             # installed version → latest release
composer typo3:check-updates 13.4.10     # 13.4.10 → latest release
composer typo3:check-updates 12.4.10 13.4.5   # across major versions
```

**Note:** Defaults always stay within the installed major line; a cross-major check happens only when you pass the target explicitly. For an unknown cross-major target, the command offers the latest release of the requested major's line.

When a version is auto-detected or defaulted, the command asks for confirmation before checking. If you pass a target that doesn't exist, it offers the latest instead; an unknown current version (or missing versions in a non-interactive shell) is rejected with a hint.

[![Demo](documentation/check-updates-379da430.gif)](documentation/check-updates-379da430.gif)

Disabling the check
-------------------

Set the environment variable `TYPO3_UPDATE_CHECK=0` to skip the check, for a single run or permanently in environments where it is not wanted:

```
TYPO3_UPDATE_CHECK=0 composer update
```

The values `0`, `false`, `off`, and `no` (case-insensitive) are recognized. The manual `typo3:check-updates` command is not affected.

API availability
----------------

The plugin tolerates transient TYPO3 API issues automatically:

- **Transient errors:** connection failures and HTTP 5xx responses are retried by Composer's own HTTP transport where it supports that (Composer ≥ 2.3 with ext-curl). On older Composer versions or the PHP-streams fallback, requests get a single attempt.
- **Rate limiting:** HTTP 429 responses are retried by the plugin itself — up to two retries with exponential backoff (1 s, 2 s), honoring the server's `Retry-After` header capped at 5 s.
- **No retry on deterministic errors:** HTTP 4xx responses other than 429 are treated as final and reported immediately.
- **Per-version reporting:** when only some versions fail to fetch, the others are still shown. Each failure is categorized — network error, server error, not found, or malformed response — and the plugin suggests retrying with `composer typo3:check-updates` for the skipped versions.
- **Fail-soft:** if every request fails, the plugin reports the dominant failure category and lets the update proceed so your development workflow is never blocked.

Downloads run through Composer's HTTP layer, so its parallelism setting (`COMPOSER_MAX_PARALLEL_HTTP`, default 12) applies.
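The retry rules listed above, written out as a small decision function. This is an added example, not the plugin's own code: `retryDelay()` and `parseRetryAfter()` are hypothetical names, and letting a usable `Retry-After` value (capped) take precedence over the backoff step is an assumption about how the two combine.

```php
<?php
declare(strict_types=1);

const MAX_RETRIES = 2;      // "up to two retries"
const RETRY_AFTER_CAP = 5;  // seconds; upper bound for a server-supplied wait

/** Parse Retry-After (delta-seconds or HTTP-date) into seconds from $now, or null if unusable. */
function parseRetryAfter(?string $value, int $now): ?int
{
    $value = trim((string) $value);
    if ($value === '') {
        return null;
    }
    if (ctype_digit($value)) {
        return (int) $value;
    }
    $timestamp = strtotime($value);
    return $timestamp === false ? null : max(0, $timestamp - $now);
}

/** Seconds to wait before retry number $retry (1-based), or null when the response is final. */
function retryDelay(int $status, int $retry, ?string $retryAfter = null, ?int $now = null): ?int
{
    if ($status !== 429 || $retry < 1 || $retry > MAX_RETRIES) {
        return null; // other 4xx: final; 5xx: left to Composer's transport; budget spent: give up
    }
    $hint = parseRetryAfter($retryAfter, $now ?? time());
    return $hint === null
        ? 2 ** ($retry - 1)              // exponential backoff: 1 s, then 2 s
        : min($hint, RETRY_AFTER_CAP);   // a hostile or broken header cannot stall the update
}

// Constructed responses: [status, retry number, Retry-After header]
$now = strtotime('2030-01-01 00:00:00 UTC');
$cases = [
    [429, 1, null], [429, 2, null], [429, 1, '3'], [429, 1, '3600'],
    [429, 1, 'Tue, 01 Jan 2030 00:00:04 GMT'], [429, 3, null], [404, 1, null], [503, 1, null],
];
foreach ($cases as [$status, $retry, $header]) {
    $delay = retryDelay($status, $retry, $header, $now);
    printf("%d retry %d Retry-After=%s -> %s\n", $status, $retry, $header ?? '-', $delay === null ? 'final' : "wait {$delay}s");
}
```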

Caching
-------

API responses are cached to improve performance and reduce load on TYPO3 servers:

- **Location** — Composer's global cache directory (`~/.cache/composer` on Linux/macOS, `%LOCALAPPDATA%\Composer` on Windows)
- **Release lists** — 1 hour
- **Release content** — Permanent (content never changes)
- **Security advisories** — 1 hour

The cache is shared across all TYPO3 projects on the same machine.

Requirements
------------

- PHP 8.1+
- Composer 2.0+
- No third-party runtime dependencies (uses Composer's own HTTP layer)

License
-------

GPL-2.0+

