PHPackages roave/security-advisories - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. roave/security-advisories ActiveMetapackage[Security](/categories/security) roave/security-advisories ========================= Prevents installation of composer packages with known security vulnerabilities: no API, simply require it 2.9k97.3M—1.4%109[1 PRs](https://github.com/Roave/SecurityAdvisories/pulls)20 Since Mar 26Pushed today71 watchersCompare [ Source](https://github.com/Roave/SecurityAdvisories)[ Packagist](https://packagist.org/packages/roave/security-advisories)[ RSS](/packages/roave-security-advisories/feed)WikiDiscussions latest Synced 1mo ago READMEChangelogDependenciesVersions (2)Used By (20) Roave Security Advisories ========================= [](#roave-security-advisories) A message to Russian 🇷🇺 people ------------------------------ [](#a-message-to-russian--people) If you currently live in Russia, please read [this message](./ToRussianPeople.md). [![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md) Help Palestine 🇵🇸 ----------------- [](#help-palestine-) [![ReadMeSupportPalestine](https://raw.githubusercontent.com/Safouene1/support-palestine-banner/master/banner-support.svg)](https://github.com/TheBSD/StandWithPalestine/blob/main/docs/README.md) ### Purpose [](#purpose) [![Hourly build](https://github.com/Roave/SecurityAdvisoriesBuilder/workflows/Hourly%20build/badge.svg?branch=latest)](https://github.com/Roave/SecurityAdvisoriesBuilder/actions?query=workflow%3A%22Hourly+build%22)[![Downloads](https://camo.githubusercontent.com/81ea1506fec7a312bcea5745a637f534b5eddb7a791c05de107687c38c724ccb/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f726f6176652f73656375726974792d61647669736f726965732e737667)](https://packagist.org/packages/roave/security-advisories) This package ensures that your application doesn't have installed dependencies with known security vulnerabilities. Tip Safety first, my friend! Help keep your supply chain secure with this library, but if you need an extra hand with updating dependencies, application security development, or anything else, [get in touch](https://roave.com/contact-us/). \- The Roave Team Installation ------------ [](#installation) ``` composer require --dev roave/security-advisories:dev-latest ``` Usage ----- [](#usage) This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues. Simply add `"roave/security-advisories": "dev-latest"` to your `composer.json` `"require-dev"` section and you will not be able to harm yourself with software with known security vulnerabilities. For example, try following: ``` composer require --dev roave/security-advisories:dev-latest # following commands will fail: composer require symfony/symfony:2.5.2 composer require zendframework/zendframework:2.3.1 ``` The checks are only executed when adding a new dependency via `composer require` or when running `composer update`: deploying an application with a valid `composer.lock` and via `composer install` won't trigger any security versions checking. > You can manually trigger a version check by using the `--dry-run` switch on an update while not doing anything. Running `composer update --dry-run roave/security-advisories` is an effective way to manually trigger a security version check. roave/security-advisories for enterprise ---------------------------------------- [](#roavesecurity-advisories-for-enterprise) Available as part of the Tidelift Subscription. The maintainers of roave/security-advisories and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more](https://tidelift.com/subscription/pkg/packagist-roave-security-advisories?utm_source=packagist-roave-security-advisories&utm_medium=referral&utm_campaign=enterprise&utm_term=repo). You can also contact us at for looking into security issues in your own project. Stability --------- [](#stability) This package can only be required in its `dev-latest` version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense. This package is therefore only suited for installation in the root of your deployable project. Sources ------- [](#sources) This package extracts information about existing security issues in various composer projects from the [FriendsOfPHP/security-advisories](https://github.com/FriendsOfPHP/security-advisories) repository and the [GitHub Advisory Database](https://github.com/advisories?query=ecosystem%3Acomposer). ### Health Score 53 — FairBetter than 97% of packages Maintenance65 Regular maintenance activity Popularity79 Solid adoption and visibility Community61 Healthy contributor diversity Maturity13 Early-stage or recently created project Bus Factor1 Top contributor holds 99.1% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Community Maintainers ![](https://www.gravatar.com/avatar/fd0445bc21fa116c259b5889377b90cbd8a34d49357321f76a74f6d2c2ae6b0c?d=identicon)[Ocramius](/maintainers/Ocramius) --- Top Contributors [![Ocramius](https://avatars.githubusercontent.com/u/154256?v=4)](https://github.com/Ocramius "Ocramius (2138 commits)")[![stof](https://avatars.githubusercontent.com/u/439401?v=4)](https://github.com/stof "stof (3 commits)")[![asgrim](https://avatars.githubusercontent.com/u/496145?v=4)](https://github.com/asgrim "asgrim (3 commits)")[![glensc](https://avatars.githubusercontent.com/u/199095?v=4)](https://github.com/glensc "glensc (2 commits)")[![GeeH](https://avatars.githubusercontent.com/u/613376?v=4)](https://github.com/GeeH "GeeH (2 commits)")[![malukenho](https://avatars.githubusercontent.com/u/3275172?v=4)](https://github.com/malukenho "malukenho (1 commits)")[![pborreli](https://avatars.githubusercontent.com/u/77759?v=4)](https://github.com/pborreli "pborreli (1 commits)")[![rob006](https://avatars.githubusercontent.com/u/5972388?v=4)](https://github.com/rob006 "rob006 (1 commits)")[![slash3b](https://avatars.githubusercontent.com/u/3269573?v=4)](https://github.com/slash3b "slash3b (1 commits)")[![zbrag](https://avatars.githubusercontent.com/u/1644844?v=4)](https://github.com/zbrag "zbrag (1 commits)")[![Zombaya](https://avatars.githubusercontent.com/u/13340313?v=4)](https://github.com/Zombaya "Zombaya (1 commits)")[![chapeupreto](https://avatars.githubusercontent.com/u/834048?v=4)](https://github.com/chapeupreto "chapeupreto (1 commits)")[![christiaan](https://avatars.githubusercontent.com/u/118490?v=4)](https://github.com/christiaan "christiaan (1 commits)")[![DylanThomasFr](https://avatars.githubusercontent.com/u/48915764?v=4)](https://github.com/DylanThomasFr "DylanThomasFr (1 commits)")[![GrahamCampbell](https://avatars.githubusercontent.com/u/2829600?v=4)](https://github.com/GrahamCampbell "GrahamCampbell (1 commits)") --- Tags composerinfosecphpsecurity-advisoriessecurity-vulnerabilitiessecurity-vulnerability ### Embed Badge ![Health badge](/badges/roave-security-advisories/health.svg) ``` [![Health](https://phpackages.com/badges/roave-security-advisories/health.svg)](https://phpackages.com/packages/roave-security-advisories) ``` ### Alternatives [defuse/php-encryption Secure PHP Encryption Library 3.9k162.4M214](/packages/defuse-php-encryption)[mews/purifier Laravel 5/6/7/8/9/10 HtmlPurifier Package 2.0k16.7M113](/packages/mews-purifier)[robrichards/xmlseclibs A PHP library for XML Security 41478.1M118](/packages/robrichards-xmlseclibs)[bjeavons/zxcvbn-php Realistic password strength estimation PHP library based on Zxcvbn JS 87117.5M63](/packages/bjeavons-zxcvbn-php)[illuminate/encryption The Illuminate Encryption package. 9229.7M280](/packages/illuminate-encryption)[paragonie/hidden-string Encapsulate strings in an object to hide them from stack traces 7410.6M39](/packages/paragonie-hidden-string) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)