Security Tip: composer audit
[Tip#28] Composer 🥰
As PHP developers, we’re lucky enough to have Composer as our package manager. It is, in my opinion, the best package manager available and doesn’t suffer from the multitude of problems and annoyances that others like NPM do.
An awesome feature that was added Composer v2.4 is the audit command:
composer auditSimilar to npm audit, the composer audit command will check your currently installed package versions for any known security vulnerabilities and list any that are found.
Composer will also automatically run an audit during an update via composer update, and you can optionally include it during installs with the --audit flag.
Security advisories are loaded from Packagist, which sources them from GitHub and FriendsOfPHP/security-advisories, with scope for more sources as required.
I think this is an awesome addition to Composer, and something it had been lacking prior to v2.4, so it’s great to see it included. There are other third-party packages that serve similar roles, but having it included in Composer makes it a lot more accessible.
I highly recommend adding composer audit call into your testing and deployment pipeline, so you’ll be alerted for new vulnerabilities as they are reported.
You can find the official documentation of the command here:
https://getcomposer.org/doc/03-cli.md#audit
But, it’s not here yet…
The new audit command is coming in v2.4, but it hasn’t been released yet. There is a release candidate available though, so you can use if you want to try out the command.
Find it here: https://github.com/composer/composer/releases/tag/2.4.0-RC1
Or install it with:
composer self-update --previewAnd switch back to the latest stable v2.3:
composer self-update --stable(I wrote this article before it was officially released.)
If you found this security tip useful, subscribe to get weekly Security Tips straight to your inbox. Upgrade to a premium subscription for exclusive monthly In Depth articles, or drop a coin in the tip jar to show your support.
When was the last time you had a penetration test? Book a Laravel Security Audit and Penetration Test, or a budget-friendly Security Review!
You can also connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.
