Security Tip: composer audit

[Tip#28] Composer 🥰

Security Tip: composer audit

As PHP developers, we’re lucky enough to have Composer as our package manager. It is, in my opinion, the best package manager available and doesn’t suffer from the multitude of problems and annoyances that others like NPM do.

An awesome feature that was added Composer v2.4 is the audit command:

composer audit

Similar to `npm audit`1, the `composer audit` command will check your currently installed package versions for any known security vulnerabilities and list any that are found.

Composer will also automatically run an audit during an update via `composer update`, and you can optionally include it during installs with the  `--audit` flag.

Security advisories are loaded from Packagist, which sources them from GitHub and FriendsOfPHP/security-advisories, with scope for more sources as required.

I think this is an awesome addition to Composer, and something it had been lacking prior to v2.4, so it’s great to see it included. There are other third-party packages that serve similar roles2, but having it included in Composer makes it a lot more accessible.

I highly recommend adding `composer audit` call into your testing and deployment pipeline, so you’ll be alerted for new vulnerabilities as they are reported.

You can find the official documentation of the command here:
https://getcomposer.org/doc/03-cli.md#audit

But, it’s not here yet…

The new audit command is coming in v2.4, but it hasn’t been released yet. There is a release candidate available though, so you can use if you want to try out the command.

Find it here: https://github.com/composer/composer/releases/tag/2.4.0-RC1

Or install it with:

composer self-update --preview

And switch back to the latest stable v2.3:

composer self-update --stable

(I wrote this article before it was officially released.)


  1. Which has been around for many years.

  2. The two most popular ones I am aware of are: