Security Tip: Do I Have a Vulnerable Package Installed?
[Tip #117] It's easy to say "Update <package> if it's installed!", but how do you actually know if a package is installed, since it may not appear in composer.json?! Also, how did it even get there??!! 🤨

By now, most of you will have seen the Security Notice I sent out last Friday about the Livewire v3 Remote Code Execution Vulnerability. There is something significant that I overlooked when writing that notice: livewire/livewire may not appear in your composer.json at all, and instead be a dependency of one of your dependencies! Laravel Pulse and Filament come to mind as popular packages that use Livewire. If that is your situation, you may have checked your composer.json, not seen livewire/livewire, and not updated. If so, I apologise profusely!
So to ease my guilt, and to make sure you've applied any security updates that need applying, we're going to review the different methods you can use to identify which packages you have installed, which version you have, and why they are there.
composer audit
$ composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+---------------------------------------
| Package           | livewire/livewire
| Severity          | critical
| CVE               | CVE-2025-54068
| Title             | Livewire is vulnerable to remote command execution during component property
|                   | update hydration
| URL               | https://github.com/advisories/GHSA-29cq-5w36-x7w3
| Affected versions | >=3.0.0-beta.1,<3.6.4
| Reported at       | 2025-07-17T20:26:45+00:00
+-------------------+---------------------------------------
This is the best place to start, and I could probably just end this tip here (but I won't). Composer checks every installed package, including the ones pulled in by your dependencies, against the published security advisories for Packagist, and prints the affected version range so you can see at a glance whether the version you have is inside it.
Seriously, run this first. Daily. Hourly. Every time you touch your computer... ok, maybe that's a bit excessive. Maybe stick with daily via CI? The command exits non-zero when it finds an advisory, so a CI job fails on its own, and --format=json (or --format=summary) gives you machine-readable output; --locked audits composer.lock instead of the vendor directory, which is what you want on a build agent that hasn't run composer install. One caveat: it only knows about advisories that have been published, so a clean audit is a lower bound, not proof that everything installed is safe.
composer why <package>
$ composer why livewire/livewire
laravel/pulse v1.4.3 requires livewire/livewire (^3.6.4)
This beautifully named command, composer why, will tell you why a package was installed. As we can see above, livewire/livewire is there because laravel/pulse needs it.
Note that nested packages won't provide their full tree by default, so you may not see the root package from composer.json listed. In this case, add on the --tree or --recursive option:
$ composer why pestphp/pest-plugin-arch --tree
pestphp/pest-plugin-arch v3.1.1 The Arch plugin for Pest PHP.
└──pestphp/pest v3.8.2 (requires pestphp/pest-plugin-arch ^3.1.0)
├──laravel/laravel (requires (for development) pestphp/pest ^3.8)
├──pestphp/pest-plugin v3.0.0 (conflicts pestphp/pest <3.0.0) (circular dependency aborted here)
└──pestphp/pest-plugin-laravel v3.2.0 (requires pestphp/pest ^3.8.2)
└──laravel/laravel (requires (for development) pestphp/pest-plugin-laravel ^3.2)
Armed with this, you should know exactly why a specific package was installed, and which entry in your own composer.json you need to bump (or constrain) to pull in the fixed version.
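As an added worked example (not code from the original tip, and not part of Composer itself), here is a small Python script that does by hand what composer audit and composer why do together: it reads composer.lock, which records every installed package including the transitive ones that never appear in composer.json, checks the installed version against an advisory's affected range, and walks the require maps backwards to show how the package got there. The lock file fragment and the root requirements are constructed for the example; the affected range is the one printed by composer audit above.

```python
"""Answer "do I have a vulnerable package installed, and why?" straight from
composer.lock, which records every installed package (transitive ones included),
then check the installed version against an advisory's affected range."""
import json
import operator
import re

# Constructed composer.lock fragment for illustration (not a real project's
# lock file); only the fields used below are present.
LOCK_JSON = """
{
  "packages": [
    {"name": "laravel/framework", "version": "v12.20.0",
     "require": {"php": "^8.2"}},
    {"name": "laravel/pulse", "version": "v1.4.3",
     "require": {"livewire/livewire": "^3.6", "laravel/framework": "^10.0|^11.0|^12.0"}},
    {"name": "livewire/livewire", "version": "v3.6.3",
     "require": {"illuminate/support": "^10.0|^11.0|^12.0"}}
  ],
  "packages-dev": [
    {"name": "pestphp/pest", "version": "v3.8.2",
     "require": {"pestphp/pest-plugin-arch": "^3.1.0"}},
    {"name": "pestphp/pest-plugin-arch", "version": "v3.1.1", "require": {}}
  ]
}
"""

# Constructed root composer.json requirements (what the app asks for directly).
ROOT_REQUIRE = {"laravel/framework": "^12.0", "laravel/pulse": "^1.4"}
ROOT_REQUIRE_DEV = {"pestphp/pest": "^3.8"}

_STAGE = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq, "=": operator.eq}


def parse_version(text):
    """Turn 'v3.6.3' or '3.0.0-beta.1' into a tuple that sorts the way Composer
    orders releases: numeric parts first, with any pre-release ranked below the
    stable release that carries the same numbers."""
    core, _, pre = text.lstrip("vV").partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))          # 3.6 == 3.6.0.0
    if not pre:
        return (nums, (1,))                  # stable release ranks highest
    match = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    if not match:
        return (nums, (0, 0, 0))
    stage = _STAGE.get(match.group(1).lower(), 0)
    return (nums, (0, stage, int(match.group(2) or 0)))


def version_affected(version, affected):
    """Evaluate an advisory range as printed by `composer audit`, e.g.
    '>=3.0.0-beta.1,<3.6.4' (',' = AND) or '>=3.0,<3.6.4|>=4.0,<4.0.2' ('|' = OR)."""
    installed = parse_version(version)
    for alternative in affected.split("|"):
        satisfied = True
        for clause in alternative.split(","):
            match = re.fullmatch(r"\s*(>=|<=|>|<|==|=)?\s*([\w.\-]+)\s*", clause)
            if not match:
                raise ValueError(f"unparseable constraint: {clause!r}")
            op = match.group(1) or "=="
            if not _OPS[op](installed, parse_version(match.group(2))):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def installed_packages(lock_text):
    """name -> (version, requires, is_dev) for every package in the lock file,
    from both the "packages" and "packages-dev" sections."""
    lock = json.loads(lock_text)
    found = {}
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = (pkg["version"], pkg.get("require", {}), is_dev)
    return found


def why(name, packages, root_require):
    """Every dependency chain from the root project down to `name`, found by
    walking the 'require' maps backwards (a hand-rolled `composer why -r`)."""
    dependents = {}
    for pkg, (_, requires, _) in packages.items():
        for dep in requires:
            dependents.setdefault(dep, []).append(pkg)
    chains = []

    def walk(pkg, path, seen):
        if pkg in root_require:
            chains.append(["<root>"] + path)
        for parent in dependents.get(pkg, []):
            if parent not in seen:           # guard against circular dependencies
                walk(parent, [parent] + path, seen | {parent})

    walk(name, [name], {name})
    return chains


def check_advisory(lock_text, package, affected, root_require):
    """Is `package` installed at all, at which version, is that version in the
    affected range, and which root requirements dragged it in?"""
    packages = installed_packages(lock_text)
    if package not in packages:
        return {"installed": False}
    version, _, is_dev = packages[package]
    return {
        "installed": True,
        "version": version,
        "dev_only": is_dev,
        "vulnerable": version_affected(version, affected),
        "why": why(package, packages, root_require),
    }


if __name__ == "__main__":
    root = {**ROOT_REQUIRE, **ROOT_REQUIRE_DEV}
    # Affected range copied from the composer audit output in the tip.
    result = check_advisory(LOCK_JSON, "livewire/livewire", ">=3.0.0-beta.1,<3.6.4", root)
    print(json.dumps(result, indent=2))
```

Run against the constructed lock file it reports livewire/livewire v3.6.3 as installed, vulnerable, and present only because laravel/pulse requires it. Point it at a real composer.lock and the same logic applies; the version ordering follows Composer's rule that a pre-release (alpha, beta, RC) sorts below the stable release with the same numbers, which is why 3.0.0-beta.1 is inside the range while 3.0.0-alpha.1 is not.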
composer show
$ composer show
brianium/paratest 7.8.3 Parallel testing for PHP
brick/math 0.13.1 Arbitrary-precision arithmetic library
carbonphp/carbon-doctrine-types 3.2.0 Types to use Carbon in Doctrine
dflydev/dot-access-data 3.0.3 Given a deep data structure, access data by dot notation.
...
laravel/framework 12.20.0 The Laravel Framework.
laravel/pail 1.2.3 Easily delve into your Laravel application's log files directly from the command line.
laravel/pint 1.24.0 An opinionated code formatter for PHP.
laravel/prompts 0.3.6 Add beautiful and user-friendly forms to your command-line applications.
laravel/pulse 1.4.3 Laravel Pulse is a real-time application performance monitoring tool and dashboard for yo...
laravel/sail 1.43.1 Docker files for running a basic Laravel application.
...
league/uri-interfaces 7.5.0 Common interfaces and classes for URI representation and interaction
livewire/livewire 3.6.3 A front-end framework for Laravel.
mockery/mockery 1.6.12 Mockery is a simple yet flexible PHP mock object framework
...
composer show (truncated, as it was 128 lines in this app...)
This will list every installed package (direct and transitive), the version currently in your vendor directory, and its description. It can be incredibly noisy, however, so you can narrow the output down a bit:
composer show <wildcard search>
$ composer show laravel/*
laravel/framework 12.20.0 The Laravel Framework.
laravel/pail 1.2.3 Easily delve into your Laravel application's log files directly from the command line.
laravel/pint 1.24.0 An opinionated code formatter for PHP.
laravel/prompts 0.3.6 Add beautiful and user-friendly forms to your command-line applications.
laravel/pulse 1.4.3 Laravel Pulse is a real-time application performance monitoring tool and dashboard for your Lara...
laravel/sail 1.43.1 Docker files for running a basic Laravel application.
laravel/serializable-closure 2.0.4 Laravel Serializable Closure provides an easy and secure way to serialize closures in PHP.
laravel/tinker 2.10.1 Powerful REPL for the Laravel framework.
composer show laravel/* (not truncated)
Using a wildcard search like laravel/* or *wire will return only the matching packages. Very helpful when you're checking packages by a specific vendor, or hunting for a package whose exact name you don't remember.
composer show <package>
$ composer show livewire/livewire
name : livewire/livewire
descrip. : A front-end framework for Laravel.
keywords :
versions : * v3.6.4
released : 2025-07-17, this week
type : library
license : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage :
source : [git] https://github.com/livewire/livewire.git ef04be759da41b14d2d129e670533180a44987dc
dist : [zip] https://api.github.com/repos/livewire/livewire/zipball/ef04be759da41b14d2d129e670533180a44987dc ef04be759da41b14d2d129e670533180a44987dc
path : /home/valorin/dev/securinglaravel/vendor/livewire/livewire
names : livewire/livewire
support
issues : https://github.com/livewire/livewire/issues
source : https://github.com/livewire/livewire/tree/v3.6.4
autoload
files
psr-4
Livewire\ => src/
requires
illuminate/database ^10.0|^11.0|^12.0
illuminate/routing ^10.0|^11.0|^12.0
illuminate/support ^10.0|^11.0|^12.0
illuminate/validation ^10.0|^11.0|^12.0
laravel/prompts ^0.1.24|^0.2|^0.3
league/mime-type-detection ^1.9
php ^8.1
symfony/console ^6.0|^7.0
symfony/http-kernel ^6.2|^7.0
requires (dev)
calebporzio/sushi ^2.1
laravel/framework ^10.15.0|^11.0|^12.0
mockery/mockery ^1.3.1
orchestra/testbench ^8.21.0|^9.0|^10.0
orchestra/testbench-dusk ^8.24|^9.1|^10.0
phpunit/phpunit ^10.4|^11.5
psy/psysh ^0.11.22|^0.12
Passing a specific package returns all the details about it: the installed version (the starred entry under versions), the exact commit it was built from, and its dependencies and autoload configuration. That is useful for confirming you really are on a fixed release, and for checking what a package itself pulls in.
Summary
These are just a few methods for checking if a package is installed, how it got there, and what version you've got. They all read the same data: composer.lock and vendor/composer/installed.json record every package Composer installed, including the transitive ones that never appear in composer.json, which is why checking composer.json alone is not enough. I'm sure there are more, but this should give you a very good starting point!
If you found this security tip useful, subscribe to get weekly Security Tips straight to your inbox. Upgrade to a premium subscription for exclusive monthly In Depth articles, or drop a coin in the tip jar to show your support.
When was the last time you had a penetration test? Book a Laravel Security Audit and Penetration Test, or a budget-friendly Security Review!
You can also connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.