{"id":45899285,"url":"https://github.com/cs278/composer-audit","last_synced_at":"2026-02-27T22:12:40.575Z","repository":{"id":46226657,"uuid":"226202047","full_name":"cs278/composer-audit","owner":"cs278","description":"Audit Composer dependencies for security vulnerabilities without using an external service.","archived":false,"fork":false,"pushed_at":"2025-11-13T13:57:32.000Z","size":81,"stargazers_count":7,"open_issues_count":4,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-13T14:31:54.714Z","etag":null,"topics":["composer-plugin","php"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cs278.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-12-05T22:45:54.000Z","updated_at":"2025-02-20T09:42:01.000Z","dependencies_parsed_at":"2023-02-18T09:30:57.544Z","dependency_job_id":null,"html_url":"https://github.com/cs278/composer-audit","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/cs278/composer-audit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cs278%2Fcomposer-audit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cs278%2Fcomposer-audit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cs278%2Fcomposer-audit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cs278%2Fcomposer-audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cs278","download_url":"https://codeload.github.com/cs278/composer-audit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cs278%2Fcomposer-audit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29917234,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"ssl_error","status_checked_at":"2026-02-27T19:37:41.463Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["composer-plugin","php"],"created_at":"2026-02-27T22:12:40.043Z","updated_at":"2026-02-27T22:12:40.568Z","avatar_url":"https://github.com/cs278.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"Composer Audit\n==============\n\nAudit your Composer dependencies for security vulnerabilities, uses\ndata from [FriendsOfPHP/security-advisories][]. Compatible with Composer 1 and 2.\n\nThis Composer plugin allows you to audit your dependencies for security\nvulnerabilities *without* sending your lock file to an\n[external service][security.symfony.com] or using\n[closed source software](https://github.com/symfony/cli/issues/37).\n\nNote this command is *distinct* from the `audit` command built into Composer ≥ 2.4.\n\nInstallation\n------------\n\nThis plugin can either be installed as a dependency in your project or “globally”\nso that it is always available on your machine.\n\n### Install as a development dependency\n\n```sh\ncomposer require --dev cs278/composer-audit ^1\n```\n\n### Install globally\n\n```sh\ncomposer global require cs278/composer-audit ^1\n```\n\nUsage\n-----\n\n### Audit dependencies\n\nThis will audit all locked dependencies from `composer.lock`.\n\nIf your package does not have a `composer.lock` file (e.g. because it’s a\nlibrary) the installed packages, located in `vendor/composer/installed.json`\nwill be validated instead.\n\n```sh\ncomposer security-audit\n```\n\n### Audit non development dependencies\n\nOnly audit your production dependencies from `composer.lock`, this option only\nworks when there is a `composer.lock` file.\n\n```sh\ncomposer security-audit --no-dev\n```\n\n### Update security advisories database\n\nYou can force an update of the security advisories database using the `--update`\noption, without this option being supplied the database will be downloaded if it\ndoes not exist or it’s more than an hour old. For example:\n\n```sh\ncomposer security-audit --update\n```\n\nConfiguration\n-------------\n\nComposer Audit can be configured using the [`extra`][composer.json extra] property\nin your `composer.json` file, all configuration should be supplied under the\n`composer-audit` key.\n\n```json\n{\n    ...\n    \"extra\": {\n        ...\n        \"composer-audit\": {\n            \"option1\": \"super\"\n        },\n        ...\n    },\n    ...\n}\n```\n\n### Ignoring an advisory\n\nCurrently only filtering advisories by CVE is possible, further options are planned.\n\n#### Ignoring an advisory by CVE\n\nYou are able to ignore warnings about an advisory by filtering based on its CVE\nreference, this is useful if you decide the risk is acceptable or not applicable\nand you cannot otherwise upgrade the package to resolve the problem.\n\n```json\n{\n    ...\n    \"extra\": {\n        ...\n        \"composer-audit\": {\n            \"ignore\": [\n                {\"type\": \"cve\", \"value\": \"CVE-2000-1234567\"},\n                {\"type\": \"cve\", \"value\": \"CVE-2000-7654321\"}\n            ]\n        },\n        ...\n    },\n    ...\n}\n```\n\nExample\n-------\n\n```sh\n# Require a vulnerable package\ncomposer require symfony/http-foundation 2.0.4\n\n# Require Composer Audit\ncomposer require --dev cs278/composer-audit ^1\n\ncomposer security-audit\nFound 9 advisories affecting 1 package(s).\n\ncomposer://symfony/http-foundation (2.0.4)\n* Request::getClientIp() when the trust proxy mode is enabled\n* CVE-2012-6431: Routes behind a firewall are accessible even when not logged in\n* CVE-2013-4752: Request::getHost() poisoning\n* CVE-2014-5244: Denial of service with a malicious HTTP Host header\n* CVE-2014-6061: Security issue when parsing the Authorization header\n* CVE-2015-2309: Unsafe methods in the Request class\n* CVE-2018-11386: Denial of service when using PDOSessionHandler\n* CVE-2018-14773: Remove support for legacy and risky HTTP headers\n* CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser\n```\n\nHyperlinks will be rendered to the appropriate CVE and advisory where available.\n\n[composer.json extra]: https://getcomposer.org/doc/04-schema.md#extra\n[FriendsOfPHP/security-advisories]: https://github.com/FriendsOfPHP/security-advisories\n[security.symfony.com]: https://security.symfony.com/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcs278%2Fcomposer-audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcs278%2Fcomposer-audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcs278%2Fcomposer-audit/lists"}