Composer 2.4 Release
Auditing dependencies for known security vulnerabilities
Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring to notify customers through various channels, but not every project can benefit from these solutions.

We are happy to announce that Composer now offers warnings about insecure dependency versions out of the box as part of every composer update (you can turn it off where it does not matter with --no-audit). On install you can get the same warnings, too, with the --audit option. By default, audit on install is off to improve performance, because most installs run automatically without anyone looking at their output, and you can get the information when manually editing the lock file with update.
Additionally, you can use the new audit command to view a list of all security advisories affecting any of the installed dependencies. The command is particularly helpful when trying to inspect an old project's dependencies.
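Because audit on install is off by default, a CI pipeline that runs composer install will not see these warnings unless it calls the audit command itself. The following is an added example, not Composer's own code: it reads the JSON printed by composer audit --format=json, uses composer.lock to tell production packages from dev-only ones, and fails the build only for advisories against production packages. The advisory field names, the sample audit output and the lock excerpt are constructed assumptions; confirm the JSON shape and the --format option against the Composer version you run.

```python
import json
import subprocess
import sys

# Constructed sample of `composer audit --format=json` output (field names assumed).
SAMPLE_AUDIT = json.dumps({"advisories": {
    "vendor/web-lib": [{"advisoryId": "PKSA-example-1", "packageName": "vendor/web-lib",
                        "affectedVersions": "<2.1.0", "title": "Example issue",
                        "cve": None, "link": "https://example.invalid/advisory/1"}],
    "vendor/test-tool": [{"advisoryId": "PKSA-example-2", "packageName": "vendor/test-tool",
                          "affectedVersions": "<9.0", "title": "Example dev-only issue",
                          "cve": "CVE-XXXX-XXXXX", "link": "https://example.invalid/advisory/2"}],
}})
# Constructed composer.lock excerpt: only the keys this check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "vendor/web-lib", "version": "2.0.3"}],
    "packages-dev": [{"name": "vendor/test-tool", "version": "8.5.1"}],
})

def classify(audit_json: str, lock_json: str) -> dict:
    """Split advisories into production, dev-only and unknown groups using composer.lock."""
    advisories = json.loads(audit_json).get("advisories", {})
    lock = json.loads(lock_json)
    prod = {p["name"] for p in lock.get("packages", [])}
    dev = {p["name"] for p in lock.get("packages-dev", [])}
    out = {"prod": [], "dev": [], "unknown": []}
    for pkg, items in advisories.items():
        bucket = "prod" if pkg in prod else "dev" if pkg in dev else "unknown"
        for a in items:
            out[bucket].append((pkg, a.get("advisoryId"), a.get("cve"), a.get("affectedVersions")))
    return out

def exit_code(report: dict, fail_on_dev: bool = False) -> int:
    """Non-zero when production (or unclassifiable, or optionally dev-only) advisories exist."""
    blocking = report["prod"] + report["unknown"] + (report["dev"] if fail_on_dev else [])
    return 1 if blocking else 0

def run_composer_audit() -> str:
    """Real invocation; composer audit exits non-zero when advisories exist, so no check=True."""
    proc = subprocess.run(["composer", "audit", "--format=json"], capture_output=True, text=True)
    return proc.stdout

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--real":
        audit = run_composer_audit()
        with open("composer.lock") as fh:
            lock = fh.read()
    else:
        audit, lock = SAMPLE_AUDIT, SAMPLE_LOCK
    report = classify(audit, lock)
    for bucket, rows in report.items():
        for row in rows:
            print(bucket, *row)
    sys.exit(exit_code(report))
```

Run without arguments to see the constructed sample classified; run with --real inside a project directory to gate on the actual composer audit output.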
See #10798 and #10898