Marco Pivetta (Ocramius)

roave/security-advisories: Composer against Security Vulnerabilities

Since it's almost christmas, it's also time to release a new project!

The Roave Team is pleased to announce the release of roave/security-advisories, a package that keeps known security issues out of your project.

Before telling you more, go grab it:

mkdir roave-security-advisories-test
cd roave-security-advisories-test
curl -sS | php --

./composer.phar require roave/security-advisories:dev-master

Hold on: I will tell you what to do with it in a few.

What is it?

roave/security-advisories is a composer package that prevents installation of packages with known security issues.

Yet another one?

Last year, Fabien Potencier announced the project. This october, he announced again that the project was being moved to the open-source FriendsOfPHP organization.

While I like the idea of integrating security checks with my CI, I don't like the fact that it is possible to install and run harmful software before those checks.
I also don't want to install and run an additional CLI tool for something that composer can provide directly.

That's why I had the idea of just compiling a list of conflict versions from into a composer metapackage:


This has various advantages:

  • No files or actual dependencies are added to the project, since a "metapackage" does not provide a vendor directory by itself
  • Packages with security issues are filtered out during dependency resolution: they will not even be downloaded
  • No more CLI tool to run separately, no more CI setup steps
  • No need to upgrade the tool separately
  • No coupling or version constraints with any dependencies used by similar CLI-based alternatives

Try it out!

Now that you installed roave/security-advisories, you can try out how it works:

cd roave-security-advisories-test

./composer.phar require symfony/symfony:2.5.2 # this will fail
./composer.phar require zendframework/zendframework:2.3.1 # this will fail
./composer.phar require symfony/symfony:~2.6 # works!
./composer.phar require zendframework/zendframework:~2.3 # works!

Simple enough!

Please just note that this only works when adding new dependencies or when running composer update: security issues in your composer.lock cannot be checked with this technique.

Why is there no tagged version?

Because of how composer dependency resolution works, it is not possible to have more than one version of roave/security-advisories other than dev-master. More about this is on the project page


Tags: php, security, composer, packagist