Some of my apps use more than 30 composer packages.
Using all these packages got me thinking: what if one of them discovers a critical issue that needs updating? I can’t just manually recheck them all every day.
Please note that I don’t want to update just for new features when in production, only want to do critical updates, so I can’t just check if there is a new version out.
I thought of using minor patch numbers for these, but I don’t think that’s enough since some packages do not provide security updates for old versions.
My question is:
Is there a simple way to keep an eye on all these packages to know if there is a critical security issue or bug that needs updating? (Maybe there is a flag option I’m not aware of, to only update packages flagged as “critical-bug-fix”?)
Do you professional guys just require packages and forget they are there once you reach production?
P.S. I heard we shouldn’t really run composer update in production, so in case of a critical update, how should we proceed?
The easiest way is to use the roave/security-advisories package. This is a Composer package which contains only a set of conflict rules against packages with known vulnerabilities. In practice you will not be able to install/update this package if you have security issues in your dependencies.
To install the package:
composer require --dev roave/security-advisories:dev-master
After this you can test your dependencies using:
composer update --dry-run roave/security-advisories
If either of these commands results in a “Your requirements could not be resolved to an installable set of packages” error, you should take a look at the conflicting packages, since they probably have some known security issues.
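As an added illustration, not part of the question or the answer above, the following Python script reproduces offline what Composer does when it resolves roave/security-advisories: it reads the installed packages from a composer.lock and tests each version against conflict constraints written in the same form as that package's composer.json "conflict" section. The lock contents, package names and version ranges here are constructed for the example and do not describe real advisories; the constraint parser handles only the comparison operators and the `|` (or) and `,` (and) combinators used by such conflict rules, not Composer's full constraint grammar (`^`, `~`, `*`, hyphen ranges).

```python
"""Check a composer.lock against roave/security-advisories-style conflict rules, offline."""
import json
import re
import sys

# Constructed sample composer.lock content; not a real lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-kit", "version": "v2.8.10"},
        {"name": "example/template", "version": "3.1.0"},
    ],
    "packages-dev": [
        {"name": "example/testing-helpers", "version": "1.0.2"},
    ],
})

# Constructed conflict rules in the shape of the "conflict" section of
# roave/security-advisories' composer.json. Hypothetical packages and ranges.
SAMPLE_CONFLICTS = {
    "example/http-kit": "<2.7.49|>=2.8,<2.8.44|>=3,<3.0.3",
    "example/template": ">=3.0,<3.1.0",
    "example/testing-helpers": "<1.0.2",
}

_OP_RE = re.compile(r"^(<=|>=|!=|==|<|>|=)?\s*(.+)$")


def parse_version(version):
    """Normalise 'v2.8.10', '2.8' or '1.0.2-beta1' to a 4-tuple like Composer does."""
    core = version.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])


def _match_one(v, part):
    """Evaluate a single comparison such as '<2.8.44' against a parsed version."""
    m = _OP_RE.match(part)
    op = m.group(1) or "="
    target = parse_version(m.group(2))
    return {
        "<": v < target, "<=": v <= target, ">": v > target, ">=": v >= target,
        "=": v == target, "==": v == target, "!=": v != target,
    }[op]


def matches(version, constraint):
    """True if the version falls inside the constraint ('|' = or, ',' = and)."""
    v = parse_version(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        parts = [p for p in re.split(r"\s*,\s*|\s+", alternative.strip()) if p]
        if parts and all(_match_one(v, p) for p in parts):
            return True
    return False


def installed_packages(lock_json):
    """Map package name -> locked version, including dev requirements."""
    lock = json.loads(lock_json)
    return {p["name"]: p["version"]
            for key in ("packages", "packages-dev")
            for p in lock.get(key, [])}


def find_conflicts(lock_json, conflicts):
    """Return (name, version, rule) for every locked package that hits a conflict rule.

    This is the same condition under which Composer would refuse to install
    roave/security-advisories alongside the project's dependencies.
    """
    hits = []
    for name, version in installed_packages(lock_json).items():
        rule = conflicts.get(name)
        if rule and matches(version, rule):
            hits.append((name, version, rule))
    return hits


if __name__ == "__main__":
    # Usable as a CI gate: non-zero exit when any locked package is in a conflict range.
    hits = find_conflicts(SAMPLE_LOCK, SAMPLE_CONFLICTS)
    for name, version, rule in hits:
        print(f"{name} {version} conflicts with advisory range {rule}")
    sys.exit(1 if hits else 0)
```

Run against the constructed data, only example/http-kit v2.8.10 is reported (it falls inside ">=2.8,<2.8.44"); example/template 3.1.0 sits exactly on the upper bound of its range and is clean, which is the boundary case worth checking when you read a conflict rule by eye. Pointing the script at a real composer.lock and the real conflict list gives the same verdict as `composer update --dry-run roave/security-advisories`, but without needing network access or a writable vendor directory, which is what you want on a production host where running composer update is not an option.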