
php – Composer is really cool, but how do we know if there is a critical bug in one of the required packages?

Posted by: admin February 25, 2020

Questions:

Some of my apps use more than 30 composer packages.

Using all these packages got me thinking: what if a critical issue that needs updating is discovered in one of them? I can’t just manually recheck them all every day.

Please note that I don’t want to update just for new features when in production, only want to do critical updates, so I can’t just check if there is a new version out.

I thought of using minor patch numbers for these, but I don’t think that’s enough since some packages do not provide security updates for old versions.

My question is:

Is there a simple way to keep an eye on all these packages to know if there is a critical security issue or bug that needs updating? (Maybe there is a flag option I’m not aware of, to only update packages flagged as “critical-bug-fix”?)

Do you professional guys just require packages and forget they are there once you reach production?

P.S. I heard we shouldn’t really run composer update in production, so in case of a critical update how should we proceed?

How to & Answers:

The easiest way is to use the roave/security-advisories package. This is a Composer package that contains only a set of conflict rules with packages that have known vulnerabilities. In practice, you will not be able to install/update this package if you have security issues in your dependencies.

To install package:

composer require --dev roave/security-advisories:dev-master

After this you can test your dependencies using:

composer update --dry-run roave/security-advisories

If any of these commands result in a “Your requirements could not be resolved to an installable set of packages” error, you should take a look at the conflicting packages, since they probably have some known security issues.
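One way to turn that dry-run into a CI gate, as an added example that is not part of the original answer: it assumes composer is on PATH, that the project already requires roave/security-advisories:dev-master as a dev dependency, and that the function names are hypothetical.

```shell
#!/bin/sh
# Added CI gate (not from the original answer). Assumes composer is on PATH and
# the project already has roave/security-advisories:dev-master as a dev
# dependency. Function names are hypothetical.

RESOLVER_ERROR='Your requirements could not be resolved to an installable set of packages'

# True (exit 0) when Composer's resolver output shows the advisories package
# could not be installed, i.e. at least one dependency matches a known advisory.
advisories_conflict_detected() {
    printf '%s\n' "$1" | grep -q "$RESOLVER_ERROR"
}

# Print only the resolver lines that name a conflicting package, so the CI log
# shows which dependency needs a security update (leading "- " is stripped).
conflicting_packages() {
    printf '%s\n' "$1" | grep 'conflicts with' | sed 's/^[[:space:]]*-[[:space:]]*//'
}

# Dry-run an update of just the advisories package: the lock file is not
# modified and nothing is installed, but the latest conflict rules are resolved
# against the currently locked dependency versions.
check_advisories() {
    command -v composer >/dev/null 2>&1 || { echo "composer not found" >&2; return 2; }
    output=$(composer update --dry-run roave/security-advisories 2>&1)
    if advisories_conflict_detected "$output"; then
        echo "Known security advisory matches a locked dependency:" >&2
        conflicting_packages "$output" >&2
        return 1
    fi
    echo "No locked dependency matches a known advisory."
    return 0
}

# Run the gate only when invoked explicitly, e.g. `sh check-advisories.sh --run`
# from a CI job; a non-zero exit fails the build.
if [ "${1:-}" = "--run" ]; then
    check_advisories
fi
```

Because the check uses --dry-run, it is safe to run against a production lock file; the actual fix is still done by updating the flagged package in development and deploying the new composer.lock.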