Auditing dependencies for known security vulnerabilities
Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring to notify customers through various channels, but not every project can benefit from these solutions.
We are happy to announce that Composer now offers warnings about insecure dependency versions out of the box as part of every composer update (you can turn it off where it does not matter with --no-audit). On composer install you can get the same warnings, too, with the --audit option. By default, audit on install is off to improve performance, because most installs run automatically without anyone looking at their output, and you can get the information when manually editing the lock file with composer update. Note the consequence for automation: a pipeline that only ever runs composer install never sees these warnings unless it passes --audit explicitly.
Additionally, you can use the new composer audit command to view a list of all security advisories affecting any of the installed dependencies. The command is particularly helpful when inspecting an old project's dependencies, where the lock file has not been touched in a long time.
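To make concrete what the audit step actually checks, here is an added example (it is not Composer's own code and does not come from the Composer team) that re-implements the core of it in Python: read the installed versions from composer.lock and match them against advisories whose affectedVersions field uses Composer's constraint syntax (`,` for "all must hold", `|` for alternatives). The lock excerpt and the advisory feed are constructed for the example; the field names (advisories, advisoryId, affectedVersions, cve, title) are assumed to mirror what the Packagist security-advisories API that Composer consults returns, and the version parser covers numeric releases plus alpha/beta/RC/dev suffixes only, not branch aliases like 2.0.x-dev.

```python
"""Re-implementation of the check behind `composer audit` (added example,
not Composer's own code): read installed versions from composer.lock and
match them against advisories expressed in Composer constraint syntax."""
import json
import re

# Constructed composer.lock excerpt, reduced to the fields the check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http", "version": "v2.3.0"},
        {"name": "acme/orm", "version": "1.9.4"},
    ],
    "packages-dev": [
        {"name": "acme/testkit", "version": "0.4.0-beta2"},
    ],
})

# Constructed advisory feed. The field names are assumed to mirror the
# Packagist security-advisories API; packages, ids and ranges are invented.
SAMPLE_ADVISORIES = {
    "advisories": {
        "acme/http": [{
            "advisoryId": "EXAMPLE-0001", "cve": None,
            "title": "Header injection in response builder",
            "affectedVersions": ">=2.0.0,<2.3.1|>=1.0.0,<1.8.2",
        }],
        "acme/orm": [{
            "advisoryId": "EXAMPLE-0002", "cve": None,
            "title": "SQL injection in order-by clause",
            "affectedVersions": "<1.9.0",
        }],
        "acme/testkit": [{
            "advisoryId": "EXAMPLE-0003", "cve": None,
            "title": "Path traversal in fixture loader",
            "affectedVersions": ">=0.4.0-beta1,<0.4.0",
        }],
    }
}

_VERSION = re.compile(r"v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc|dev)\.?(\d*))?", re.I)
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_STABLE = 4


def version_key(version):
    """Sortable key for a Composer-style version: numeric parts padded to
    four, then pre-release rank (dev < alpha < beta < RC < stable) and its
    number. Branch aliases such as 2.0.x-dev are rejected."""
    m = _VERSION.fullmatch(version.strip())
    if not m:
        raise ValueError("unsupported version: %r" % version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    if m.group(2) is None:
        return nums + (_STABLE, 0)
    return nums + (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))


_COMPARISON = re.compile(r"(>=|<=|!=|==|>|<|=)?\s*(\S+)")
_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "!=": lambda a, b: a != b,
    "==": lambda a, b: a == b, "=": lambda a, b: a == b, None: lambda a, b: a == b,
}


def _parse_comparison(text):
    m = _COMPARISON.fullmatch(text)
    if not m:
        raise ValueError("unsupported comparison: %r" % text)
    return m.groups()


def is_affected(version, constraint):
    """True if `version` satisfies `constraint`. As in Composer, `|` (or `||`)
    separates alternatives and `,` joins comparisons that must all hold."""
    key = version_key(version)
    for alternative in re.split(r"\s*\|\|?\s*", constraint.strip()):
        comparisons = [c.strip() for c in alternative.split(",") if c.strip()]
        if comparisons and all(
            _OPS[op](key, version_key(ver))
            for op, ver in (_parse_comparison(c) for c in comparisons)
        ):
            return True
    return False


def audit_lock(lock_json, advisories, include_dev=True):
    """Return (package, installed_version, advisory) for every installed
    package whose version falls inside an advisory's affected range.
    Dev packages are included unless include_dev is False (cf. --no-dev)."""
    lock = json.loads(lock_json)
    installed = list(lock.get("packages", []))
    if include_dev:
        installed += lock.get("packages-dev", [])
    hits = []
    for pkg in installed:
        for adv in advisories.get("advisories", {}).get(pkg["name"], []):
            if is_affected(pkg["version"], adv["affectedVersions"]):
                hits.append((pkg["name"], pkg["version"], adv))
    return hits


if __name__ == "__main__":
    findings = audit_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for name, ver, adv in findings:
        print("%s %s: %s %s (affected: %s)"
              % (name, ver, adv["advisoryId"], adv["title"], adv["affectedVersions"]))
    # Non-zero exit when there are findings, so a CI job can fail on it,
    # the same idea as the exit status of composer audit.
    raise SystemExit(1 if findings else 0)
```

Run as a script it reports acme/http 2.3.0 and the pre-release acme/testkit build and exits 1, while acme/orm 1.9.4 is outside its advisory's range. The pre-release case is the one worth noticing: 0.4.0-beta2 sorts below 0.4.0, so a naive numeric comparison that ignored the suffix would have declared it fixed.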
Support for bash completions
Bash completions allow you to use tab completion for composer commands in your terminal. This requires a couple of manual setup steps but is well worth doing.
Once set up, typing composer upd[tab], for example, will complete to composer update. Pressing [tab] again will then show you a list of package names that you have installed and could be updated. This also works for require when looking for new package names, as well as for many other commands, arguments and option names.
Bumping your version constraints more easily
The new bump command lets you increase your requirements to match the versions currently installed. For example, if you require package "foo/bar": "^1" but you currently have 1.5.3 installed, running composer bump foo/bar will update your composer.json requirement to "^1.5.3".
Bumping requirements ensures dependencies do not later downgrade due to a conflict with a new dependency or an incompatibility among newer releases of existing dependencies. As a small bonus it can make dependency resolution faster as Composer can safely skip older releases without having to consider them for potential installation.
Please be cautious though: if you maintain open source libraries you should keep your requirements as broad as possible to avoid dependency hell for your users. For this reason we do not recommend using bump on libraries without the --dev-only flag, and any project where the composer.json type is not set to project will warn you about this.
You can bump a single package or a set of packages with the same pattern syntax as partial update command calls, i.e. composer bump foo/bar baz/* *lala* will bump the package foo/bar as well as all packages matching the baz/* and *lala* patterns.
Find out about other minor features and bugfixes in the complete changelog.