Checking for Vulnerabilities with Composer

Composer is a brilliant tool, and coupled with the thousands upon thousands of packages you can install with it, it considerably reduces how much work we have to do to develop software.

Naturally, with that come risks. From time to time vulnerabilities are found in packages, and consequently your applications can be left exposed too. All is not lost, however: services such as the SensioLabs Security Checker collate known vulnerabilities in PHP packages and make that list available to everyone. I'm going to show you how to install a vulnerability checker in your PHP application and have it run each time you install or update packages with Composer.

Let's start by creating an empty folder and installing something I know has vulnerabilities: PHPMailer version 5.2.20 (the version the checker reports below). You can see where they fixed it here, and some details about the problem there.

Now, that version is way behind what is available, so don’t be using it in your projects, OK?!

Next, let's download the Security Checker PHAR file and place it in the root of the folder. You can grab it from this location.

Let's now check our packages manually:

[CRITICAL] 1 package has known vulnerabilities

phpmailer/phpmailer (v5.2.20)

* CVE-2017-5223: Local File Disclosure

* CVE-2017-11503: XSS vulnerability in code example

Eek! Pretty scary.

I don't really want to keep doing that each time I add packages, though, so let's make a change to our composer.json file and get that check happening automatically.

Edit composer.json and add the following:

Now run composer update and see the magic:

Checking security of packages
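The whole workflow above, as an added example that is not code from the original post or from the Security Checker project: it creates the folder, pins the vulnerable PHPMailer release, runs the manual check, and registers the same check on Composer's post-install-cmd and post-update-cmd events. It assumes composer and php are on your PATH and that the PHAR downloaded from the link above is saved as security-checker.phar in the current directory; the helper names (write_composer_json, vulnerable_package_count, demo) are this example's own. One caveat a practitioner will want: the PHAR only reads composer.lock, and it exits non-zero when it finds advisories, which is what makes composer update fail once the hook is in place. The SensioLabs checking service itself has since been retired; on Composer 2.4 or newer the built-in composer audit does the same job against Packagist's advisory database and also exits non-zero when it finds advisories, so it can be hooked on the same events.

```shell
#!/bin/sh
# Added example, not code from the original post or the Security Checker
# project. Assumptions: `composer` and `php` are on PATH, and the PHAR from
# the post is saved as security-checker.phar next to this script.
set -eu

# The manual check from the post: reads composer.lock and exits non-zero
# when it finds advisories, so Composer can abort on it later.
security_check() {
    php security-checker.phar security:check composer.lock
}

# Write a composer.json that pins the vulnerable release (version taken from
# the post) and registers the same check on the two events Composer fires
# after dependencies change.
write_composer_json() {
    cat > "$1" <<'JSON'
{
    "require": {
        "phpmailer/phpmailer": "5.2.20"
    },
    "scripts": {
        "post-install-cmd": "php security-checker.phar security:check composer.lock",
        "post-update-cmd": "php security-checker.phar security:check composer.lock"
    }
}
JSON
}

# Pull the package count out of a checker report such as
# "[CRITICAL] 1 package has known vulnerabilities"; prints 0 for a clean
# report. Handy in CI to summarise the result separately from the exit code.
vulnerable_package_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\[CRITICAL\] \([0-9][0-9]*\) package.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Full walk-through: new folder, vulnerable dependency, manual check, hook.
demo() {
    here=$(pwd)
    dir=$(mktemp -d)
    cp "$here/security-checker.phar" "$dir/"   # fails loudly if it is missing
    cd "$dir"

    write_composer_json composer.json
    # Install without running scripts so the manual check below is the first one.
    composer install --no-scripts

    report=$(security_check 2>&1) && status=0 || status=$?
    echo "$report"
    echo "vulnerable packages: $(vulnerable_package_count "$report") (exit status $status)"

    # From now on every install/update runs the check. With 5.2.20 pinned this
    # command fails, which is exactly the behaviour you want in CI.
    composer update
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check-demo.sh demo` (name assumed) from the folder holding the PHAR. The hook commands use the plain `php security-checker.phar` form so they work with any Composer version; the point to remember is that a failing hook fails the whole composer command, so keep the check on post-update-cmd rather than somewhere it can be quietly ignored.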

If you want to find out more about which Composer events you can hook commands onto, the Composer scripts documentation lists them; you can look here.

Keep safe, folks.


Written by Stephen Moon