PHP Composer Package Health Checker | ReleaseRun

PHP Composer Package Health

Check any Composer package for latest version, known CVEs, and active maintenance before composer require.

Popular packages to check:

📦 More Dependency Health Tools

Browse all 19 free tools in the Dependency Health collection — npm, PyPI, Go, Rust, Maven, PHP Composer, NuGet, RubyGems health checkers and more.

PHP Composer Package Health Overview

Composer is PHP's dependency manager, handling package installation, version resolution, and autoloading for millions of PHP projects. Whether you're running Laravel, Symfony, WordPress with Composer, or a standalone PHP application, the packages declared in your composer.json form the dependency surface that attackers look for vulnerabilities in.

The PHP ecosystem has been the target of multiple high-profile supply chain attacks and CVEs, including vulnerabilities in popular packages like Guzzle, PHPMailer, and SwiftMailer. Keeping packages current is not optional — it's operational security hygiene.

How the Checker Works

The PHP Composer Package Health checker accepts your composer.json content (or just the require and require-dev blocks) and runs it against:

Packagist — to find the latest stable version of each package
SensioLabs Security Advisories Database — the canonical source for PHP package CVEs
PHP.watch and PHPStan advisories — for deprecation and compatibility warnings

Results are scored by severity: critical (active CVE in locked version), high (outdated major version), medium (minor version behind with known fixes), and low (minor patch behind).

Understanding Composer Version Constraints

Composer version ranges work differently than many developers expect:

^1.2 means >=1.2.0 <2.0.0 — allows minor and patch updates, blocks major
~1.2 means >=1.2.0 <1.3.0 — allows only patch updates
* or @dev — allows any version including dev releases, never use in production
=1.2.3 — exact version lock, prevents security patches from applying automatically

The health checker flags constraints that are too loose (wildcards, dev) or too tight (exact pins on packages with known CVEs).

Best Practices

Never use * or dev-master as version constraints in production
Run composer audit on every composer install in CI
Separate production and development dependencies using Composer groups
Keep composer.lock in version control — always
Review the CHANGELOG before running composer update on major framework packages
Use Roave/SecurityAdvisories as a dev dependency — it prevents installation of packages with known CVEs

Frequently Asked Questions

What is Roave/SecurityAdvisories?

A Composer package with no code — its only purpose is to declare conflicts against all known vulnerable PHP package versions. Adding it as a dev dependency means Composer will refuse to install or update to a package version with a known CVE.

How do I check PHP packages without running composer install?

Use this health checker — paste your composer.json or composer.lock and get results without needing a local PHP environment. Alternatively, use the local-php-security-checker CLI tool (by Fabien Potencier) which reads composer.lock directly.

See also: PHP Developer Tools — all related tools and version tracking on ReleaseRun.