
PHP's dependency ecosystem is managed through Composer and the composer.json/composer.lock files. Packagist hosts 300,000+ PHP packages. ReleaseRun provides free tools for auditing PHP Composer dependencies, checking CVEs in packages, and tracking PHP and Laravel/Symfony release status.

PHP Dependency Health Checkers

composer.json Health Checker

The composer.json Health Checker scans your composer.json for packages with known security advisories (from the SensioLabs Security Advisories database), outdated major versions, and abandoned packages. Paste your composer.json for an instant report.

Composer Package Health Checker

The Composer Package Health Checker checks an individual Packagist package's version history, active maintenance status, and known CVEs. Useful when evaluating a new package before adding it as a dependency.

PHP Release History and EOL

PHP releases one new minor version per year (November). Each version receives 3 years of support: 2 years of active support (bug fixes + security) and 1 year of security-only patches. The PHP Release History page covers the full version timeline and support windows.

PHP 8.0 reached EOL in November 2023. PHP 7.4 has been EOL since November 2022. Running PHP 7.4 or 8.0 means operating an unsupported runtime — no security patches for any CVEs discovered after the EOL date.

PHP Framework Support

PHP version requirements vary by framework:

PHP Security Tools

  • composer audit — built into Composer 2.4+, scans installed packages against the GitHub Advisory Database
  • Psalm — PHP static analysis tool with security rule sets
  • PHPStan — static analysis, widely used for type safety in PHP 8.x codebases

All PHP Tools on ReleaseRun