Composer Fix
Overview
Currently, running composer update isn’t fun. Every package could be compromised. Of course, a minimum release age helps. You can use my composer soak time plugin for that. Still, I feel like that isn’t enough. I want to only upgrade what needs to be upgraded.
The npm cli has npm audit and npm audit fix. Composer only had composer audit. Now there's composer fix, which does exactly what npm audit fix does, down to the --force flag. On top of that, it respects everything you set in composer soak time!
Easy safe upgrades for only the dependencies that actually need them.
How it works
Check the installed packages against Composer's advisory API.
Build the list of installed packages with known CVEs.
With --force: resolve the lowest safe version for each affected root requirement and rewrite its constraint.
Run a targeted composer update on the affected packages.
Re-audit and report anything still vulnerable.
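Steps 2 and 3 of that procedure, worked through offline as an added example (not the plugin's own code): advisory data is constructed, CVE ids are placeholders, and it is assumed that ranges follow Packagist's affectedVersions syntax ("|" separates alternatives, commas AND comparisons) and that versions are plain numeric, without stability suffixes.

```python
# Added example, not innobrain/composer-fix's own code: steps 2 and 3 above on constructed data.
# ASSUMPTION: ranges use Packagist's affectedVersions syntax ("|" alternatives, comma-ANDed comparisons).
import operator
import re
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt,
       "!=": operator.ne, "==": operator.eq, "=": operator.eq}

def parse_version(v):
    # "v1.2" -> (1, 2, 0, 0); plain numeric versions only (no -beta suffixes).
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version, constraint):
    ver = parse_version(version)
    for alternative in re.split(r"\|\|?", constraint):
        checks = []
        for comparison in alternative.split(","):
            m = re.fullmatch(r"\s*(>=|<=|!=|==|>|<|=)?\s*v?([\d.]+)\s*", comparison)
            if not m:
                raise ValueError(f"unsupported constraint: {comparison!r}")
            checks.append(OPS[m.group(1) or "=="](ver, parse_version(m.group(2))))
        if all(checks):
            return True
    return False

def vulnerable_packages(installed, advisories):
    # Step 2: package -> CVEs whose range covers the installed version (clean packages dropped).
    hits = {n: [a["cve"] for a in advisories.get(n, []) if is_affected(v, a["affectedVersions"])]
            for n, v in installed.items()}
    return {n: cves for n, cves in hits.items() if cves}

def lowest_safe_version(name, available, advisories):
    # Step 3: smallest release matched by none of the package's advisories (a release can escape one yet sit in another).
    for candidate in sorted(available, key=parse_version):
        if not any(is_affected(candidate, a["affectedVersions"]) for a in advisories.get(name, [])):
            return candidate
    return None  # no safe release yet: keep the constraint and report the package

def force_plan(installed, available, advisories):
    # What --force would rewrite each affected root requirement to.
    return {n: lowest_safe_version(n, available[n], advisories) for n in vulnerable_packages(installed, advisories)}

# Constructed sample data; the CVE ids are placeholders, not real advisories.
INSTALLED = {"acme/http": "2.3.0", "acme/yaml": "1.0.5", "acme/log": "3.1.0"}
ADVISORIES = {
    "acme/http": [{"cve": "CVE-0000-0001", "affectedVersions": ">=2.0,<2.3.2|>=3.0,<3.0.4"},
                  {"cve": "CVE-0000-0002", "affectedVersions": "<2.4.0"}],
    "acme/yaml": [{"cve": "CVE-0000-0003", "affectedVersions": ">=1.0,<1.0.7"}]}
AVAILABLE = {"acme/http": ["2.3.0", "2.3.2", "2.4.0", "3.0.4"], "acme/yaml": ["1.0.5", "1.0.6", "1.0.7", "1.1.0"]}
```

Note that acme/http 2.3.2 leaves the first advisory but is still inside the second, so the plan picks 2.4.0; a package with no safe release maps to None and is left for the re-audit report.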
Installation
Easy enough, install as a global plugin and have it available everywhere:
composer global require innobrain/composer-fix