Composer Fix

Overview

Currently, running composer update isn't fun: a blanket update pulls in the newest release of every package, so every one of them could be compromised. A minimum release age helps, and you can use my composer soak time plugin for that. Still, that isn't enough. I want to upgrade only what needs to be upgraded.

The npm CLI has npm audit and npm audit fix. Composer only had composer audit. Now there's composer fix, which does what npm audit fix does, including the --force flag. On top of that, it respects everything you configured in composer soak time, so a fix never pulls in a release that is younger than your minimum release age.

Easy safe upgrades for only the dependencies that actually need them.

How it works

  • Check the installed packages (from composer.lock) against Composer's security advisory API, the same source composer audit uses.

  • Build the list of packages whose installed version falls inside an advisory's affected range.

  • With --force: resolve the lowest safe version per affected root requirement and rewrite its constraint in composer.json.

  • Run a targeted composer update on the affected packages only, not on the whole lock file.

  • Re-audit and report anything still vulnerable (for example a package with no safe release yet).
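The following is an added, stand-alone illustration of the five steps above; it is not the plugin's own code. It re-implements the advisory matching, the lowest-safe-version pick and the re-audit against constructed inputs so it runs offline: INSTALLED stands in for the packages section of composer.lock, ADVISORIES mimics the shape of the Packagist security-advisory API response (the advisoryId and CVE values are made up), and AVAILABLE is an assumed list of versions the repository offers. The caret constraint written with --force and the exact update argv are assumptions, and the soak-time minimum release age the real plugin applies is not modelled here.

```python
import re

# Constructed stand-in for the "packages" section of composer.lock (name -> installed version).
INSTALLED = {"vendor/http": "1.4.0", "vendor/orm": "2.3.1", "vendor/clean": "3.0.0"}

# Constructed response in the shape of the Packagist advisory API
# (GET https://packagist.org/api/security-advisories/?packages[]=vendor/http ...).
# Identifiers are made up. 'affectedVersions' uses Composer constraint syntax:
# '|' separates OR ranges, ',' ANDs terms inside a range.
ADVISORIES = {"advisories": {
    "vendor/http": [{"advisoryId": "PKSA-example-1", "cve": "CVE-0000-0001",
                     "affectedVersions": ">=1.0.0,<1.4.2|>=2.0.0,<2.0.5"}],
    "vendor/orm": [{"advisoryId": "PKSA-example-2", "cve": "CVE-0000-0002",
                    "affectedVersions": ">=2.3.0,<2.3.4"},
                   {"advisoryId": "PKSA-example-3", "cve": "CVE-0000-0003",
                    "affectedVersions": "<2.4.0"}],
}}

# Assumed list of versions the repository offers (the plugin gets these from Composer itself).
AVAILABLE = {"vendor/http": ["1.3.9", "1.4.0", "1.4.1", "1.4.2", "1.5.0", "2.0.4", "2.0.5"],
             "vendor/orm": ["2.3.1", "2.3.4", "2.3.5", "2.4.0"]}

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "==": lambda a, b: a == b}


def vtuple(v):
    """Normalise '1.4' / 'v1.4.2' to a 4-part integer tuple so 1.4 == 1.4.0.0, as Composer does."""
    parts = [int(x) for x in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def matches(version, constraint):
    """True if `version` lies inside a Composer-style range (OR groups on '|', AND terms on ',')."""
    ver = vtuple(version)
    for group in re.split(r"\|\|?", constraint):
        ok = True
        for term in filter(None, re.split(r"[,\s]+", group.strip())):
            m = re.fullmatch(r"(<=|>=|==|<|>|=)?v?(\d+(?:\.\d+){0,3})", term)
            if not m:
                raise ValueError("unsupported constraint term: " + term)
            if not _OPS[m.group(1) or "="](ver, vtuple(m.group(2))):
                ok = False
                break
        if ok:
            return True
    return False


def audit(installed, advisories):
    """Steps 1-2: map each installed package to the advisory ids covering its installed version."""
    hits = {}
    for name, version in installed.items():
        for adv in advisories.get("advisories", {}).get(name, []):
            if matches(version, adv["affectedVersions"]):
                hits.setdefault(name, []).append(adv["advisoryId"])
    return hits


def lowest_safe(name, installed_version, advisories, available):
    """Step 3: the smallest offered version >= installed that no advisory covers, or None."""
    advs = advisories.get("advisories", {}).get(name, [])
    for candidate in sorted(available.get(name, []), key=vtuple):
        if vtuple(candidate) < vtuple(installed_version):
            continue  # never downgrade to dodge an advisory
        if not any(matches(candidate, a["affectedVersions"]) for a in advs):
            return candidate
    return None


def plan(installed, advisories, available, force=False):
    """Build the fix plan: affected packages, new root constraints (only with force), update argv."""
    hits = audit(installed, advisories)
    constraints = {}
    if force:
        for name in hits:
            safe = lowest_safe(name, installed[name], advisories, available)
            if safe is not None:
                constraints[name] = "^" + safe  # assumption: caret constraint, as `composer require` writes
    # Step 4: a targeted update of the affected packages, not a blanket `composer update`.
    argv = ["composer", "update", *sorted(hits)] if hits else []
    return {"vulnerable": hits, "constraints": constraints, "command": argv}


def reaudit(installed, constraints, advisories):
    """Step 5: assume the update landed exactly on the chosen versions and audit again."""
    after = dict(installed)
    after.update({name: c.lstrip("^") for name, c in constraints.items()})
    return audit(after, advisories)


if __name__ == "__main__":
    fix = plan(INSTALLED, ADVISORIES, AVAILABLE, force=True)
    print(fix)
    print("still vulnerable after update:", reaudit(INSTALLED, fix["constraints"], ADVISORIES))
```

The vendor/orm entry shows why the plugin has to consider every advisory on a package at once: 2.3.4 closes the first advisory but still sits inside the second, so the lowest safe version is 2.4.0, not 2.3.4. Without --force the plan reports the affected packages and the targeted update command but leaves composer.json untouched, which is when a root constraint like ^2.3 can keep the update from reaching a safe release and the re-audit step still lists the package.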

Installation

Easy enough: install it as a global plugin and have it available everywhere. As with any Composer plugin, Composer will ask you to trust it (allow-plugins) before it runs.

composer global require innobrain/composer-fix