Security Advisories Laravel Package

roave/security-advisories

A dev-only Composer meta-package that blocks installation of dependency versions with known security vulnerabilities by declaring them as conflict rules. It ships no runtime code or API; it only makes Composer refuse insecure versions during composer require/update, keeping your PHP/Laravel supply chain safer.


Getting Started

Install the package as a dev dependency in your Laravel project:

composer require --dev roave/security-advisories

That’s it—no configuration needed. From now on, Composer will reject installation or updates of dependencies with known CVEs during composer require, composer update, or composer install. For example:

# This will now fail with a clear error
composer require laravel/framework:6.0.0

Verify it works by running:

composer update --dry-run roave/security-advisories

This triggers advisory checks without modifying your lock file.

Implementation Patterns

  • CI Enforcement: Include it in your composer.json’s require-dev and run composer install in CI without --no-dev. Failures block merging.
  • Pre-commit Hook: Add a script (e.g., via husky/pre-commit) to run composer update --dry-run and catch vulnerabilities before commits.
  • Dependency Alert Workflow: When Composer blocks a version, use the emitted CVE IDs (e.g., CVE-2022-1234) to cross-reference with GitHub Advisories or SCA tools like Dependabot.
  • Upgrade Coordination: Pair with Laravel’s official EOL schedule—use advisory failures as early warnings when upgrading to newer minor versions.
  • Team Onboarding: Document its role in your CONTRIBUTING.md: “We use automated security guards—don’t override without justification.”
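As an added example (not code from this page or from the roave project), the script below reproduces offline what Composer does with the package's conflict rules: it reads the "conflict" map and a composer.lock and reports every locked package whose version falls inside a blocked range. It is handy as a network-free pre-commit or CI check; the conflict bounds and lock entries are constructed sample data, not real advisory data, and only the operator/","/"|" constraint subset that the advisory package uses is parsed.

```python
import re

# Operators used in the advisory package's conflict constraints.
_CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b, "!=": lambda a, b: a != b}
_TOKEN = re.compile(r"^(<=|>=|!=|<|>|=)?\s*v?(\d+(?:\.\d+)*)$")

def normalize(version: str) -> tuple[int, ...]:
    """Map 'v6.0' / '6.0.0' to a 4-part tuple, like Composer's normalizer.
    Pre-release suffixes such as '-beta1' are dropped (a simplification)."""
    core = re.split(r"[-+@]", version.lstrip("v"))[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])

def matches(constraint: str, version: str) -> bool:
    """True if version lies inside constraint, i.e. a conflict rule blocks it.
    '|' separates OR alternatives; ',' joins AND clauses within one."""
    v = normalize(version)
    for alternative in constraint.split("|"):
        clauses = [c.strip() for c in alternative.split(",") if c.strip()]
        ok = bool(clauses)
        for clause in clauses:
            m = _TOKEN.match(clause)
            if not m:
                raise ValueError(f"unsupported constraint syntax: {clause!r}")
            if not _CMP[m.group(1) or "="](v, normalize(m.group(2))):
                ok = False
                break
        if ok:
            return True
    return False

def blocked_packages(composer_json: dict, composer_lock: dict) -> list:
    """Return (name, locked_version, rule) for each locked package a rule blocks."""
    conflicts = composer_json.get("conflict", {})
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            rule = conflicts.get(pkg["name"])
            if rule and matches(rule, pkg["version"]):
                hits.append((pkg["name"], pkg["version"], rule))
    return hits

# Constructed sample in the shape of the advisory package's "conflict" section;
# the bounds are illustrative, not the real advisory data.
SAMPLE_CONFLICTS = {"conflict": {
    "laravel/framework": "<6.20.14|>=7,<7.30.4|>=8,<8.22.1",
    "symfony/http-foundation": ">=2,<2.8.52|>=3,<3.4.35|>=4,<4.2.12"}}
SAMPLE_LOCK = {  # constructed composer.lock excerpt
    "packages": [{"name": "laravel/framework", "version": "v8.20.0"},
                 {"name": "symfony/http-foundation", "version": "v5.4.0"},
                 {"name": "monolog/monolog", "version": "2.3.5"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.0"}]}

if __name__ == "__main__":
    for name, version, rule in blocked_packages(SAMPLE_CONFLICTS, SAMPLE_LOCK):
        print(f"{name} {version} is inside conflict range {rule}")
```

To run it against a real project, load the advisory package's composer.json from vendor/roave/security-advisories and your own composer.lock with json.load and pass both to blocked_packages.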

Gotchas and Tips

  • Never install --no-dev for updates: Skipping dev dependencies bypasses the advisory checks entirely.
  • False positives are rare but possible: Advisory data may lag or misattribute versions (e.g., vague upper bounds). Before ignoring, verify via GitHub Advisory DB.
  • Update cadence matters: Advisory data updates weekly; run composer update roave/security-advisories monthly or tie it to your SCA review cycle.
  • No runtime overhead: It’s a meta-package with no autoloaded code—zero impact on Laravel’s runtime or performance.
  • Don’t silence prematurely: The config.allow-plugins.roave/security-advisories setting should only be used for documented, verified false positives (e.g., "roave/security-advisories": { "allow": ["*"] } in CI only).
  • Laravel-specific nuance: Some community packages (e.g., older Spatie packages) have known vulnerabilities—this package will block them, encouraging upgrades. Use composer require ... --no-plugins only for temporary debugging—not as a fix.