
Using Composer Audit to Manage Vulnerabilities in Your Laravel Application

Make sure you're not leaving your application vulnerable to attacks by regularly auditing your dependencies.

Michael Chen
April 12, 2023

Laravel applications rely heavily on third-party packages. While these packages speed up development, they can also introduce security vulnerabilities. A single outdated dependency can expose your application to critical risks such as SQL injection, remote code execution (RCE), or authentication bypass.

Understanding and managing these vulnerabilities is a challenge for many developers. In this post, we'll explore how to use Composer Audit to manage vulnerabilities in your Laravel application.

Understanding Composer Audit

Composer Audit (the composer audit command) is built into Composer, the dependency manager for PHP, since Composer 2.4. It reads the exact package versions recorded in your composer.lock, checks them against published security advisories (the Packagist advisory database by default), and prints a report of any vulnerable packages it finds.

To run a Composer Audit, you can use the following command:

composer audit

Found 2 vulnerabilities:

1. CVE-2024-5678 in symfony/http-foundation (version 5.4.0)
   - Severity: High
   - Description: Allows remote attackers to bypass request validation.
   - Fixed in: 5.4.5

2. CVE-2023-9101 in guzzlehttp/guzzle (version 6.5.0)
   - Severity: Medium
   - Description: SSRF vulnerability in HTTP request handling.
   - Fixed in: 6.5.3

Run `composer update symfony/http-foundation guzzlehttp/guzzle` to fix.

The report lists each vulnerable package, the advisory, its severity and the version that fixes it. You can then update the affected packages to a patched version, either one at a time or all at once. Keep in mind that composer update only moves within the version constraints declared in your composer.json: if the fixed version lies outside the constraint (for example, when the package is pinned to an exact version), you have to relax the constraint first.

Single Package Update

To update a single package, you can use the following command:

composer update vendor/package

For example, to update the laravel/framework package:

composer update laravel/framework

Bulk Package Update

To update all packages at once, you can use the following command:

composer update
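To make the update step concrete, here is an added Python script (not part of this post or of Composer itself) that replays the audit offline against a constructed composer.lock and composer.json, using the two advisories from the sample output above and treating every version below the fixed release as affected. For each finding it tells you whether a plain composer update can reach the fix or whether the composer.json constraint must be raised first; the constraint parser covers only exact pins, ^ and ~ ranges.

```python
import json

# Advisories from the sample audit output above: package -> (CVE, first fixed version).
# Simplification: every release below the fixed version is treated as affected.
ADVISORIES = {
    "symfony/http-foundation": ("CVE-2024-5678", "5.4.5"),
    "guzzlehttp/guzzle": ("CVE-2023-9101", "6.5.3"),
}
# Constructed composer.lock and composer.json fragments (not a real project).
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "symfony/http-foundation", "version": "v5.4.0"},
    {"name": "guzzlehttp/guzzle", "version": "6.5.0"},
    {"name": "laravel/framework", "version": "v10.6.1"},
]})
COMPOSER_JSON = json.dumps({"require": {
    "symfony/http-foundation": "5.4.0",  # exact pin: composer update cannot reach 5.4.5
    "guzzlehttp/guzzle": "^6.5",         # caret range: 6.5.3 is allowed
}})

def parse_version(text):
    """'v5.4.0' -> (5, 4, 0); leading 'v' ignored, release versions only."""
    return tuple(int(p) for p in text.lstrip("v").split(".")[:3])

def constraint_allows(constraint, version):
    """Subset of Composer syntax: exact, ^x.y(.z), ~x.y(.z). 0.x caret rules not handled."""
    pad = lambda t: t + (0,) * (3 - len(t))
    ver = pad(parse_version(version))
    if constraint[0] not in "^~":
        return ver == pad(parse_version(constraint))
    base = parse_version(constraint[1:])
    if constraint[0] == "^":
        upper = (base[0] + 1,)                  # ^1.2.3 -> >=1.2.3 <2.0.0
    else:
        upper = base[:-1] or base               # ~1.2.3 -> <1.3.0 ; ~1.2 -> <2.0
        upper = upper[:-1] + (upper[-1] + 1,)
    return pad(base) <= ver < pad(upper)

def audit(lock_json, composer_json):
    """Return {package: (cve, installed, fixed, update_reaches_fix)} for vulnerable packages."""
    require = json.loads(composer_json).get("require", {})
    findings = {}
    for pkg in json.loads(lock_json)["packages"]:
        adv = ADVISORIES.get(pkg["name"])
        if adv and parse_version(pkg["version"]) < parse_version(adv[1]):
            constraint = require.get(pkg["name"], "*")   # unconstrained if not a direct dependency
            reachable = constraint == "*" or constraint_allows(constraint, adv[1])
            findings[pkg["name"]] = (adv[0], pkg["version"], adv[1], reachable)
    return findings

if __name__ == "__main__":
    for name, (cve, installed, fixed, ok) in audit(COMPOSER_LOCK, COMPOSER_JSON).items():
        print(f"{cve}: {name} {installed} -> fixed in {fixed};",
              "composer update suffices" if ok else "composer.json constraint must be raised")
```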

When to run a Composer Audit

You should run composer audit regularly, ideally on a fixed schedule, and whenever your application's dependencies change. GitHub's built-in security tooling, Dependabot, can also be configured to check your Composer dependencies against known advisories on a regular basis.

Alternatively, you can add it to your CI/CD pipeline so that merges and deployments are blocked until the vulnerabilities have been fixed. Because composer audit exits with a non-zero status when it finds a vulnerability, a plain step that runs it is enough to fail the job, as in the following GitHub Actions workflow:

name: Security Check

on:
  push:
    branches:
      - main
      - develop
  pull_request:

jobs:
  security-check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist

      - name: Run Composer Audit
        run: composer audit