Stats
Actions
Tags
From acc
Analyzes PHP Composer dependencies for security vulnerabilities: detects CVEs, outdated packages, EOL versions, abandoned packages, risky constraints, and transitive risks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/acc:check-dependency-vulnerabilitiesThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze PHP project dependencies for security vulnerabilities.
Analyze PHP project dependencies for security vulnerabilities.
# Read composer.lock to get exact versions
cat composer.lock | jq '.packages[] | {name, version}'
# Check for outdated packages
composer outdated --direct
# Security audit
composer audit
| Package | Vulnerable Versions | Issue | CVE |
|---|---|---|---|
| symfony/http-kernel | < 4.4.50 | Request smuggling | CVE-2022-24894 |
| guzzlehttp/guzzle | < 7.4.5 | Header injection | CVE-2022-31090 |
| doctrine/dbal | < 2.13.9 | SQL injection | CVE-2021-43608 |
| laravel/framework | < 8.83.27 | SQL injection | CVE-2022-44268 |
| phpseclib | < 3.0.14 | RCE | CVE-2023-27560 |
| twig/twig | < 2.15.3 | SSTI | CVE-2022-39261 |
| phpmailer/phpmailer | < 6.5.0 | XSS | CVE-2021-34551 |
| monolog/monolog | < 2.7.0 | RCE via SMTP | CVE-2022-29244 |
// CRITICAL: EOL PHP versions
// PHP 7.4 - EOL November 2022
// PHP 8.0 - EOL November 2023
// Check supported versions:
// PHP 8.1 - Security fixes until December 2025
// PHP 8.2 - Security fixes until December 2026
// PHP 8.3 - Security fixes until December 2027
// composer.json - Risky version constraints
{
"require": {
"vendor/package": "*", // CRITICAL: Any version
"vendor/package": ">=1.0", // VULNERABLE: Too permissive
"vendor/package": "^1.0", // OK: Semver constraint
"vendor/package": "1.2.3", // Best: Exact version
"vendor/package": "dev-main" // CRITICAL: Unstable
}
}
# Check for abandoned packages
composer show --abandoned
# Common abandoned packages to replace:
# phpunit/dbunit → Use fixtures
# zendframework/* → laminas/*
# swiftmailer/swiftmailer → symfony/mailer
# paragonie/random_compat → Use random_bytes() (PHP 7+)
# Check dependency tree
composer depends vendor/package
# Find why a vulnerable package is included
composer why vendor/vulnerable-package
# composer.json with wildcard versions
Grep: '"\\*"|"dev-|">=|">' --glob "**/composer.json"
# Known vulnerable package names
Grep: "guzzlehttp/guzzle|symfony/http-kernel|doctrine/dbal" --glob "**/composer.lock"
# EOL PHP version
Grep: '"php":\s*"[^"]*7\.[0-4]|"php":\s*"[^"]*8\.0' --glob "**/composer.json"
| Pattern | Severity |
|---|---|
| Known CVE with exploit | 🔴 Critical |
| EOL PHP version | 🔴 Critical |
| Abandoned package with issues | 🟠 Major |
| Outdated with security fixes | 🟠 Major |
| Wildcard version constraint | 🟡 Minor |
# Check what will be upgraded
composer update --dry-run
# Update specific package
composer update vendor/package --with-dependencies
# Update all packages
composer update
# After update, run tests
./vendor/bin/phpunit
{
"require": {
// Good: Specific minor version
"vendor/package": "^2.5",
// Best: Lock to patch version in production
"vendor/package": "2.5.3"
}
}
# Always commit composer.lock
git add composer.lock
# Use consistent platform
composer config platform.php 8.2
# Audit before deploy
composer audit --locked
### Vulnerable Dependency: [package-name]
**Severity:** 🔴/🟠/🟡
**Current Version:** 1.2.3
**Fixed Version:** 1.2.4
**CVE:** CVE-2024-XXXX
**Issue:**
[Description of the vulnerability]
**Risk:**
[What an attacker can do]
**Location:**
- `composer.lock:line` (direct dependency)
- Required by: `other/package`
**Fix:**
```bash
composer update vendor/package
Workaround (if upgrade not possible): [Temporary mitigation]
## Automated Scanning
### GitHub Dependabot
```yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
# In CI pipeline
- name: Security Audit
run: composer audit --format=json > audit.json
- name: Check for vulnerabilities
run: |
if [ -s audit.json ]; then
cat audit.json
exit 1
fi
composer audit in CI/CDnpx claudepluginhub dykyi-roman/awesome-claude-code --plugin accSafe, systematic Composer dependency updates with patch/minor/major strategies, security audits, lock file hygiene, and changelog-first workflow.
Audits dependencies for vulnerabilities, outdated versions, transitive issues, and licenses in Node.js, Python, PHP, Ruby, Go, and Rust projects using npm audit, pip-audit, and equivalents.
Audits project dependencies from package.json, requirements.txt, go.mod, Gemfile for CVEs, outdated packages, transitive issues, licenses, and supply chain risks. Provides severity assessments, remediation suggestions, and prioritized reports.