Up-to-Date Dependencies Analyzer

Analyzer ID	Category	Severity	Time To Fix
`up-to-date-dependencies`	🛡️ Security	Medium	60 minutes

What This Checks

Runs composer install --dry-run (with and without --no-dev) to detect pending updates within your declared version constraints.
Warns when composer.lock is missing so you don’t lose reproducible builds.
Differentiates between production-only updates and dev-only updates for precise severity and recommendation messaging.
Surfaces actionable metadata (scope, command used) so you know exactly what to run next.

Security patches land in point releases: if you never run composer update, you miss CVE fixes even when they’re compatible with your constraints.
Reproducible builds: keeping lock files fresh prevents “works on my machine” bugs and deployment drift.
CI hygiene: dev dependencies (linters, test frameworks) still impact your ability to catch regressions early.
Compliance and audits: many review checklists require proving dependencies stay within a supported version window.

bash

composer update --no-dev

bash

composer update

Commit the updated composer.lock so teammates and CI run with the same versions.

Schedule regular updates: add a weekly/biweekly task (or CI pipeline) that runs composer update and opens a PR with the diff.
Review the changelog: before merging, skim release notes for breaking changes or manual migration steps.
Pin risky packages: if a dependency frequently ships breaking patches, constrain it more tightly (e.g., ^2.4.3).
Combine with security scanning: run composer audit or a SaaS scanner (like ShieldCI’s own vulnerable dependency analyzer) immediately after updating.
Automate notifications: if this analyzer reports failures, wire it into Slack/Email so the team can act quickly.