Vulnerable Dependencies Analyzer

Analyzer ID	Category	Severity	Time To Fix
`vulnerable-dependencies`	🛡️ Security	Critical	60 minutes

What This Checks

Reads composer.lock and your dev dependencies to detect abandoned packages and missing lock files.
Queries OSV (Open Source Vulnerability) for each Composer package/version via batch API.
Flags every package with recorded CVEs/advisories and annotates severity, CVE, and upgrade guidance.
Highlights abandoned packages (including those under packages-dev) and suggests replacements.

Actively exploited CVEs: Packagist libraries receive coordinated disclosures—ignoring them leads to remote code execution, SQL injection, or privilege escalation.
Transitive exposure: You may not be aware of a vulnerable subdependency; OSV catches both direct and transitive hits because it analyzes the lock file.
Abandoned libraries: Packages without maintainers never receive patches, forcing you to fork or replace them before a vulnerability is published.
Compliance: Security questionnaires often require proof that you monitor upstream CVEs; this analyzer produces that evidence.

bash

composer audit

bash

composer update vendor/package

If the package is abandoned, follow the recommendation to replace it and commit the updated composer.lock.

Review each advisory: read the linked CVE/advisory summary to confirm impact and any manual remediation steps.
Pin patched versions: adjust composer.json constraints so patched releases remain within your allowed range (e.g., ^3.2.1).
Add regression tests: if the upgrade touches sensitive areas, write smoke tests before deploying.
Remove or fork abandoned packages: if no drop-in replacement exists, fork the package, apply patches, and reference your fork explicitly.
Automate: add composer audit (or this analyzer) to CI so regressions get caught before merges.