Skip to content

Releases: innobraingmbh/composer-fix

Release list

v1.0.0

Choose a tag to compare

@kauffinger kauffinger released this 07 Jul 18:53
Immutable release. Only release title and notes can be modified.
98cef8d

The first stable release of composer-fix — a Composer plugin that fixes known vulnerabilities like npm audit fix. It audits installed packages and updates the ones with published security advisories to a version that is no longer affected.

composer global require innobrain/composer-fix
composer fix

Features

  • composer fix — audits installed packages against your repositories' advisories (Packagist by default) and runs a targeted composer update on the affected ones, staying within your existing composer.json constraints.
  • --force — rewrites affected root constraints to the lowest safe version before updating, the smallest bump that removes the vulnerability (like npm audit fix --force). The bump is patch-level (e.g. ^5.4.20) so it also excludes the vulnerable lower versions.
  • --dry-run — previews the plan without touching composer.json, the lock file, or vendor/.
  • -w / -W — also update the dependencies of affected packages (--with-dependencies / --with-all-dependencies).
  • --no-dev — filters require-dev packages out of the audit without changing your installed dev/no-dev vendor state.
  • --ignore-unreachable — tolerates repositories that are unreachable or return a non-200.

Highlights

  • Pool-filter aware. Both the update and --force selection go through Composer's normal pool creation, so a plugin that prunes the pool — such as soak-time — also prunes what composer fix considers. If the only safe version is held back, --force reports it and leaves composer.json unchanged instead of bumping to a version that won't resolve.
  • CI-friendly exit codes. Exits 0 when every advisory is resolved and 1 when packages remain vulnerable after the update, so pipelines fail on unfixed advisories.
  • Safe by default. A package whose safe version is out of range is reported as still vulnerable rather than silently changed; a failed --force update restores composer.json and the lock file.

Requirements

  • PHP 8.1+
  • Composer 2.9+

Full Changelog: https://github.com/innobraingmbh/composer-fix/commits/v1.0.0

v0.1.0

Choose a tag to compare

@kauffinger kauffinger released this 18 Jun 08:38
Immutable release. Only release title and notes can be modified.
f66923d