Laravel Radar is a lightweight dependency health dashboard and notifier for Laravel applications.
Radar scans Composer and NPM dependencies, stores a snapshot, and highlights:
- vulnerable packages
- outdated direct dependencies
- abandoned Composer packages
- practical, conservative next steps
Radar is intentionally read-only. It reports dependency health and suggests commands, but it does not update dependencies, edit lock files, commit changes, or deploy code for you.
- PHP 8.3+
- Laravel 12 or 13
- Composer
- Node/NPM available when scanning JavaScript dependencies
Install Radar with Composer:

```bash
composer require joshdonnell/radar
```

Publish Radar's config file, migration, and dashboard assets:

```bash
php artisan radar:install
```

Run the migration:

```bash
php artisan migrate
```

Run a dependency scan:

```bash
php artisan radar:scan
```

Open the dashboard at:

```
/radar
```

The dashboard path can be changed with:

```env
RADAR_PATH=internal/radar
```

Radar's dashboard is enabled outside production by default and disabled in production by default. Production applications can still run scans and send notifications. Only enable the dashboard in production when it is protected by trusted authentication and authorization.

```env
RADAR_DASHBOARD_ENABLED=true
```

Radar currently ships these Artisan commands:
```bash
php artisan radar:scan
php artisan radar:notify
php artisan radar:clear
```

Scans application dependencies and stores a Radar snapshot.

```bash
php artisan radar:scan
```

Scan a different project path:

```bash
php artisan radar:scan --path=/path/to/app
```

Sends deduplicated vulnerability notifications for the latest stored scan.

```bash
php artisan radar:notify
```

Run a fresh scan before notifying:

```bash
php artisan radar:notify --scan
```

Notifications are only sent when vulnerabilities exist and at least one notification route is configured.

Clears stored Radar scan history.

```bash
php artisan radar:clear
```

Skip the confirmation prompt:

```bash
php artisan radar:clear --force
```

The dashboard shows the latest stored scan, including:
- health score
- latest scan time
- Composer and NPM package inventory
- vulnerability findings
- outdated direct dependency findings
- abandoned Composer package findings
- suggested safe commands or review steps where Radar can infer them
Radar uses Laravel Notifications. Your application still owns the normal mail and Slack transport configuration; Radar only stores the on-demand notification routes it should target.
Configure mail recipients:

```env
RADAR_NOTIFICATION_MAIL_TO=security@example.com,dev@example.com
```

Configure Slack:

```env
RADAR_NOTIFICATION_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
```

Send notifications manually:

```bash
php artisan radar:notify
```

Or scan first, then notify:

```bash
php artisan radar:notify --scan
```

Repeated notifications for the same vulnerability finding set are deduplicated for the configured TTL:

```env
RADAR_NOTIFICATION_DEDUPE_TTL=86400
```

Radar preconfigures a nightly scheduled `radar:notify --scan` run at 02:00, so each notification run starts with a fresh scan.
Your application still needs Laravel's scheduler running in production, usually via a cron entry that runs `php artisan schedule:run` every minute.
Customize or disable Radar's built-in schedule:

```env
RADAR_NOTIFICATION_SCHEDULE_ENABLED=true
RADAR_NOTIFICATION_SCHEDULE_TIME=02:00
RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=Europe/London
```

Radar checks the configured gate outside local environments before serving the dashboard.
Define the gate in your application, for example:

```php
use Illuminate\Support\Facades\Gate;

Gate::define('viewRadar', fn ($user = null): bool => $user?->is_admin === true);
```

If you publish the config, you can change the gate name by editing the `authorization.gate` value in `config/radar.php`.
Publish the configuration file with:

```bash
php artisan vendor:publish --tag="radar-config"
```

Useful environment variables:
```env
RADAR_ENABLED=true
RADAR_PATH=radar
RADAR_DASHBOARD_ENABLED=false
RADAR_DB_CONNECTION=sqlite
RADAR_PRUNE_DAYS=30
RADAR_COMMAND_TIMEOUT=60
RADAR_NOTIFICATION_MAIL_TO=security@example.com
RADAR_NOTIFICATION_SLACK_WEBHOOK_URL=
RADAR_NOTIFICATION_DEDUPE_TTL=86400
RADAR_NOTIFICATION_SCHEDULE_ENABLED=true
RADAR_NOTIFICATION_SCHEDULE_TIME=02:00
RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=
```

See the configuration documentation for the full config reference.
Radar reads dependency information from package manager files and installed package metadata.
Composer support includes:
- package inventory from `composer.lock`
- fallback inventory from `vendor/composer/installed.json`
- vulnerability findings from `composer audit --format=json`
- outdated direct dependencies from Composer's outdated output
- abandoned package metadata from Composer package data
NPM support includes:
- package inventory from `package-lock.json`
- fallback direct package inventory from `node_modules/*/package.json`
- vulnerability findings from `npm audit --json`
- outdated direct dependencies from NPM's outdated output
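
The TTL-based deduplication described under notifications, applied to findings taken from the two audit reports listed above, as an added example that is not Radar's own code. The page does not document how Radar fingerprints a finding set, so the helper names (`findings`, `fingerprint`, `shouldNotify`) and the in-memory store are assumptions, and the JSON is constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample reports, shaped like `composer audit --format=json`
// and `npm audit --json` output. Package names and ids are made up.
$composerReport = '{"advisories":{"acme/http-client":[{"advisoryId":"EXAMPLE-0001",'
    . '"packageName":"acme/http-client","affectedVersions":">=1.0,<1.4.2"}]}}';
$npmReport = '{"auditReportVersion":2,"vulnerabilities":{"example-parser":'
    . '{"name":"example-parser","severity":"high","range":"<2.1.0"}}}';

/** Flatten both reports into "ecosystem|package|detail" strings (hypothetical helper). */
function findings(string $composerReport, string $npmReport): array
{
    $rows = [];
    $composer = json_decode($composerReport, true, 512, JSON_THROW_ON_ERROR);
    foreach ($composer['advisories'] ?? [] as $package => $advisories) {
        foreach ($advisories as $advisory) {
            $rows[] = "composer|{$package}|" . ($advisory['advisoryId'] ?? '');
        }
    }
    $npm = json_decode($npmReport, true, 512, JSON_THROW_ON_ERROR);
    foreach ($npm['vulnerabilities'] ?? [] as $package => $entry) {
        $rows[] = "npm|{$package}|" . ($entry['severity'] ?? '') . '|' . ($entry['range'] ?? '');
    }
    return $rows;
}

/** Order-independent fingerprint of a finding set (hypothetical helper). */
function fingerprint(array $rows): string
{
    $rows = array_values(array_unique($rows));
    sort($rows, SORT_STRING);
    return hash('sha256', implode("\n", $rows));
}

/** True when findings exist and this set was not already sent within $ttl seconds. */
function shouldNotify(array &$sentAt, array $rows, int $now, int $ttl): bool
{
    $key = fingerprint($rows);
    if ($rows === [] || (isset($sentAt[$key]) && $now - $sentAt[$key] < $ttl)) {
        return false;
    }
    $sentAt[$key] = $now;
    return true;
}

$sentAt = [];   // assumption: in-memory store standing in for a cache or database
$ttl = 86400;   // the RADAR_NOTIFICATION_DEDUPE_TTL value shown on this page
$rows = findings($composerReport, $npmReport);
var_dump(shouldNotify($sentAt, $rows, 0, $ttl));                   // first sighting
var_dump(shouldNotify($sentAt, array_reverse($rows), 3600, $ttl)); // same set, inside TTL
var_dump(shouldNotify($sentAt, $rows, $ttl, $ttl));                // TTL elapsed
var_dump(shouldNotify($sentAt, [], $ttl + 1, $ttl));               // no vulnerabilities
```

Because the fingerprint covers the whole set, a newly reported advisory changes the key and is notified even while an earlier set is still inside its TTL window.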
Radar detects the JavaScript package manager from the project lock file and uses that runner when suggesting safe NPM update commands.
| Lock file | Runner | Example recommendation |
|---|---|---|
| `package-lock.json` | npm | `npm update vite` |
| `npm-shrinkwrap.json` | npm | `npm update vite` |
| `yarn.lock` | Yarn | `yarn up vite` |
| `pnpm-lock.yaml` | pnpm | `pnpm update vite` |
| `bun.lock` | Bun | `bun update vite` |
| `bun.lockb` | Bun | `bun update vite` |
If no known lock file exists, Radar falls back to npm.
Run the PHP checks:

```bash
composer test
```

Run frontend checks while working on dashboard assets:

```bash
npm run test:lint
npm run test:types
npm run build
```

Laravel Radar is open-sourced software licensed under the MIT license.
