
Linux command

composer-audit command

Text

After copying, replace file names, directories, or arguments as needed.

Common examples

Audit dependencies

composer audit

Audit in JSON format

composer audit --format=json

Audit the versions locked in composer.lock (exits with an error code if advisories are found)

composer audit --locked

Description

composer audit performs security vulnerability scanning for PHP dependencies by querying the official Packagist security advisories database. Introduced in Composer 2.4, it provides a built-in mechanism to identify packages with known security issues, eliminating the need for third-party security scanning tools. The command analyzes both composer.json requirements and the locked versions in composer.lock, reporting any packages that have published Common Vulnerabilities and Exposures (CVE) entries or security advisories. Results include the vulnerability severity, affected versions, and recommended remediation steps. This functionality mirrors npm audit for JavaScript and bundle audit for Ruby, providing PHP developers with a standardized way to maintain secure dependency chains. It's particularly valuable in CI/CD pipelines where automated security checks help prevent vulnerable code from reaching production.
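As an added example (not Composer's own code), the following Python CI gate parses `composer audit --format=json` output and fails the job only for advisories at or above a chosen severity, while still listing every finding. The JSON field names (`advisories`, `advisoryId`, `severity`) are assumed from Composer's JSON output format, the `SAMPLE_OUTPUT` document is constructed, and its advisory id is a placeholder.

```python
"""Gate a CI job on composer audit JSON output (added example; field names assumed)."""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of the JSON shape; in CI, use real audit output instead.
SAMPLE_OUTPUT = json.dumps({
    "advisories": {
        "vendor/example-lib": [{
            "advisoryId": "PKSA-placeholder-1",
            "packageName": "vendor/example-lib",
            "affectedVersions": ">=1.0,<1.4.2",
            "title": "Placeholder advisory title",
            "cve": None,
            "link": "https://example.invalid/advisory",
            "severity": "high",
        }]
    },
    "abandoned": {},
})

def run_audit(cmd=("composer", "audit", "--locked", "--format=json")):
    """Run the audit and return its stdout. Composer exits non-zero when
    advisories exist, so a non-zero status is expected, not a crash."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def evaluate(audit_json, threshold="high"):
    """Return (findings, blocking). findings: list of (package, advisoryId,
    severity). blocking: True if any advisory is at or above threshold;
    a missing or unknown severity also blocks, so a gap never hides a hit."""
    data = json.loads(audit_json)
    findings, blocking = [], False
    for package, advisories in data.get("advisories", {}).items():
        for adv in advisories:
            sev = (adv.get("severity") or "unknown").lower()
            findings.append((package, adv.get("advisoryId"), sev))
            if SEVERITY_RANK.get(sev, 99) >= SEVERITY_RANK[threshold]:
                blocking = True
    return findings, blocking

if __name__ == "__main__":
    raw = run_audit() if "--live" in sys.argv[1:] else SAMPLE_OUTPUT
    found, block = evaluate(raw)
    for pkg, aid, sev in found:
        print(f"{sev:<8} {pkg} {aid}")
    sys.exit(1 if block else 0)
```

Run with `--live` inside a project that has a composer.lock to gate on real output; without it the script exercises the constructed sample.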

Options

--format _format_
Output format: table, plain, json, summary.
--locked
Audit packages from composer.lock.
--no-dev
Ignore development dependencies.

FAQ

What is the composer-audit command used for?

composer audit scans a project's PHP dependencies against the official Packagist security advisories database and reports any package with a known CVE entry or security advisory, including severity, affected versions, and remediation guidance. Built into Composer since version 2.4, it is the PHP counterpart of npm audit and bundle audit and is typically run in CI/CD pipelines to block vulnerable dependencies before they reach production.

How do I run a basic composer-audit example?

Run `composer audit` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does --format _format_ do in composer-audit?

Output format: table, plain, json, summary.