Preventing Installing Composer Dependencies with Known Security Vulnerabilities

Ash Allen
4 min readJan 11, 2023

--

Introduction

A key piece of building modern-day web applications with PHP involves using packages and libraries built by other developers around the world.

As a result of this, it means there can be a lot of moving pieces that you don’t always have control over. So it can be possible for you to install dependencies in your PHP projects that have known vulnerabilities. Whether the vulnerabilities be bugs that were accidentally introduced, or supply-chain attacks that were intentionally added.

To reduce the chance of introducing vulnerable dependencies into your projects, you can use tools such as “ Roave Security Advisories” ( roave/security-advisories).

So in this Quickfire article, we’re going to discuss how you can use Roave Security Advisories to prevent you from installing Composer dependencies with known security vulnerabilities into your PHP projects.

What is Roave Security Advisories?

Security Advisories is a Composer package by Roave that stops you from being able to install other Composer dependencies that have known vulnerabilities.

It’s really simple to start using (we’ll take a look at that a bit further down).

The package doesn’t really contain any actual PHP code, and instead is mainly just a composer.json file that causes conflicts in Composer when trying to install vulnerable dependencies.

There are other tools out there, such as Enlightn and Dependabot, that help you to detect dependencies in your project with security vulnerabilities. But I’d like to think of these types of tools more as being “reactive”. By that, I mean that they can alert you of vulnerable dependencies after you’ve installed them in your project. This can result in you introducing potential security holes into your applications without being aware at first. This is by no means a discredit to any of these types of tools though. Vulnerabilities are always being discovered in frameworks, packages, and libraries. So being able to detect them is a great way to stay on top of your project’s security.

However, Security Advisories is a little bit different and can be treated as more of a “proactive” tool. By this, I mean that it actually stops you from being able to install dependencies with known vulnerabilities in the first place. But it can also be used as an auditing tool to “reactively” detect vulnerable dependencies already installed in your application.

It’s worth remembering that the package will only prevent you from installing dependencies with known vulnerabilities. So this means it is still possible to install vulnerable packages if the vulnerabilities haven’t yet been detected and documented.

How to Use Roave Security Advisories

To get started with using Security Advisories, you can add it as require-dev dependency in your project by running the following command in your project root:

1 composer require --dev roave/security-advisories:dev-latest

If you aren’t currently using any dependencies that have known vulnerabilities, roave/security-advisories should now be successfully installed. However, if you do have any vulnerable packages, the installation will fail and show you which package is causing the issue.

Now, whenever you run composer require or composer update, if any of the packages that are being installed or updated have known vulnerabilities, Security Advisories will prevent the install and force Composer to throw an error.

As an example, let’s imagine that we want to install a version of Laravel (8.22.1) that has a known vulnerability. If we were to run composer require laravel/framework:8.22.1, Composer would output the following in our terminal:

./composer.json has been updated

Running composer update roave/security-advisories

Loading composer repositories with package information

Updating dependencies

Your requirements could not be resolved to an installable set of packages.

Problem 1

- laravel/framework is locked to version v8.22.1 and an update of this package was not requested.

- roave/security-advisories dev-latest conflicts with illuminate/database <6.20.26|>=7,<7.30.5|>=8,<8.40 (laravel/framework v8.22.1 replaces illuminate/database self.version).

- Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

As you can see, Security Advisories prevented this version of laravel/framework from being installed.

It’s important to remember that these checks are only run when running the composer require and composer update commands. So if you just run composer install and have a valid composer.lock file, it won't detect any vulnerabilities in your dependencies.

However, if you want to check your current dependencies for any vulnerabilities that may have been discovered since you last updated your dependencies, you can run the following command:

composer update --dry-run roave/security-advisories

This will perform a dry run of updating your dependencies but not actually make any changes to your vendor files.

Because of the nature of the package and how it works, there aren’t any tagged versions of it. This means you’ll need to keep using the dev-latest version so that each time you update the package, you'll get an updated list of vulnerable dependencies.

Conclusion

Hopefully, this post should have shown you how you can start using Roave Security Advisories in your PHP projects to prevent you from installing dependencies with known security vulnerabilities.

If you enjoyed reading this post, I’d love to hear about it. Likewise, if you have any feedback to improve the future ones, I’d also love to hear that too.

You might also be interested in checking out my 220+ page ebook “ Battle Ready Laravel” which covers similar topics in more depth.

If you’re interested in getting updated each time I publish a new post, feel free to sign up for my newsletter.

Keep on building awesome stuff! 🚀

Originally published at https://ashallendesign.co.uk.

--

--

Ash Allen
Ash Allen

Written by Ash Allen

I’m a Laravel web developer based in the UK. I specialise in building websites and systems for small businesses to help them grow and increase their sales.