Security advisories as a simple composer exclusion list, updated daily

Last update: Jun 23, 2022

Roave Security Advisories

Hourly build Downloads

This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

Installation

composer require --dev roave/security-advisories:dev-latest

Usage

This package does not provide any API or usable classes: its only purpose is to prevent installation of software with known and documented security issues. Simply add "roave/security-advisories": "dev-latest" to your composer.json "require-dev" section and you will not be able to harm yourself with software with known security vulnerabilities.

For example, try following:

composer require --dev roave/security-advisories:dev-latest
# following commands will fail:
composer require symfony/symfony:2.5.2
composer require zendframework/zendframework:2.3.1 

The checks are only executed when adding a new dependency via composer require or when running composer update: deploying an application with a valid composer.lock and via composer install won't trigger any security versions checking.

You can manually trigger a version check by using the --dry-run switch on an update while not doing anything. Running composer update --dry-run roave/security-advisories is an effective way to manually trigger a security version check.

roave/security-advisories for enterprise

Available as part of the Tidelift Subscription.

The maintainers of roave/security-advisories and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.

You can also contact us at [email protected] for looking into security issues in your own project.

Stability

This package can only be required in its dev-latest version: there will never be stable/tagged versions because of the nature of the problem being targeted. Security issues are in fact a moving target, and locking your project to a specific tagged version of the package would not make any sense.

This package is therefore only suited for installation in the root of your deployable project.

Sources

This package extracts information about existing security issues in various composer projects from the FriendsOfPHP/security-advisories repository and the GitHub Advisory Database.

GitHub

https://github.com/Roave/SecurityAdvisories
Comments
  • 1. drupal/entity marked insecure?

    I see that since yesterday you've added Drupal Contrib Modules to your great package.

    I like that, but it currently breaks my composer on all my D8-projects, because all versions of drupal/entity are marked as unsafe:"drupal/entity": ">=1,<1.9"

    At least the latest (1.0-rc1) version has been found safe by the Drupal Security Team: https://www.drupal.org/project/entity

    Reviewed by Boegie at 2019-02-23 13:04
  • 2. Latest commit conflicts with symfony/framework-bundle: 4.4.*

    Hello.

    We are still using symfony 4.4.* on our project, but commit https://github.com/Roave/SecurityAdvisories/commit/94a98d36257ecb87064ae581a2e04b381119ac57 (latest commit currently) conflicts with all versions symfony/framework-bundle from 4.4 branch (branch 4.4 still maintained https://symfony.com/releases/4.4). I suppose that this is because of https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms, but this is relates to package with verions 5 and 6.

    Would you be so kind to clarify, why do you have this in composer.json? Would you be so kind to fix this?

    Thank you in advance.

    Reviewed by vkhramtsov at 2022-02-01 07:19
  • 3. laravel/laravel is not a valid package to include

    https://github.com/Roave/SecurityAdvisories/commit/bc10788e8d1fc3c962d92faa2442bd1852c08c03#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34R139 is not a valid inclusion in this package because it is unactionable and prevents existing Laravel projects from updating their dependencies while requiring this package.

    The inclusion of that line stems from https://github.com/advisories/GHSA-246r-r2wf-frhx which is a security advisory about a weak default value in the laravel/laravel project demo / template repository. The problem stems from the fact that laravel/laravel is not a dependency that is pulled into other projects, it is instead a base point that other projects start from.

    This causes issues with a large amount of existing (and new) Laravel projects because most people don't change the name property in their project's composer.json file, meaning that a significant number of projects out there have name: laravel/laravel in their composer.json files, which means that this package will (falsely) now conflict with their very own project's composer.json file.

    The specific error message presented to users in the above case is the following:

    Problem 1
        - laravel/laravel is present at version 1.0.0+no-version-set and cannot be modified by Composer
        - roave/security-advisories dev-master conflicts with roave/security-advisories dev-master.
        - Root composer.json requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    
    Reviewed by LukeTowers at 2021-09-02 17:31
  • 4. Conflict with typo3-cms

    typo3/cms-core v10.4.19 conflicts with roave/security-advisories dev-latest.

    I can't update my TYPO3 since the new security releases are online.

    Is this a bug from roave or TYPO3?

    Reviewed by Bonnography at 2021-08-12 07:16
  • 5. Optimize duplicate conflicting versions

    When a package has several vulnerabilities, the generated conflict constraint may be much more complex than necessary. See for instance the rule for FOSUserBundle (much simpler than the symfony one):

    >=1.2.0,<1.2.1|>=1.2.0,<1.2.4|>=1.2.0,<1.3.0|>=1.3.0,<1.3.5|>=1.2.0,<1.2.5|>=1.3.0,<1.3.3
    

    The third constraint is a superset of the first 2 ones (and of the 5th one). Deduplicating constraints would make the dependency resolution much easier for Composer later.

    Reviewed by stof at 2015-01-27 19:11
  • 6. "composer outdated" command reports this package as outdated in CI jobs

    Since there are no stable releases, only dev-master, our CI jobs are failed in weird way.

    When I run composer outdated --direct --minor-only --strict locally, I have 0 exit code and everything is OK. In Gitlab CI job I get:

    roave/security-advisories dev-master ! dev-master 6acf968 Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
    

    AFAIS 6acf968 is latest commit and we have it in composer.lock so I don't get why COmposer complains about it.

    Anyway, do you consider providing stable releases? This shouldn't add much to maintaining time (just create tags) and it would bring added value:

    • Do not depend on unstable package (dev-master) in projects
    • composer outdated would report this package in the same way like others

    If all tags would be in 1.x branch, constraint ~1.0 would work the same as dev-master. So this is only up to maintainers it they want to provide tags (releases).

    Reviewed by Wirone at 2018-12-04 10:19
  • 7. [Feature Request] improve usability for CI cases when SecurityAdvisories is pulled in by a dependency

    Today the Travis tests for one of my bundles started failing with no apparent reason in its code (log: https://travis-ci.org/kaliop-uk/ezmigrationbundle/jobs/395645840 )

    The travis log tells me that composer failed to install the dependencies - but in a quite non obvious way, as the offending package is listed as being 'roave/security-advisories dev-master', instead of the one that SecurityAdvisories conflicts with.

    It might well be that this is rather a composer problem with not giving more detailed information about the conflict - but in the current situation it is hard for me to find out which package prevents composer to achieve an installation, as the list of dependencies is huge.

    It is also not as easy to simply 'not include SecurityAdvisories' in the composer.json that I use for Travis tests, as it is in fact pulled in by a dependency (my bundle is a plugin for a cms, and it pulls in the cms as dependency when running its test suite. The cms seems to be the one now including SecurityAdvisories).

    And all things considered, I'd rather still run my tests against a complete matrix of versions of the supported core system, even though some of those might now be known to have security issues.

    It would be nice to have at least some tips for working around this situation in the Readme file...

    Reviewed by gggeek at 2018-06-22 22:06
  • 8. Why was ignition 1.x removed from the conflict exception?

    Change/blame seen here: https://github.com/Roave/SecurityAdvisories/blame/bac54e18ee767f065d88b81c8517fb21cd6414ab/composer.json#L98

    Was changed in commit: https://github.com/Roave/SecurityAdvisories/commit/bad3752fd78f4a07acb24e56fec0366aa711f150

    I'm not quite seeing any recent change in https://github.com/FriendsOfPHP/security-advisories/tree/master/facade/ignition

    Had a little monologue about it here šŸ˜…: https://twitter.com/HenkPoley/status/1460186738689773569

    It currently blocks installing Laravel 6.x for me. Which is still in security support for about a year, so I'd be surprised if there actually was an unfix{ed,able} problem.

    Reviewed by HenkPoley at 2021-11-15 12:39
  • 9. How to integrate into existing project?

    I'm on an old project and would like to add this tool. However, I'm getting this result:

    $ composer require --dev roave/security-advisories:dev-master
        1/2:	http://packagist.org/p/provider-latest$272b2375b59d963722fae33cda2f21391d74cabff9314e72be645ef506ffb148.json
        2/2:	http://packagist.org/p/provider-2018-10$e848d0ea86ecaa3b0f19d91a3e0c77a2ace231a51e677fdfbe6425d20a82ece2.json
        Finished: success: 2, skipped: 0, failure: 0, total: 2
    ./composer.json has been updated
    Loading composer repositories with package information
    Updating dependencies (including require-dev)
    Your requirements could not be resolved to an installable set of packages.
    
      Problem 1
        - Installation request for ā€¦ -> satisfiable by ā€¦.
        - roave/security-advisories dev-master conflicts with ā€¦.
        - Installation request for roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master].
    
    
    Installation failed, reverting ./composer.json to its original content.
    

    The composer why-not is not helpful either.

    $ composer why-not --recursive roave/security-advisories dev-master
    
    
      [InvalidArgumentException]
      Could not find package "roave/security-advisories" in your project
    
    
    prohibits [-r|--recursive] [-t|--tree] [--] <package> [<constraint>]
    

    Is there any known way to handle this situation? I mean something more useful and precise other than "just update everything".

    Reviewed by havvg at 2019-01-03 16:12
  • 10. Documented dry run command does not check locked dependencies

    The README states that the following command is sufficient to manually trigger a security version check (see #59).

    composer update --dry-run roave/security-advisories
    

    This does not seem to work however.

    I made an example repository (https://github.com/pixelbrackets/SecurityAdvisoriesTest/) with the TYPO3 CMS locked to version 10.4.5. The skeleton project has the core package Ā»typo3/cms-coreĀ« as dependency. And I added Ā»roave/security-advisoriesĀ« as dependency as well.

    composer show typo3/cms-core
    name     : typo3/cms-core
    descrip. : The core library of TYPO3.
    keywords : 
    versions : * v10.4.5
    
    composer show roave/security-advisories
    name     : roave/security-advisories
    descrip. : Prevents installation of composer packages with known security vulnerabilities: no API, simply require it
    keywords : 
    versions : * dev-master
    

    A new TYPO3 version 10.4.6, containing security fixes, was released today: https://packagist.org/packages/typo3/cms-core#v10.4.6

    The version constraint is already merged into Ā»roave/security-advisoriesĀ«: https://github.com/Roave/SecurityAdvisories/blob/master/composer.json#L216

    The given command should now return any kind of information, that 10.4.5 is not valid anymore. This is not the case however.

    I use Composer version 1.10.9.

    Reviewed by pixelbrackets at 2020-07-28 11:34
  • 11. Unclear why laravel-filemanager is marked as insecure

    Hi,

    I noticed that unisharp/laravel-filemanager has been added to the conflicts in the following commit: https://github.com/Roave/SecurityAdvisories/commit/5369c567667640bc617d0c6b1ba7c156128ccec5. The commit description links to a codeigniter security advisory, which doesn't seem relevant for this package. I've noticed the following issue on the filemanager's repository: https://github.com/UniSharp/laravel-filemanager/issues/1096, does it have anything to do with this?

    Reviewed by MaxKorlaar at 2022-01-11 10:59
  • 12. Clarify package usage

    Split installation and usage description.

    Extend description how the package works and when it runs.

    Explain need for Composer 2 in manual version checks (see #66)

    Reviewed by pixelbrackets at 2021-08-13 13:05
A multitool library offering access to recommended security related libraries, standardised implementations of security defences, and secure implementations of commonly performed tasks.

SecurityMultiTool A multitool library offering access to recommended security related libraries, standardised implementations of security defences, an

Apr 23, 2022
Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core
Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core

Laravel Security Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campb

Jun 23, 2022
phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

Jun 23, 2022
The Security component provides a complete security system for your web application.

Security Component The Security component provides a complete security system for your web application. It ships with facilities for authenticating us

Jun 16, 2022
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application

PHPIDS PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web ap

Jun 16, 2022
A php.ini scanner for best security practices

Scanner for PHP.ini The Iniscan is a tool designed to scan the given php.ini file for common security practices and report back results. Currently it

Jun 17, 2022
Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials.

Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. It is inspired by the Java Spring framework.

Jun 21, 2022
FunboxEasy - Proving Grounds - Offensive Security
FunboxEasy - Proving Grounds - Offensive Security

FunboxEasy - Proving Grounds - Offensive Security

Oct 28, 2021
Php Security Class

Security Advanced Security Class for Php Features Secure From XSS, CSRF, SQL Injection, BASE64, RFI, LFI, Command Injection, Block Suspicious Request

Dec 23, 2021
Windows and macOS Hardening Interface to make security more accessible.

Welcome to the Hardening Interface Introduction To use HardeningKitty service more easily, we have created an interface which permits better understan

Apr 13, 2022
PHP frontend for security.symfony.com

SensioLabs Security Checker WARNING: Don't use this piece of software anymore as the underlying web service will stop working at the end of January 20

Jun 24, 2022
Security issues for Magento have left a big question mark in the community of online stores
Security issues for Magento have left a big question mark in the community of online stores

Magento 2 Security extension FREE. Security extension gives store owners the ability to detect the IP addresses that are intentionally attacking their store at any given time. Therefore, they have timely measures to prevent this issue such as blocking those IP addresses or sending warning emails to store owners.

Apr 1, 2022
Security Component - Guard

The Guard component brings many layers of authentication together, making it much easier to create complex authentication systems where you have total control.

Jun 29, 2022
Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSRF tokens.

Security Component - CSRF The Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSR

Jun 27, 2022
Web page performance/seo/security/accessibility analysis, browser-less for PHP

Web page performance/seo/security/accessibility analysis, browser-less for PHP

Jun 12, 2022
Test a method against a list of XSS known.

php-xss-tests Test a method against a list of XSS known. How to run Just execute "run.sh", it will start a docker container to do all stuff. How I kno

Oct 25, 2021
A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.
A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

Jun 21, 2022