# Laravel Insecure Package Versions: How to Identify and Replace Known-Vulnerable Dependencies

> Your project requires package versions with known security issues. Update to patched versions or find secure alternatives.

**Severity:** high | **Category:** Application Security

---

## The Issue

Beyond published CVEs (covered by `composer audit`), some package versions have known security weaknesses that aren't formally tracked as advisories — deprecated authentication methods, insecure defaults, broken encryption implementations, or known bypass techniques. These show up as specific version ranges that the security community has flagged as unsafe, even if no formal CVE exists yet.

## Steps to Fix

### 1. Review your dependency versions

List all installed packages with their versions:

```bash
composer show --format=json | jq '.installed[] | {name, version}'
```

Check for outdated packages:

```bash
composer outdated --direct
```

Focus on security-critical packages: authentication, encryption, HTTP clients, file handling, and database drivers.

### 2. Update to secure versions

Update packages flagged as insecure:

```bash
# Update specific package
composer update vendor/package

# Update with version constraint change if needed
composer require vendor/package:^3.0

# Check what would change before updating
composer update --dry-run vendor/package
```

Always run tests after updating:

```bash
php artisan test
```

### 3. Replace abandoned or permanently insecure packages

Some packages are abandoned and will never receive security fixes:

```bash
# Check if a package is abandoned
composer show vendor/package | grep -i abandon

# Find alternatives on Packagist
# Look for the 'Replacement package' note on the Packagist page
```

Common replacements:
- `mpociot/teamwork` → Use Laravel Jetstream teams
- `tymon/jwt-auth` → Laravel Sanctum or Passport
- `zizaco/entrust` → `spatie/laravel-permission`
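
The three steps above amount to a check you can script: read the installed versions out of `composer.lock`, compare each against the version ranges your team has flagged, and report any package on the abandoned list. The following is an added example, not part of this page or of any scanner it mentions; the lock excerpt and the `vendor/example-auth` flagged range are constructed placeholders, not real advisories.

```python
import json
import re

# Constructed composer.lock excerpt (not taken from a real project).
LOCK_JSON = """{
  "packages": [
    {"name": "laravel/framework", "version": "v10.48.0"},
    {"name": "vendor/example-auth", "version": "1.3.9"},
    {"name": "zizaco/entrust", "version": "1.9.0"}
  ]
}"""

# Constructed watch list of version ranges flagged as unsafe.
# The package name and constraint are placeholders, not real advisories.
FLAGGED_RANGES = {"vendor/example-auth": [">=1.0.0 <1.4.0"]}

# Abandoned packages and their replacements, as listed on this page.
ABANDONED = {
    "mpociot/teamwork": "Laravel Jetstream teams",
    "tymon/jwt-auth": "Laravel Sanctum or Passport",
    "zizaco/entrust": "spatie/laravel-permission",
}

def parse_version(v):
    """Turn 'v10.48.0' or '1.3.9-beta2' into a comparable (major, minor, patch)."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v).group(1)
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """True if version lies inside every space-separated comparator, e.g. '>=1.0.0 <1.4.0'."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    ver = parse_version(version)
    for part in constraint.split():
        op, bound = re.match(r"(>=|<=|==|>|<)(.+)", part).groups()
        if not ops[op](ver, parse_version(bound)):
            return False
    return True

def audit(lock_json):
    """Return (package, installed version, reason) findings for a composer.lock document."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        name, version = pkg["name"], pkg["version"]
        if name in ABANDONED:
            findings.append((name, version, "abandoned; replace with " + ABANDONED[name]))
        for rng in FLAGGED_RANGES.get(name, []):
            if satisfies(version, rng):
                findings.append((name, version, "flagged range " + rng))
    return findings
```

Point `audit` at the real `composer.lock` (reading the file instead of `LOCK_JSON`) and fill `FLAGGED_RANGES` from your own review notes; `composer audit` still covers the published CVEs this check does not.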

## Verification

Verify all packages are at secure versions:

```bash
composer outdated --direct
composer audit
```

Run `php artisan stackshield:scan --check=SS056` to check for known-insecure version ranges.

## Prevention

Use Dependabot or Renovate for automated dependency updates. Pin version constraints carefully: use `^` for automatic minor/patch updates. Review changelogs for security-related changes. Subscribe to the GitHub repositories of your critical dependencies.

---

## Frequently Asked Questions

### Should I always use the latest version of every package?

Not blindly. Major version updates can introduce breaking changes. Update security-critical packages immediately. For others, stay current with minor/patch versions and plan major upgrades deliberately. The key is to not fall so far behind that updating becomes painful.

### How do I know if a package is security-critical?

Packages that handle authentication, encryption, file uploads, HTTP requests, user input processing, or database queries are security-critical. Framework packages (`laravel/framework`, `symfony/*`) are also critical since they form the foundation of your application.

