# Laravel Known Dependency Vulnerabilities: How to Find and Fix Insecure Composer Packages

> Your composer.lock contains packages with published security advisories. Update affected packages or apply patches before attackers exploit known CVEs.

**Severity:** high | **Category:** Application Security

---

## The Issue

Security advisories for PHP packages are published in the GitHub Advisory Database and the PHP Security Advisories Database (FriendsOfPHP/security-advisories). If your composer.lock pins a version covered by one of them, your application is exposed to a vulnerability whose exploit details are public. Attackers target known vulnerabilities precisely because the attack and the fix are both documented; they only need to find applications that have not updated yet.

## Steps to Fix

### 1. Check for known vulnerabilities

Use Composer's built-in audit command (Composer 2.4 or later):

```bash
# Audit the packages installed in vendor/
composer audit

# Audit composer.lock instead, without needing vendor/ to be installed (useful in CI)
composer audit --locked
```

This queries the Packagist security-advisory API, which aggregates the PHP Security Advisories Database and the GitHub Advisory Database, and prints one row per advisory with:
- Package name
- Severity
- Advisory ID (CVE, or a Packagist PKSA identifier when no CVE is assigned)
- Title and link to the advisory
- Affected version range, from which you can read off the first fixed version

The command exits non-zero when it finds anything, which is what makes it usable as a build gate. Recent Composer versions also flag abandoned packages in the same report.

### 2. Update affected packages

Update packages with known advisories, preferring the smallest change that reaches the fixed version:

```bash
# Update a specific package and whatever it depends on (-W / --with-all-dependencies
# also allows updating your own direct dependencies if the fix needs it)
composer update vendor/package --with-dependencies

# Update all packages within the constraints in composer.json
composer update

# If a major version update is required, change the constraint explicitly
composer require vendor/package:^2.0
```

Check that composer.lock changed and commit it; the lock file is what your servers install from. After updating, run your test suite to verify nothing breaks:

```bash
php artisan test
```

### 3. Handle packages that cannot be updated immediately

If an update introduces breaking changes you cannot address immediately:

1. Read the advisory and work out the attack vector, then check whether your application actually reaches the vulnerable code path (`composer why vendor/package` shows what pulls it in; grep for the affected API).
2. Implement a mitigation that breaks that path: stricter input validation, disabling the affected feature, or a WAF rule as a stopgap.
3. Create a ticket to track the update and record the advisory ID and the mitigation in it.
4. Set a deadline, and make the build fail when it passes. Composer 2.7 and later let you list advisory IDs under `config.audit.ignore` in composer.json so `composer audit` keeps passing while the ticket is open; treat every entry in that list as tracked debt with an owner and a date, never as a permanent exception.

For abandoned packages with no fix available, find a replacement. Packagist lets the maintainer mark a package as abandoned and name a successor, and Composer prints that notice when you inspect the package:

```bash
composer show vendor/package
```

If no successor is named, look for a maintained fork on Packagist and treat the migration as the fix.

### 4. Add audit to your CI pipeline

Add a step that fails the build on known advisories. `composer audit` exits non-zero when it finds one, so a plain step is enough; `--locked` audits composer.lock directly, so the step works before `composer install` has run:

```yaml
# GitHub Actions step; composer audit exits non-zero when it reports an advisory
- name: Security Audit
  run: composer audit --locked
```

Keep the default table output in the build log; `--format=json` is for feeding the result to another tool, not for reading.

As a second line of defence, add Roave Security Advisories so `composer update` and `composer require` can never resolve to a vulnerable version:

```bash
composer require --dev roave/security-advisories:dev-latest
```

This meta-package declares a `conflict` with every version range that has a known advisory, so the dependency solver refuses to pick one. It only guards resolution: it does not report versions already present in composer.lock, so keep `composer audit` as well, and run `composer update roave/security-advisories` regularly so the conflict list stays current.
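Steps 3 and 4 together describe a gate that should fail on any advisory except those accepted with a ticket, a mitigation and a deadline that has not yet passed. The script below is an added example of such a gate (it is not part of the page or of Composer); it reads `composer audit --format=json` from stdin and keeps an accepted-risk register. The JSON field names follow Composer's JSON output, but the sample document, the package names, the advisory IDs and the register contents are constructed for this example.

```python
"""Deadline-aware gate over `composer audit --format=json` output (added example).

Every advisory Composer reports must either be fixed or be listed in an
accepted-risk register with a ticket, a mitigation and an unexpired deadline.
Anything else fails the build. Usage in CI:

    composer audit --locked --format=json | python audit_gate.py
"""
import json
import sys
from datetime import date

# Constructed sample of `composer audit --format=json` output. The field names
# follow Composer's JSON format; packages, advisory IDs and links are made up.
SAMPLE_AUDIT_JSON = r'''{
  "advisories": {
    "example/http-client": [
      {"advisoryId": "EXAMPLE-ADV-0001", "packageName": "example/http-client",
       "affectedVersions": ">=1.0.0,<1.4.2", "cve": null, "severity": "high",
       "title": "Header injection in redirect handling",
       "link": "https://example.invalid/advisories/0001"}
    ],
    "example/markdown": [
      {"advisoryId": "EXAMPLE-ADV-0002", "packageName": "example/markdown",
       "affectedVersions": "<2.1.0", "cve": null, "severity": "medium",
       "title": "Stored XSS via unescaped link titles",
       "link": "https://example.invalid/advisories/0002"},
      {"advisoryId": "EXAMPLE-ADV-0003", "packageName": "example/markdown",
       "affectedVersions": "<2.0.4", "cve": null, "severity": "low",
       "title": "Denial of service on deeply nested lists",
       "link": "https://example.invalid/advisories/0003"}
    ]
  },
  "abandoned": {}
}'''

# Hypothetical accepted-risk register. In a real pipeline keep it in a committed
# file (for example .composer-audit-accepted.json) so every entry is reviewed in a PR.
ACCEPTED_RISKS = {
    "EXAMPLE-ADV-0002": {"ticket": "SEC-142", "deadline": "2025-03-31",
                         "mitigation": "link titles are HTML-escaped by our renderer wrapper"},
    "EXAMPLE-ADV-0003": {"ticket": "SEC-131", "deadline": "2024-11-30",
                         "mitigation": "nesting depth capped by request validation"},
}


def parse_audit(raw):
    """Flatten Composer's per-package advisory map into one list of dicts."""
    data = json.loads(raw)
    found = []
    for package, entries in data.get("advisories", {}).items():
        for entry in entries:
            found.append({
                "package": package,
                # Prefer the CVE when one is assigned; fall back to the Packagist ID.
                "id": entry.get("cve") or entry["advisoryId"],
                "severity": entry.get("severity", "unknown"),
                "affected": entry.get("affectedVersions", ""),
                "title": entry.get("title", ""),
            })
    return found


def evaluate(advisories, accepted, today):
    """Return (blocking, stale).

    blocking: (advisory id, reason) for advisories with no register entry or an
              expired deadline; any of these must fail the build.
    stale:    register entries whose advisory Composer no longer reports, so the
              register can be cleaned up once the real fix has shipped.
    """
    blocking = []
    seen = set()
    for adv in advisories:
        seen.add(adv["id"])
        risk = accepted.get(adv["id"])
        if risk is None:
            blocking.append((adv["id"], "not in accepted-risk register"))
            continue
        deadline = date.fromisoformat(risk["deadline"])
        if deadline < today:
            blocking.append((adv["id"], f"deadline {deadline} passed ({risk['ticket']})"))
    stale = sorted(set(accepted) - seen)
    return blocking, stale


def run_gate(raw, accepted, today_iso):
    """Convenience wrapper: raw audit JSON plus an ISO date -> (blocking ids, stale ids)."""
    blocking, stale = evaluate(parse_audit(raw), accepted, date.fromisoformat(today_iso))
    return [adv_id for adv_id, _ in blocking], stale


def main():
    blocking, stale = evaluate(parse_audit(sys.stdin.read()), ACCEPTED_RISKS, date.today())
    for adv_id, reason in blocking:
        print(f"BLOCK {adv_id}: {reason}")
    for adv_id in stale:
        print(f"STALE register entry {adv_id}: advisory no longer reported")
    sys.exit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

Because `composer audit` itself exits non-zero whenever it reports anything, the gate's exit status has to be the one the pipeline acts on: do not run the pipe under `set -o pipefail`, or Composer's status will fail the job before the register is consulted. On the constructed sample, run with a reference date of 2025-01-15, the gate blocks EXAMPLE-ADV-0001 (never accepted) and EXAMPLE-ADV-0003 (deadline passed) and lets EXAMPLE-ADV-0002 through.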

## Verification

Run the audit and verify no advisories remain:

```bash
composer audit --locked
# Expected output: No security vulnerability advisories found.
# The command exits 0 only in that case, so its exit status can be checked from a script.
```

Run `php artisan stackshield:scan --check=SS030` to verify.

## Prevention

Run `composer audit` in CI on every pull request. Use Dependabot or Renovate to get automatic update PRs, and turn on their security-update mode so a PR is opened as soon as an advisory affecting your lock file lands, not only on the regular schedule. Watch the PHP Security Advisories Database (FriendsOfPHP/security-advisories on GitHub) and your framework's release notes for new entries. Commit composer.lock so every environment installs exactly what was audited, keep caret constraints in composer.json so patch releases stay reachable, and update deliberately rather than pinning exact versions that would block security patches. Use StackShield to monitor dependencies continuously.

---

## Frequently Asked Questions

### How often should I run composer audit?

On every CI run and at least weekly for production applications. New advisories are published regularly. Dependabot or a similar tool can automate this by opening PRs when new advisories affect your dependencies.

### What if the vulnerable package is a transitive dependency?

Use `composer why vendor/vulnerable-package` (add `--tree` to see the full chain) to find which of your direct dependencies requires it. If that dependency's constraint already allows the fixed version, `composer update vendor/vulnerable-package` pulls it in on its own; otherwise update the direct dependency with `composer update vendor/direct-dependency --with-dependencies` so its newer constraint brings in the fixed transitive version. If the direct dependency hasn't released a version that allows the fix yet, open an issue on its repository and apply the mitigation steps above in the meantime.

