A lightweight dependency health dashboard for Laravel applications

Package info

github.com/joshdonnell/radar

pkg:composer/joshdonnell/radar

Statistics

Installs: 2

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

v0.0.1 2026-05-06 22:25 UTC

This package is auto-updated.

Last update: 2026-05-07 12:29:26 UTC


README

Laravel Radar

Introduction

Laravel Radar is a lightweight dependency health dashboard and notifier for Laravel applications.

Radar scans Composer and NPM dependencies, stores a snapshot, and highlights:

  • vulnerable packages
  • outdated direct dependencies
  • abandoned Composer packages
  • practical, conservative next steps

Radar is intentionally read-only. It reports dependency health and suggests commands, but it does not update dependencies, edit lock files, commit changes, or deploy code for you.

Requirements

  • PHP 8.3+
  • Laravel 12 or 13
  • Composer
  • Node/NPM available when scanning JavaScript dependencies

Installation

Install Radar with Composer:

composer require joshdonnell/radar

Publish Radar's config file, migration, and dashboard assets:

php artisan radar:install

Run the migration:

php artisan migrate

Usage

Run a dependency scan:

php artisan radar:scan

Open the dashboard at:

/radar

The dashboard path can be changed with:

RADAR_PATH=internal/radar

Radar's dashboard is enabled outside production by default and disabled in production by default. Production applications can still run scans and send notifications. Only enable the dashboard in production when it is protected by trusted authentication and authorization.

RADAR_DASHBOARD_ENABLED=true

Commands

Radar currently ships these Artisan commands:

php artisan radar:scan
php artisan radar:notify
php artisan radar:clear

radar:scan

Scans application dependencies and stores a Radar snapshot.

php artisan radar:scan

Scan a different project path:

php artisan radar:scan --path=/path/to/app

radar:notify

Sends deduplicated vulnerability notifications for the latest stored scan.

php artisan radar:notify

Run a fresh scan before notifying:

php artisan radar:notify --scan

Notifications are only sent when vulnerabilities exist and at least one notification route is configured.

radar:clear

Clears stored Radar scan history.

php artisan radar:clear

Skip the confirmation prompt:

php artisan radar:clear --force

Dashboard

The dashboard shows the latest stored scan, including:

  • health score
  • latest scan time
  • Composer and NPM package inventory
  • vulnerability findings
  • outdated direct dependency findings
  • abandoned Composer package findings
  • suggested safe commands or review steps where Radar can infer them

Notifications

Radar uses Laravel Notifications. Your application still owns the normal mail and Slack transport configuration; Radar only stores the on-demand notification routes it should target.

Configure mail recipients:

RADAR_NOTIFICATION_MAIL_TO=security@example.com,dev@example.com

Configure Slack:

RADAR_NOTIFICATION_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...

Send notifications manually:

php artisan radar:notify

Or scan first, then notify:

php artisan radar:notify --scan

Repeated notifications for the same vulnerability finding set are deduplicated for the configured TTL:

RADAR_NOTIFICATION_DEDUPE_TTL=86400
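
How deduplication of a finding set over a TTL behaves, as an added example that is not Radar's own code: the function names, the finding fields and the in-memory store are hypothetical, and the sample findings are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Radar's code: hypothetical helpers showing
// finding-set deduplication with a TTL.

/** Order-independent fingerprint of a set of findings. */
function findingSetFingerprint(array $findings): string
{
    $keys = array_map(
        fn (array $f): string => implode('|', [$f['ecosystem'], $f['package'], $f['advisory']]),
        $findings,
    );
    $keys = array_values(array_unique($keys));
    sort($keys, SORT_STRING);

    return hash('sha256', implode("\n", $keys));
}

/** Returns true when a notification should be sent, and records the send time. */
function shouldNotify(array $findings, array &$sent, int $now, int $ttl): bool
{
    if ($findings === []) {
        return false; // no vulnerabilities, nothing to send
    }

    $fingerprint = findingSetFingerprint($findings);
    if (isset($sent[$fingerprint]) && $now - $sent[$fingerprint] < $ttl) {
        return false; // same set already reported inside the TTL window
    }
    $sent[$fingerprint] = $now;

    return true;
}

// Constructed sample findings with placeholder advisory ids.
$a = ['ecosystem' => 'composer', 'package' => 'acme/http', 'advisory' => 'ADVISORY-PLACEHOLDER-1'];
$b = ['ecosystem' => 'npm', 'package' => 'example-lib', 'advisory' => 'ADVISORY-PLACEHOLDER-2'];

$sent = [];
$ttl = 86400; // same value as RADAR_NOTIFICATION_DEDUPE_TTL above

var_dump(shouldNotify([$a, $b], $sent, 0, $ttl));     // first report of this set
var_dump(shouldNotify([$b, $a], $sent, 3600, $ttl));  // same set, reordered, inside the TTL
var_dump(shouldNotify([$a], $sent, 7200, $ttl));      // the set changed
var_dump(shouldNotify([$b, $a], $sent, 90000, $ttl)); // original set again, TTL elapsed
```

Because the fingerprint covers the whole set, a newly published advisory changes it and is reported even while the previous set is still inside its TTL.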

Scheduling

Radar preconfigures a nightly scheduled radar:notify --scan run at 02:00, so each notification run starts with a fresh scan.

Your application still needs Laravel's scheduler running in production, usually via a cron entry that runs php artisan schedule:run every minute.

Customize or disable Radar's built-in schedule:

RADAR_NOTIFICATION_SCHEDULE_ENABLED=true
RADAR_NOTIFICATION_SCHEDULE_TIME=02:00
RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=Europe/London

Authorization

Radar checks the configured gate outside local environments before serving the dashboard.

Define the gate in your application, for example:

use Illuminate\Support\Facades\Gate;

Gate::define('viewRadar', fn ($user = null): bool => $user?->is_admin === true);

If you publish the config, you can change the gate name by editing the authorization.gate value in config/radar.php.

Configuration

Publish the configuration file with:

php artisan vendor:publish --tag="radar-config"

Useful environment variables:

RADAR_ENABLED=true
RADAR_PATH=radar
RADAR_DASHBOARD_ENABLED=false
RADAR_DB_CONNECTION=sqlite
RADAR_PRUNE_DAYS=30
RADAR_COMMAND_TIMEOUT=60
RADAR_NOTIFICATION_MAIL_TO=security@example.com
RADAR_NOTIFICATION_SLACK_WEBHOOK_URL=
RADAR_NOTIFICATION_DEDUPE_TTL=86400
RADAR_NOTIFICATION_SCHEDULE_ENABLED=true
RADAR_NOTIFICATION_SCHEDULE_TIME=02:00
RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=

See the configuration documentation for the full config reference.

Dependency sources

Radar reads dependency information from package manager files and installed package metadata.

Composer support includes:

  • package inventory from composer.lock
  • fallback inventory from vendor/composer/installed.json
  • vulnerability findings from composer audit --format=json
  • outdated direct dependencies from Composer's outdated output
  • abandoned package metadata from Composer package data

NPM support includes:

  • package inventory from package-lock.json
  • fallback direct package inventory from node_modules/*/package.json
  • vulnerability findings from npm audit --json
  • outdated direct dependencies from NPM's outdated output
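
What consuming `composer audit --format=json` output can look like, as an added example that is not Radar's own code: `normalizeComposerAudit()` and its output fields are hypothetical, and the JSON is a constructed sample with placeholder identifiers.

```php
<?php
declare(strict_types=1);

// Added illustration, not Radar's code. normalizeComposerAudit() and the
// output field names are hypothetical; the JSON below is constructed.
function normalizeComposerAudit(string $json): array
{
    $report = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    // "advisories": package name => advisories (empty when nothing is reported).
    foreach ($report['advisories'] ?? [] as $package => $advisories) {
        foreach ($advisories as $advisory) {
            $findings[] = [
                'type' => 'vulnerable',
                'package' => (string) $package,
                'id' => $advisory['advisoryId'] ?? 'unknown',
                'cve' => $advisory['cve'] ?? null,
                'affected' => $advisory['affectedVersions'] ?? 'unknown',
                // Not every Composer version emits a severity.
                'severity' => $advisory['severity'] ?? 'unknown',
            ];
        }
    }

    // "abandoned": package name => suggested replacement, or null if none.
    foreach ($report['abandoned'] ?? [] as $package => $replacement) {
        $findings[] = [
            'type' => 'abandoned',
            'package' => (string) $package,
            'replacement' => is_string($replacement) ? $replacement : null,
        ];
    }
    return $findings;
}

$sample = <<<'JSON'
{
  "advisories": {
    "acme/http-client": [
      {"advisoryId": "ADVISORY-PLACEHOLDER-1", "packageName": "acme/http-client",
       "affectedVersions": ">=1.0,<1.4.2", "title": "Constructed advisory",
       "cve": null, "link": "https://example.com/advisory", "severity": "high"}
    ]
  },
  "abandoned": {"acme/legacy-mailer": "acme/mailer", "acme/orphan": null}
}
JSON;

print_r(normalizeComposerAudit($sample));
```

`composer audit` exits non-zero when it reports advisories, so a caller that shells out to it should read the JSON from stdout rather than treat that exit status as a failed scan.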

Supported Node runners

Radar detects the JavaScript package manager from the project lock file and uses that runner when suggesting safe NPM update commands.

Lock file            Runner  Example recommendation
package-lock.json    npm     npm update vite
npm-shrinkwrap.json  npm     npm update vite
yarn.lock            Yarn    yarn up vite
pnpm-lock.yaml       pnpm    pnpm update vite
bun.lock             Bun     bun update vite
bun.lockb            Bun     bun update vite

If no known lock file exists, Radar falls back to npm.

Testing

Run the PHP checks:

composer test

Run frontend checks while working on dashboard assets:

npm run test:lint
npm run test:types
npm run build

License

Laravel Radar is open-sourced software licensed under the MIT license.