montag-webstudios/composer-update-guard

Composer plugin that requires confirmation before a full 'composer update'. Protects teams from accidental full dependency updates and supply-chain attacks. Targeted updates (composer update vendor/package) stay allowed.

Maintainers

Package info

github.com/montag-webstudios/composer-update-guard

Type: composer-plugin

pkg:composer/montag-webstudios/composer-update-guard

Statistics

Installs: 2

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

v1.0.0 2026-05-29 07:27 UTC

This package is auto-updated.

Last update: 2026-05-29 07:30:43 UTC


README

A global Composer plugin that requires confirmation before a full composer update. It prevents accidental full dependency updates across the team — a common entry point for supply-chain attacks.

  • composer update: guarded (prompt; aborts with exit code 1 in --no-interaction mode)
  • composer update vendor/package: allowed (targeted, reviewed update)
  • composer update --dry-run: allowed (writes nothing)
  • composer update --lock: allowed (lock hash only)
  • composer install, composer require …, composer remove …: untouched

The plugin is installed globally per development machine and therefore automatically protects all of that user's projects.
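As an added illustration (not this package's own source), here is how such a guard can be built as a Composer plugin: it subscribes to Composer's pre-command-run event and applies the rules above, including the exit-code-1 abort under --no-interaction; it also goes slightly beyond the list by treating the update aliases u and upgrade the same way. The vendor and class names are assumed.

```php
<?php
// Added illustration, not the package's own source; vendor/class names are assumed.
// composer.json must declare "type": "composer-plugin", "require": {"composer-plugin-api": "^2.0"},
// a psr-4 autoload entry for src/ and "extra": {"class": "Example\\UpdateGuard\\Plugin"}.
namespace Example\UpdateGuard;

use Composer\Composer;
use Composer\EventDispatcher\EventSubscriberInterface;
use Composer\IO\IOInterface;
use Composer\Plugin\PluginEvents;
use Composer\Plugin\PluginInterface;
use Composer\Plugin\PreCommandRunEvent;

final class Plugin implements PluginInterface, EventSubscriberInterface
{
    private $io; // IOInterface, set in activate()
    public function activate(Composer $composer, IOInterface $io): void { $this->io = $io; }
    public function deactivate(Composer $composer, IOInterface $io): void {}
    public function uninstall(Composer $composer, IOInterface $io): void {}
    public static function getSubscribedEvents(): array
    {   // fires before any command runs, i.e. before the solver or composer.lock is touched
        return [PluginEvents::PRE_COMMAND_RUN => 'onPreCommandRun'];
    }
    public function onPreCommandRun(PreCommandRunEvent $event): void
    {
        if (!in_array($event->getCommand(), ['update', 'u', 'upgrade'], true)) return;    // install/require/remove: untouched
        if ($event->getInput()->hasParameterOption(['--dry-run', '--lock'], true)) return; // writes nothing / lock hash only
        if (self::requestedPackages(array_slice($_SERVER['argv'] ?? [], 1)) !== []) return; // targeted, reviewed update
        if (!$this->io->isInteractive()) {
            // -n/--no-interaction (or a non-tty stdin in CI): never guess. Composer renders the exception and exits with code 1.
            throw new \RuntimeException('Full "composer update" refused in non-interactive mode; name the packages or use --dry-run.');
        }
        if (!$this->io->askConfirmation('Really run a FULL composer update that may change every package in composer.lock? [y/N] ', false)) {
            throw new \RuntimeException('composer update aborted by the update guard.');
        }
    }
    /** Package names given after the update command. In pre-command-run the input is not yet bound to the
     *  command definition, so the raw argv tokens are inspected; options (and their separate values) are skipped. */
    public static function requestedPackages(array $argv): array
    {
        $tokens = array_values($argv); $packages = []; $seen = false;
        for ($i = 0, $n = count($tokens); $i < $n; $i++) {
            $t = $tokens[$i];
            if (!$seen) { $seen = in_array($t, ['update', 'u', 'upgrade'], true); continue; }
            if (in_array($t, ['-d', '--working-dir', '--with', '--prefer-install', '--ignore-platform-req'], true)) { $i++; continue; }
            if ($t !== '' && $t[0] !== '-') $packages[] = $t; // anything that is not an option names a package
        }
        return $packages;
    }
}
```

Throwing from the event handler is what yields the non-zero exit code: Composer's console layer renders the message and, with no explicit exception code, exits with 1.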

Installation (once per team member)

Via Packagist

composer global config allow-plugins.montag-webstudios/composer-update-guard true
composer global require montag-webstudios/composer-update-guard

Directly from the Git repository (without Packagist)

composer global config repositories.update-guard vcs https://github.com/montag-webstudios/composer-update-guard
composer global config allow-plugins.montag-webstudios/composer-update-guard true
composer global require montag-webstudios/composer-update-guard

The allow-plugins.montag-webstudios/composer-update-guard true line is required as of Composer 2.2 so the plugin is allowed to load. If omitted, Composer will prompt interactively on first run.

Verify it is active

composer global show montag-webstudios/composer-update-guard
cd any/project && composer update --dry-run   # runs through
cd any/project && composer update             # prompts

Uninstall

composer global remove montag-webstudios/composer-update-guard

Publishing (maintainers)

  1. Push this repository to https://github.com/montag-webstudios/composer-update-guard.
  2. Submit it on https://packagist.org (Submit → repository URL). Add the GitHub webhook so Packagist auto-updates on push.
  3. Tag a release (e.g. git tag v1.0.0 && git push --tags) so a stable version is installable.

Notes

  • Acts only locally on the development machine. CI should use composer install (lock-based) instead of composer update anyway; an accidental composer update --no-interaction in a script is stopped by the guard with exit code 1.
  • If you fork this under a different vendor, adjust the name, the autoload namespace and the extra.class entry in composer.json, and the namespace in src/.