mxr576/composer-audit-changes

Composer command for only auditing installed or updated packages in composer.lock

Installs: 77

Dependents: 0

Suggesters: 1

Security: 0

Stars: 2

Watchers: 3

Forks: 0

Open Issues: 4

Type:composer-plugin

1.2.0 2024-12-21 12:32 UTC

This package is auto-updated.

Last update: 2024-12-21 20:39:07 UTC


README

The audit-changes Composer command works similarly to the built-in composer audit command but it only audits newly installed or updated packages since a previous version of composer.lock.

Why

Have you seen a pending CR/MR/PR before that was blocked because a security advisory has just been released for a existing dependency?

This solution can be ideal for auditing only those package changes that were made in a CR/MR/PR but not the complete content on composer.lock.

Installation

$ composer require --dev mxr576/composer-audit-changes

Usage

$ composer audit-changes [path-or-url-or-git-reference-to-previous-version-of-composer-lock] # the default is HEAD:composer.lock

Run composer audit-changes --help to see available command arguments and options.

Background story

This package was created to showcase that maybe there is a better alternative for handling randomly failing builds than adding an opt-out feature to composer audit. See the related issue feature request at composer/composer#11298.