mxr576 / composer-audit-changes
Composer command for only auditing installed or updated packages in composer.lock
Installs: 69
Dependents: 0
Suggesters: 1
Security: 0
Stars: 2
Watchers: 3
Forks: 0
Open Issues: 3
Type: composer-plugin
Requires
- php: ~8.1.0 || ~8.2.0
- composer-plugin-api: ^2.3
- composer/composer: ^2.6.0
Requires (Dev)
- ergebnis/composer-normalize: ^2.30
- ergebnis/license: ^2.1
- friendsofphp/php-cs-fixer: ^3.16
- phpstan/phpstan: ^1.10
- phpstan/phpstan-deprecation-rules: ^1.0
README
The audit-changes Composer command works similarly to the built-in composer audit command, but it only audits packages that were newly installed or updated since a previous version of composer.lock.
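As an added illustration of the comparison the command performs (this is example code written for this page, not the plugin's own implementation): the script indexes two composer.lock documents by package name and locked version and reports only the packages that are new or whose version changed, which is the subset audit-changes checks instead of the whole lock file. The two lock files are constructed sample data, and the function names indexLock and changedPackages are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code: compute the packages that were
// newly installed or updated between two composer.lock snapshots. This is the
// set that would be handed to an advisory check instead of the full lock file.

/**
 * Index a decoded composer.lock by package name => locked version.
 * Both "packages" and "packages-dev" are covered: dev packages are installed
 * in CI too and composer audit includes them unless --no-dev is given.
 *
 * @param array<string,mixed> $lock decoded composer.lock
 * @return array<string,string>
 */
function indexLock(array $lock): array
{
    $index = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            if (!isset($package['name'], $package['version'])) {
                throw new InvalidArgumentException("Malformed package entry in \"$section\"");
            }
            $index[$package['name']] = $package['version'];
        }
    }
    return $index;
}

/**
 * Packages present in the current lock that are absent from the previous lock
 * (newly installed) or locked at a different version (updated or downgraded).
 * Packages removed from the lock are ignored: they are no longer installed.
 *
 * @param array<string,mixed> $previousLock decoded previous composer.lock
 * @param array<string,mixed> $currentLock  decoded current composer.lock
 * @return array<string,array{previous: ?string, current: string}>
 */
function changedPackages(array $previousLock, array $currentLock): array
{
    $previous = indexLock($previousLock);
    $current = indexLock($currentLock);
    $changes = [];
    foreach ($current as $name => $version) {
        $old = $previous[$name] ?? null;
        if ($old !== $version) {
            $changes[$name] = ['previous' => $old, 'current' => $version];
        }
    }
    ksort($changes);
    return $changes;
}

// Constructed sample lock files, reduced to the fields the comparison needs.
$previousLockJson = <<<'JSON'
{"packages":[{"name":"vendor/alpha","version":"1.0.0"},
             {"name":"vendor/beta","version":"2.3.1"},
             {"name":"vendor/gone","version":"0.9.0"}],
 "packages-dev":[{"name":"vendor/devtool","version":"3.0.0"}]}
JSON;
$currentLockJson = <<<'JSON'
{"packages":[{"name":"vendor/alpha","version":"1.0.0"},
             {"name":"vendor/beta","version":"2.4.0"},
             {"name":"vendor/new","version":"1.1.0"}],
 "packages-dev":[{"name":"vendor/devtool","version":"3.0.0"}]}
JSON;

$changes = changedPackages(
    json_decode($previousLockJson, true, 512, JSON_THROW_ON_ERROR),
    json_decode($currentLockJson, true, 512, JSON_THROW_ON_ERROR),
);

// Only vendor/beta (updated) and vendor/new (installed) are listed; vendor/alpha
// and vendor/devtool are unchanged and vendor/gone is no longer installed.
foreach ($changes as $name => $change) {
    printf("%s: %s -> %s\n", $name, $change['previous'] ?? '(new)', $change['current']);
}
```

In the plugin the previous snapshot comes from the path, URL or git reference given on the command line (HEAD:composer.lock by default); here it is embedded so the script runs offline. A downgrade is reported the same way as an upgrade, because the older version may carry advisories the newer one had already fixed.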
Why
Have you ever seen a pending CR/MR/PR blocked because a security advisory had just been released for an existing dependency?
This solution can be ideal for auditing only the package changes made in a CR/MR/PR rather than the complete content of composer.lock.
Installation
$ composer require --dev mxr576/composer-audit-changes
Usage
$ composer audit-changes [path-or-url-or-git-reference-to-previous-version-of-composer-lock] # the default is HEAD:composer.lock
Run composer audit-changes --help to see the available command arguments and options.
Background story
This package was created to showcase that there may be a better alternative for handling randomly failing builds than adding an opt-out feature to composer audit. See the related feature request at composer/composer#11298.