
innobrain/composer-fix

Composer install command:

composer require innobrain/composer-fix

Package description

Fixes security vulnerabilities reported by composer audit by updating the affected packages.

README

A Composer plugin that fixes known vulnerabilities like npm audit fix: it audits installed packages and updates the ones with published advisories to a version that is no longer affected.

Installation

Install it globally so composer fix is available in every project:

composer global require innobrain/composer-fix

Composer will ask to allow the plugin the first time — confirm, or add it to allow-plugins in your global composer.json. The plugin registers a single command, composer fix.

Usage

composer fix

Audits installed packages against your repositories' advisories (Packagist by default) and runs a targeted composer update on the affected ones, staying within your existing composer.json constraints. A package whose safe version is out of range is reported as still vulnerable rather than changed.

Bumping constraints (--force)

composer fix --force

Rewrites affected root constraints to the lowest safe version before updating — the smallest bump that removes the vulnerability, like npm audit fix --force. Can introduce breaking changes, so review the composer.json diff. The constraint is patch-level (e.g. ^5.4.20) so it also excludes the vulnerable lower versions.

Dry run

composer fix --dry-run

Shows the plan without touching composer.json, the lock file, or vendor/.

Options

Option                        Description
--force                       Bump constraints when the safe version is out of range.
--dry-run                     Preview the plan without changing anything.
--no-dev                      Ignore require-dev packages.
-w, --with-dependencies       Also update dependencies of affected packages (except root requirements).
-W, --with-all-dependencies   Also update dependencies of affected packages, including root requirements.
--ignore-unreachable          Ignore repositories that are unreachable or return a non-200.

Pool-filtering plugins (e.g. soak-time)

composer fix never picks a version another plugin would refuse to install. Both the update and --force selection go through Composer's normal pool creation (PRE_POOL_CREATE), so a plugin that prunes the pool — such as soak-time — also prunes what composer fix considers. If the only safe version is held back, --force reports it and leaves composer.json unchanged instead of bumping to a version that won't resolve.

How it works

  1. Match installed packages against advisories via Composer's advisory API.
  2. Build the list of affected packages.
  3. With --force, resolve the lowest safe version of each affected root requirement and rewrite its constraint.
  4. Run a targeted composer update on the affected packages.
  5. Re-audit and report anything still vulnerable.
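The version-selection logic behind steps 3 and 4, and the patch-level bump described under --force, as an added illustration (not the plugin's own code). The package name, version list and advisory ranges are constructed; the advisory range syntax assumed here is Packagist's ">=a,<b|>=c,<d" form (pipe = OR, comma = AND), and only caret (^) root constraints are handled.

```python
"""Lowest-safe-version selection for a composer-fix style audit (added example)."""
import re

# Constructed sample data: published versions of a hypothetical package and
# one advisory whose affected range echoes the README's ^5.4.20 example.
AVAILABLE = ["4.9.2", "5.3.0", "5.3.9", "5.4.0", "5.4.19", "5.4.20", "6.0.0", "6.2.3"]
ADVISORIES = ["<5.4.20|>=6.0,<6.2.3"]

OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
       "==": lambda a, b: a == b, "=": lambda a, b: a == b}
COND = re.compile(r"\s*(>=|<=|>|<|==|=)\s*v?([\d.]+)\s*")

def parse(version):
    """'v5.4.20' -> (5, 4, 20); missing components compare as lower."""
    return tuple(int(x) for x in version.lstrip("v").split("."))

def is_affected(version, affected):
    """True if `version` satisfies any OR-branch (all of its AND-conditions)."""
    v = parse(version)
    for branch in affected.split("|"):
        matches = [COND.fullmatch(c) for c in branch.split(",")]
        if all(m and OPS[m.group(1)](v, parse(m.group(2))) for m in matches):
            return True
    return False

def caret_allows(constraint, version):
    """Minimal '^x.y.z' semantics: >= x.y.z and below the next major (next minor for 0.x)."""
    base = parse(constraint.lstrip("^"))
    base = base + (0,) * (3 - len(base))
    upper = (base[0] + 1, 0, 0) if base[0] > 0 else (0, base[1] + 1, 0)
    return base <= parse(version) < upper

def lowest_safe_version(available, advisories):
    """Lowest published version hit by no advisory: the smallest bump that removes the issue."""
    safe = [v for v in sorted(available, key=parse)
            if not any(is_affected(v, a) for a in advisories)]
    return safe[0] if safe else None

def plan(package, installed, root_constraint, available=AVAILABLE, advisories=ADVISORIES):
    """Decide: update within the constraint, out of range (needs --force), or no fix."""
    target = lowest_safe_version(available, advisories)
    if target is None:
        return (package, installed, None, "no safe version published")
    if caret_allows(root_constraint, target):
        return (package, installed, target, "update within constraint")
    return (package, installed, target, f"out of range; --force would rewrite constraint to ^{target}")

if __name__ == "__main__":
    print(plan("acme/lib", "5.4.19", "^5.3"))  # in range: plain composer fix updates it
    print(plan("acme/lib", "4.9.2", "^4.9"))   # out of range: reported, --force bumps to ^5.4.20
```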

Development

composer install
composer test

License

MIT

Statistics

  • Total downloads: 0
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Views: 2
  • Dependent projects: 0
  • Recommendations: 0

GitHub info

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other info

  • License: MIT
  • Updated: 2026-06-18