Fix Outdated PHP Composer Dependencies

Scan composer.json for CVEs and get a patched version. Fix outdated PHP packages — no CLI install needed.

⚠ The Problem

composer outdated shows stale packages but doesn't generate a secure composer.json. local-php-security-checker requires CLI setup.

Bad Configuration — composer.json

{
  "require": {
    "laravel/framework": "^8.0",
    "guzzlehttp/guzzle": "^7.0.1"
  }
}

Fixed Configuration — composer.json

{
  "require": {
    "laravel/framework": "^11.0",
    "guzzlehttp/guzzle": "^7.9.2"
  }
}
✓ Fix

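laravel/framework 8.x has multiple CVEs. guzzlehttp/guzzle 7.0.1 is affected by CVE-2022-31090 (HIGH). Update both constraints to the safe versions shown in the fixed configuration above. After updating, run composer install. If a composer.lock is already present, composer install keeps installing the locked versions, so run composer update for the changed packages to re-resolve them against the new constraints.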

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub connection · Runs 100% in your browser

Frequently Asked Questions

How do I scan composer.json for CVEs without a CLI?
Paste your composer.json into PackageFix. It queries the OSV Packagist advisory database live.

Does PackageFix support composer.lock?
Yes. Drop composer.lock alongside composer.json for full transitive package scanning.

What PHP packages have the most CVEs?
laravel/framework, guzzlehttp/guzzle, symfony components, and monolog/monolog are the most frequently CVE-flagged PHP packages.

How do I fix a CVE in a Laravel dependency?
Update the constraint in composer.json to the safe version range, then run composer update.
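The fix and the composer.lock answer above, as an added example (not PackageFix's own code): a Python check that reports, per package, whether the composer.json constraint still admits versions below a safe minimum and whether the locked version is below it. The lock file contents, the function names, and the use of the fixed configuration's floors as safe minimums are assumptions made for the illustration.

```python
import json
import re

# Constructed inputs: the page's two manifests and a hypothetical stale lock file.
BAD_JSON = '{"require": {"laravel/framework": "^8.0", "guzzlehttp/guzzle": "^7.0.1"}}'
FIXED_JSON = '{"require": {"laravel/framework": "^11.0", "guzzlehttp/guzzle": "^7.9.2"}}'
STALE_LOCK = '''{"packages": [
  {"name": "laravel/framework", "version": "v8.83.0"},
  {"name": "guzzlehttp/guzzle", "version": "7.0.1"}]}'''
# Assumption: the floors of the page's fixed composer.json are the safe minimums.
SAFE_FLOOR = {"laravel/framework": "11.0", "guzzlehttp/guzzle": "7.9.2"}

# Only exact, caret (^) and tilde (~) constraints are handled; anything else is rejected.
SIMPLE = re.compile(r"^[\^~]?v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def floor_of(constraint):
    """Lowest version a simple constraint admits; for ^ and ~ that is the stated version."""
    match = SIMPLE.match(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    return tuple(int(part or 0) for part in match.groups())


def audit(manifest_text, lock_text, safe_floor):
    """Return {package: [findings]} for every package listed in safe_floor."""
    require = json.loads(manifest_text).get("require", {})
    packages = json.loads(lock_text).get("packages", [])
    locked = {pkg["name"]: pkg["version"] for pkg in packages}
    report = {}
    for name, safe in safe_floor.items():
        findings = []
        if name in require and floor_of(require[name]) < floor_of(safe):
            findings.append(f"constraint {require[name]} admits versions below {safe}")
        if name in locked and floor_of(locked[name]) < floor_of(safe):
            findings.append(f"locked {locked[name]} is below {safe}")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Editing composer.json alone clears the constraint finding, not the locked one.
    for label, manifest in (("bad", BAD_JSON), ("fixed", FIXED_JSON)):
        print(label, json.dumps(audit(manifest, STALE_LOCK, SAFE_FLOOR), indent=2))
```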
