PHP Composer Dependency Security Audit
Scan composer.json for CVEs without CLI tools. Paste your manifest and get a fixed composer.json with safe package versions. Supports composer.lock for transitive scanning.
How to scan PHP dependencies
Paste your composer.json into PackageFix. The tool queries the OSV vulnerability database live and returns:
- CVE table with severity badges (CRITICAL, HIGH, MEDIUM, LOW)
- CISA KEV flags — actively exploited packages highlighted in red
- Side-by-side diff: your versions vs fixed versions
- Download fixed composer.json + changelog as .zip
- Renovate config + GitHub Actions workflow template
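As an added illustration of the workflow above (example code, not PackageFix's own), the sketch below reads package versions from a constructed composer.lock excerpt, builds the request body for OSV's querybatch endpoint, and picks the next fixed version out of an OSV-style advisory record. The package names, versions and advisory id are constructed placeholders, and the OSV call itself is not made so the script runs offline.

```python
import json

# Constructed composer.lock excerpt; not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "vendor/example-lib", "version": "v1.4.0"},
                 {"name": "vendor/other-lib", "version": "2.0.3"}],
    "packages-dev": [{"name": "vendor/dev-tool", "version": "3.1.0"}],
})

# Constructed record in OSV's schema; the id is a placeholder, not a real advisory.
SAMPLE_VULN = {
    "id": "EXAMPLE-PLACEHOLDER-0001",
    "affected": [{
        "package": {"ecosystem": "Packagist", "name": "vendor/example-lib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.9"},
                               {"introduced": "1.3.0"}, {"fixed": "1.4.2"}]}],
    }],
}

def lock_packages(lock_json, include_dev=True):
    """(name, version) pairs from composer.lock; drops Composer's leading 'v' for OSV."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return [(p["name"], p["version"].lstrip("v")) for s in sections for p in lock.get(s, [])]

def osv_querybatch(pkgs):
    """Body for POST https://api.osv.dev/v1/querybatch; Packagist is OSV's name for Composer."""
    return {"queries": [{"package": {"name": n, "ecosystem": "Packagist"}, "version": v}
                        for n, v in pkgs]}

def _vt(v):
    """Numeric tuple for plain x.y.z versions (pre-release tags are out of scope here)."""
    return tuple(int(x) for x in v.split("."))

def suggest_fix(vuln, package, current):
    """Smallest 'fixed' version above `current` among the record's ranges for `package`."""
    fixes = [ev["fixed"]
             for aff in vuln.get("affected", [])
             if aff.get("package", {}).get("name") == package
             for rng in aff.get("ranges", [])
             for ev in rng.get("events", []) if "fixed" in ev]
    later = [f for f in fixes if _vt(f) > _vt(current)]
    return min(later, key=_vt) if later else None

if __name__ == "__main__":
    pkgs = lock_packages(SAMPLE_LOCK)
    print(json.dumps(osv_querybatch(pkgs), indent=1))   # what a live scan would POST
    for name, ver in pkgs:
        fix = suggest_fix(SAMPLE_VULN, name, ver)
        if fix:
            print(f"{name}: {ver} -> {fix}")         # the "your version vs fixed" row
```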
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
How do I scan PHP dependencies for CVEs?
Paste your composer.json into PackageFix. It queries the OSV vulnerability database live and returns a CVE table with fix versions.
What PHP packages have the most CVEs?
Check the PackageFix fix guides for the most commonly CVE-flagged PHP packages.
Does PackageFix support PHP lockfiles?
Yes. Drop your lockfile alongside composer.json for full transitive dependency scanning.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.