### Composer Installation Failure Example Source: https://context7.com/roave/securityadvisories/llms.txt Demonstrates how Composer fails to install vulnerable packages when Roave Security Advisories is present, showing conflict errors. ```bash # These commands will FAIL with conflict errors composer require symfony/symfony:2.5.2 # Error: roave/security-advisories conflicts with symfony/symfony 2.5.2 composer require zendframework/zendframework:2.3.1 # Error: roave/security-advisories conflicts with zendframework/zendframework 2.3.1 ``` -------------------------------- ### Install Roave Security Advisories Source: https://context7.com/roave/securityadvisories/llms.txt Installs the Roave Security Advisories package as a development dependency using Composer. ```bash composer require --dev roave/security-advisories:dev-latest ``` -------------------------------- ### Composer.json Version Pinning Source: https://context7.com/roave/securityadvisories/llms.txt Example of how to pin the Roave Security Advisories package in the composer.json file as a development dependency. ```json { "require-dev": { "roave/security-advisories": "dev-latest", "phpunit/phpunit": "^9.0", "other-dev-tools": "^1.0" } } ``` -------------------------------- ### Composer Conflict Version Patterns Source: https://context7.com/roave/securityadvisories/llms.txt Examples of various version constraint syntaxes used in Composer's 'conflict' declarations to specify vulnerable package versions. ```bash # Single version constraint "package/name": "<1.5" # Blocks all versions below 1.5 # Multiple ranges with OR logic "package/name": "<2.0|>=3,<3.5" # Blocks <2.0 OR (>=3 AND <3.5) # Complex multi-range constraints "package/name": ">=1,<1.9.2|>=2,<2.4.5" # Blocks multiple vulnerable ranges # Exact version block "package/name": "==1.2.3" # Blocks exactly version 1.2.3 # Open-ended blocks "package/name": ">=0" # Blocks ALL versions (complete ban) ``` -------------------------------- ### CI/CD Security Check Workflow (GitHub Actions) Source: https://context7.com/roave/securityadvisories/llms.txt Example GitHub Actions workflow (.github/workflows/security.yml) to integrate Composer security checks into a CI/CD pipeline. ```yaml # .github/workflows/security.yml name: Security Check on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Setup PHP uses: shivammathur/setup-php@v2 with: php-version: '8.2' - name: Install dependencies run: composer install --prefer-dist --no-progress - name: Check for security vulnerabilities run: composer update --dry-run roave/security-advisories ``` -------------------------------- ### Pre-commit Hook for Roave Security Advisories Check (Bash) Source: https://context7.com/roave/securityadvisories/llms.txt This bash script acts as a pre-commit hook to automatically check for vulnerable dependencies using the 'roave/security-advisories' package. It runs 'composer update --dry-run' and exits with an error if conflicts indicating vulnerabilities are found. It requires composer to be installed and the 'roave/security-advisories' package to be present in the project's dev dependencies. ```bash echo "Running security check..." composer update --dry-run roave/security-advisories 2>&1 | grep -q "conflict" if [ $? -eq 0 ]; then echo "❌ Security check failed! Vulnerable dependencies detected." echo "Run: composer update --dry-run roave/security-advisories" exit 1 fi echo "✅ Security check passed" exit 0 ``` -------------------------------- ### Manual Security Check with Composer Source: https://context7.com/roave/securityadvisories/llms.txt Performs a dry-run update using Composer to check for vulnerabilities in current dependencies without modifying the composer.lock file. ```bash # Dry-run update to check for vulnerabilities in current dependencies composer update --dry-run roave/security-advisories ``` -------------------------------- ### Composer Commands and Security Check Enforcement Source: https://context7.com/roave/securityadvisories/llms.txt Explains when Composer commands trigger security checks enforced by Roave Security Advisories, and when they are bypassed. ```bash # CHECKED: During development when adding new packages composer require some/package # CHECKED: During dependency updates composer update # CHECKED: In CI/CD during fresh installs composer install --no-dev --optimize-autoloader # NOT CHECKED: Production deployment with existing composer.lock # The lock file bypasses conflict resolution, so vulnerable packages # already locked will be installed without checks composer install --no-dev --no-scripts ``` -------------------------------- ### Roave Security Advisories Conflict Declaration Source: https://context7.com/roave/securityadvisories/llms.txt Illustrates the 'conflict' declaration in composer.json used by Roave Security Advisories to specify vulnerable package versions. ```json { "name": "roave/security-advisories", "type": "metapackage", "conflict": { "symfony/symfony": "<5.4.50|>=6,<6.4.29|>=7,<7.3.7", "laravel/framework": "<10.48.29|>=11,<11.44.1|>=12,<12.1.1", "drupal/core": ">=6,<6.38|>=7,<7.102|>=8,<10.4.9", "phpmailer/phpmailer": "<6.5" } } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.