
Dependency Audit & CVE Scanning

General PHP 5.0+ Intermediate
debt(d3/e3/b3/t5)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3). The term's detection_hints lists composer-audit, snyk, dependabot, and roave/security-advisories — all are readily available automated tools that catch missing audit steps or known CVEs. These integrate easily into CI and flag vulnerabilities without specialist configuration, though they require explicit setup rather than being compiler-level.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is 'Run composer audit in CI; fail the build on any critical or high severity CVE' — this is a small CI configuration change. However, actually remediating found CVEs may require updating dependencies, which can touch multiple files if breaking changes exist, hence e3 rather than e1.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Dependency auditing applies broadly (web/api/cli contexts per applies_to) but the practice itself is a CI/DevOps concern that doesn't impose structural weight on application code. Once configured, it runs automatically. The burden is ongoing maintenance of dependency updates, but this is localized to the dependency management layer, not cross-cutting through business logic.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception explicitly states developers believe 'auditing once at project start is sufficient' when CVEs are disclosed daily. The common_mistakes reinforce this: only auditing direct dependencies (missing transitive ones), ignoring moderate CVEs, and not updating after audit. These are documented gotchas that experienced developers eventually learn, but trip up many initially.

About DEBT scoring →

Also Known As

CVE scanning, vulnerability audit, composer audit, Dependabot

TL;DR

Automated scanning of project dependencies for known vulnerabilities (CVEs) — composer audit, npm audit, and tools like Snyk run in CI to catch vulnerable packages before deployment.

Explanation

Every dependency is attack surface you did not write. CVE databases (the National Vulnerability Database, the GitHub Advisory Database) track known vulnerabilities with severity scores. Tools: composer audit (built into Composer 2.4+; checks the packages pinned in composer.lock, transitive ones included, against Packagist's security advisory data, which aggregates the GitHub Advisory Database, and exits non-zero when any advisory matches), npm audit, Snyk, Dependabot (GitHub). Best practice: run in CI on every PR and on a daily schedule (an unchanged lock file still acquires new advisories), fail the build on high-severity CVEs, and automate dependency updates (Dependabot, Renovate). PHP-specific: watch the packages you ship, such as laravel/framework and symfony/*, and tooling such as phpstan/phpstan, for security releases, and subscribe to the security mailing lists of the frameworks you use.

Common Misconception

Auditing dependencies once at project start is sufficient. In fact new CVEs are disclosed daily, so dependencies must be audited continuously: on every commit, and additionally on a schedule, because a lock file that has not changed in months can still match an advisory published yesterday.

Why It Matters

The Log4Shell vulnerability (CVE-2021-44228 in Apache Log4j) affected thousands of applications through a transitive dependency most developers did not even know they had. Automated auditing of the full lock file catches these before attackers do.

Common Mistakes

  • No audit step in CI — vulnerabilities are only caught when someone remembers to check manually.
  • Ignoring moderate CVEs — severity is revised as exploit details emerge, and many findings later rated critical were first published as moderate.
  • Not updating after audit — knowing about a vulnerability without upgrading (or applying a vendor workaround) provides no protection; the build should stay red until it is fixed.
  • Only auditing direct dependencies — transitive dependencies (dependencies of dependencies) are equally dangerous. Lock-file based tools such as composer audit cover them automatically; feeding a scanner only composer.json, or ignoring findings because "we don't use that package directly", does not.
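A CI gate that applies a severity policy to composer audit output and, for each finding, recovers the chain of requirers from composer.lock so a transitive hit can be traced to the direct dependency that pulls it in. This is an added example, not the page's or Composer's own code. It assumes the JSON shape of composer audit --format=json (an "advisories" map keyed by package name, each entry carrying a "severity" field in recent Composer releases) and the standard composer.lock layout ("packages" entries with "name" and "require"). The audit output, lock file and root require section are constructed samples; the package names (acme/*) and advisory ids (EXAMPLE-000n) are hypothetical. It serves both the CI workflow in the Explanation above and the "moderate CVEs" and "transitive dependencies" mistakes in this list.

```python
"""Severity gate over `composer audit --format=json` output, with transitive
dependency paths recovered from composer.lock.

Added example, not Composer's code. The audit JSON shape and the lock layout
are assumptions; all inputs below are constructed samples with hypothetical
package names and advisory ids.
"""
import json
from collections import deque

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of `composer audit --format=json` output. acme/web has an
# advisory without a severity field, as older Composer releases emit.
SAMPLE_AUDIT_JSON = """
{
  "advisories": {
    "acme/parser": [
      {"advisoryId": "EXAMPLE-0001", "packageName": "acme/parser",
       "affectedVersions": "<1.4.2", "title": "Deserialization of untrusted data",
       "cve": null, "severity": "critical"}
    ],
    "acme/mailer": [
      {"advisoryId": "EXAMPLE-0002", "packageName": "acme/mailer",
       "affectedVersions": ">=2.0,<2.3.1", "title": "Header injection",
       "cve": null, "severity": "medium"}
    ],
    "acme/web": [
      {"advisoryId": "EXAMPLE-0003", "packageName": "acme/web",
       "affectedVersions": "<1.9.0", "title": "Open redirect", "cve": null}
    ]
  },
  "abandoned": {}
}
"""

# Constructed composer.lock excerpt: acme/parser is only reachable via acme/web.
SAMPLE_LOCK_JSON = """
{
  "packages": [
    {"name": "acme/web", "version": "1.8.0",
     "require": {"php": ">=8.1", "acme/parser": "^1.3"}},
    {"name": "acme/parser", "version": "1.4.0", "require": {"php": ">=8.1"}},
    {"name": "acme/mailer", "version": "2.2.0", "require": {}}
  ],
  "packages-dev": []
}
"""

# Constructed composer.json "require" section: the direct dependencies.
SAMPLE_ROOT_REQUIRE = {"php": ">=8.1", "acme/web": "^1.0", "acme/mailer": "^2.0"}


def reverse_dependencies(lock):
    """Map each package name to the set of locked packages that require it."""
    rdeps = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        for dep in pkg.get("require", {}):
            rdeps.setdefault(dep, set()).add(pkg["name"])
    return rdeps


def dependency_path(package, root_require, rdeps):
    """Shortest chain direct-dependency -> ... -> package; [package] if direct;
    None if the package is not reachable from the root (malformed lock)."""
    if package in root_require:
        return [package]
    parent = {package: None}           # child -> the package that required it
    queue = deque([package])
    while queue:
        cur = queue.popleft()
        for requirer in sorted(rdeps.get(cur, ())):
            if requirer in parent:
                continue
            parent[requirer] = cur
            if requirer in root_require:
                path = [requirer]      # walk back down to the vulnerable package
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path
            queue.append(requirer)
    return None


def evaluate_audit(audit, lock, root_require, threshold="high"):
    """One record per advisory; blocking if severity >= threshold. A missing or
    unrecognised severity fails closed rather than slipping through the gate."""
    rdeps = reverse_dependencies(lock)
    min_rank = SEVERITY_RANK[threshold]
    findings = []
    for name, advisories in audit.get("advisories", {}).items():
        for adv in advisories:
            sev = (adv.get("severity") or "unknown").lower()
            rank = SEVERITY_RANK.get(sev)
            findings.append({
                "package": name,
                "advisory": adv.get("advisoryId"),
                "severity": sev,
                "transitive": name not in root_require,
                "path": dependency_path(name, root_require, rdeps),
                "blocking": rank is None or rank >= min_rank,
            })
    return findings


def should_fail_build(findings):
    return any(f["blocking"] for f in findings)


def run_sample(threshold="high"):
    """Evaluate the constructed samples; used by the demo below."""
    return evaluate_audit(json.loads(SAMPLE_AUDIT_JSON),
                          json.loads(SAMPLE_LOCK_JSON),
                          SAMPLE_ROOT_REQUIRE, threshold)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        chain = " -> ".join(f["path"]) if f["path"] else "(unreachable)"
        print(f"{f['severity']:>8}  {f['package']:<12} via {chain}  "
              f"{'BLOCK' if f['blocking'] else 'warn'}")
    raise SystemExit(1 if should_fail_build(results) else 0)
```

In a pipeline you would run composer audit --no-dev --format=json, save the output, and hand it together with composer.lock and the require section of composer.json to evaluate_audit. The policy layer exists because composer audit itself exits non-zero on any matching advisory regardless of severity; if you want to block only on high and critical while still printing medium findings for triage, you need this kind of wrapper. Unknown severity fails closed on purpose, and the recovered path tells the developer which direct dependency to bump when the vulnerable package is three levels down.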

Code Examples

✗ Vulnerable
# No audit in CI — vulnerable packages silently deployed:
# .github/workflows/ci.yml:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: composer install
      - run: vendor/bin/phpunit
      # No audit step
      # symfony/http-kernel with known RCE deployed to production
✓ Fixed
# Audit in CI — blocks deployment when any advisory matches composer.lock:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: composer install
      - run: composer audit --no-dev  # covers transitive packages; exits non-zero on any advisory
      - run: vendor/bin/phpunit

# .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: composer
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10

Added 16 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Run 'composer audit' in CI (on every PR and on a daily schedule); fail the build on any critical or high severity advisory, whether the vulnerable package is a direct or a transitive dependency
📦 Applies To
PHP 5.0+ web api cli
🔗 Prerequisites
🔍 Detection Hints
No composer audit step in CI; outdated composer.lock with known CVEs
Auto-detectable: ✓ Yes composer-audit snyk dependabot roave/security-advisories
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: File
CWE-1104 CWE-937