{
    "slug": "dependency_audit",
    "term": "Dependency Audit & CVE Scanning",
    "category": "general",
    "difficulty": "intermediate",
    "short": "Automated scanning of project dependencies for known vulnerabilities (CVEs) — composer audit, npm audit, and tools like Snyk run in CI to catch vulnerable packages before deployment.",
    "long": "Every dependency is potential attack surface. CVE databases (National Vulnerability Database, GitHub Advisory Database) track known vulnerabilities with severity scores. Tools: composer audit (built-in, checks against the GitHub Advisory Database), npm audit, Snyk, Dependabot (GitHub). Best practice: run in CI on every PR, fail the build on high-severity CVEs, and automate dependency updates (Dependabot, Renovate). PHP-specific: track phpstan/phpstan, laravel/framework, symfony/* for security releases. Subscribe to the security mailing lists of the frameworks you use.",
    "aliases": [
        "CVE scanning",
        "vulnerability audit",
        "composer audit",
        "Dependabot"
    ],
    "tags": [
        "general",
        "security",
        "devops",
        "supply-chain"
    ],
    "misconception": "Auditing dependencies once at project start is sufficient — new CVEs are disclosed daily; dependencies must be audited continuously, ideally on every commit.",
    "why_it_matters": "The Log4Shell vulnerability affected thousands of applications using a transitive dependency most developers didn't even know they had — automated auditing catches these before attackers do.",
    "common_mistakes": [
        "No audit step in CI — vulnerabilities are only caught when someone manually checks.",
        "Ignoring moderate CVEs — many critical exploits start as moderate severity findings.",
        "Not updating after audit — knowing about a vulnerability without fixing it provides no protection.",
        "Only auditing direct dependencies — transitive dependencies (dependencies of dependencies) are equally dangerous."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "typosquatting_packages",
        "dependency_confusion_attack",
        "open_source_risk",
        "github_actions_php"
    ],
    "prerequisites": [
        "dependency_management",
        "supply_chain_attack",
        "open_source_risk"
    ],
    "refs": [
        "https://getcomposer.org/doc/03-cli.md#audit"
    ],
    "bad_code": "# No audit in CI — vulnerable packages silently deployed:\n# .github/workflows/ci.yml:\nsteps:\n  - run: composer install\n  - run: vendor/bin/phpunit\n  # No audit step\n  # symfony/http-kernel with known RCE deployed to production",
    "good_code": "# Audit in CI — blocks deployment on high CVEs:\nsteps:\n  - run: composer install\n  - run: composer audit --no-dev  # Fail on any vulnerability\n  - run: vendor/bin/phpunit\n\n# .github/dependabot.yml:\nversion: 2\nupdates:\n  - package-ecosystem: composer\n    directory: /\n    schedule:\n      interval: weekly\n    open-pull-requests-limit: 10",
    "quick_fix": "Run 'composer audit' in CI and fail the build on any critical- or high-severity CVE in a direct dependency",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dependency_audit",
        "html_url": "https://codeclaritylab.com/glossary/dependency_audit",
        "json_url": "https://codeclaritylab.com/glossary/dependency_audit.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Dependency Audit & CVE Scanning](https://codeclaritylab.com/glossary/dependency_audit) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dependency_audit"
            }
        }
    }
}