Why it Matters

Sometimes extension versions are “yanked” or withdrawn from Packagist/Composer because they were published with serious flaws — for example, critical bugs, accidental debug code, or known security vulnerabilities. These versions will not receive further support or updates, and in some cases are actively unsafe to run.

Stores that continue to run yanked or withdrawn versions remain exposed to the very flaws that caused the withdrawal. Detecting and flagging these versions ensures that administrators upgrade to a maintained release before attackers take advantage of them.

Verification Steps

Composer check

# Check installed versions
composer show vendor/extension

# Verify status on Packagist
composer show vendor/extension -a | grep versions

# Yanked versions appear with a "yanked" flag

OSV / Advisory feeds

# Run osv-scanner against lockfile
osv-scanner --lockfile=./composer.lock

# Yanked releases may also appear in vendor advisories

Remediation / Fix Guidance

  1. Identify if any installed extension versions are marked as yanked or withdrawn.
  2. Upgrade immediately to the nearest non-yanked version:
    composer require vendor/extension:^x.y.z
  3. If no fixed release exists, remove the extension or replace it with a supported alternative.
  4. Confirm composer.lock no longer references withdrawn versions after update.
  5. Include yank-checks in CI/CD pipelines so withdrawn versions cannot be deployed by mistake.
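The CI gate from step 5 can be a short shell check over the same `composer show vendor/extension -a` output used in the verification steps above. The script below is an added example written for this page; it is not part of the baseline or of Composer itself. It assumes the "versions :" line and the "(yanked)" marker look exactly as in the Fail/Pass examples further down, and the function names and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the baseline page or from Composer): a small CI gate that
# parses `composer show <package> -a` output and fails the build when the installed
# version (the entry marked with "*") carries the "(yanked)" marker shown in the
# Fail example on this page. Function names and sample outputs are assumptions
# constructed for illustration.

# installed_version: print the "*"-marked entry from the "versions :" line of a
# `composer show -a` dump passed as $1 (e.g. "2.1.3 (yanked)" or "2.1.4").
installed_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^versions *: *//p' \
        | tr ',' '\n' \
        | sed -n 's/^ *\* *//p' \
        | head -n 1
}

# is_yanked: succeed (exit 0) when the installed entry carries "(yanked)".
is_yanked() {
    case "$(installed_version "$1")" in
        *"(yanked)"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# check_package: print a PASS/FAIL verdict for package $1 given show output $2;
# returns 1 on FAIL so a CI step can stop the deployment.
check_package() {
    pkg=$1
    show_output=$2
    if is_yanked "$show_output"; then
        ver=$(installed_version "$show_output" | sed 's/ *(yanked)//')
        printf 'FAIL: %s is pinned to yanked version %s\n' "$pkg" "$ver"
        return 1
    fi
    printf 'PASS: %s at %s\n' "$pkg" "$(installed_version "$show_output")"
    return 0
}

# Constructed sample outputs (same shape as the Fail/Pass examples on this page).
SAMPLE_FAIL='versions : * 2.1.3 (yanked), 2.1.2, 2.1.1'
SAMPLE_PASS='versions : * 2.1.4, 2.1.2, 2.1.1'

# Demo run against the constructed samples. In a pipeline, replace the sample
# string with the live output: show_output=$(composer show vendor/module -a)
check_package vendor/module "$SAMPLE_FAIL" || echo "-> deployment would be blocked"
check_package vendor/module "$SAMPLE_PASS"
```

In a pipeline, loop `check_package` over every extension listed in composer.lock and let the non-zero return fail the job; because the check runs against the resolved lockfile rather than against composer.json constraints, it also covers step 4 (a lockfile that still pins a withdrawn release fails before anything is deployed).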

Examples

Fail Example

$ composer show vendor/module -a
versions : * 2.1.3 (yanked), 2.1.2, 2.1.1
# Store is running 2.1.3, which has been yanked → FAIL

Pass Example

$ composer show vendor/module -a
versions : * 2.1.4, 2.1.2, 2.1.1
# Store upgraded to non-yanked version 2.1.4 → PASS
