Why it Matters

Composer allows installing dependencies from dev-branch references (e.g., dev-master, dev-develop). These are unstable, not tagged for release, and may include incomplete features or insecure debugging code. Depending on dev branches in production removes version stability and exposes the store to unexpected breakage or vulnerabilities.

Production should only use tagged, stable releases. This ensures predictable behavior, reproducible builds, and access to properly reviewed security fixes.

Verification Steps

Composer manifest check

# Search for dev branches in composer.json
grep -E "dev-" composer.json

# Example of risky constraints:
"vendor/extension": "dev-master"
"vendor/extension": "dev-develop"

Lockfile review

# Inspect composer.lock for dev references
grep -E "\"dev-" composer.lock

Remediation / Fix Guidance

  1. Replace dev branch references with stable tagged versions:
    # Bad
    "vendor/extension": "dev-master"
    
    # Good
    "vendor/extension": "^2.4.5"
  2. If the vendor has no stable release:
    • Request a tagged release from the vendor.
    • If unavoidable, fork internally, tag a version, and use it as a private package.
  3. Automate dependency scanning to block dev-branch constraints in CI/CD pipelines.
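The grep checks above catch the `dev-` prefix form; a CI gate is more reliable if it parses the JSON and understands Composer's other branch spellings. The script below is an added example written for this baseline, not tooling shipped by Composer or by any vendor. It goes slightly beyond the text: besides `dev-master`-style constraints it also flags the `<n>.x-dev` suffix form, branch aliases (`dev-master as 1.0.0`) and OR-alternatives (`dev-main || ^2.0`), all of which Composer resolves to a branch rather than a tagged release. The package names in the embedded sample manifests are constructed placeholders.

```python
import json
import re
import sys

# Composer resolves "dev-<branch>" and "<n>.x-dev" constraints to a VCS branch rather than a
# tagged release.  A branch may also carry an alias ("dev-master as 1.0.0") or sit among
# alternatives ("dev-main || ^2.0"); any alternative that is a branch is treated as risky.
_BRANCH_PREFIX = re.compile(r"^dev-")
_BRANCH_SUFFIX = re.compile(r"-dev$")
_OR_SPLIT = re.compile(r"\s*\|\|?\s*")


def is_branch_constraint(constraint: str) -> bool:
    """True if any alternative in a Composer version constraint names a branch."""
    for alternative in _OR_SPLIT.split(constraint.strip()):
        base = alternative.split(" as ", 1)[0].strip()   # drop a branch alias
        if _BRANCH_PREFIX.match(base) or _BRANCH_SUFFIX.search(base):
            return True
    return False


def find_manifest_branches(manifest: dict) -> list:
    """Return (section, package, constraint) for branch constraints in composer.json."""
    findings = []
    for section in ("require", "require-dev"):
        for package, constraint in manifest.get(section, {}).items():
            if is_branch_constraint(str(constraint)):
                findings.append((section, package, constraint))
    return findings


def find_lock_branches(lock: dict) -> list:
    """Return (section, package, version) for packages pinned to a branch in composer.lock."""
    findings = []
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            version = str(entry.get("version", ""))
            if is_branch_constraint(version):
                findings.append((section, entry.get("name", "?"), version))
    return findings


def check_project(manifest: dict, lock: dict) -> tuple:
    """CI gate: returns (passed, report_lines).

    Branches in production sections (require / packages) fail the check; branches in
    dev-only sections are reported as warnings because `composer install --no-dev`
    does not install them."""
    report = []
    passed = True
    for section, package, ref in find_manifest_branches(manifest) + find_lock_branches(lock):
        production = section in ("require", "packages")
        passed = passed and not production
        report.append(f"{'FAIL' if production else 'WARN'}: {section}: {package} -> {ref}")
    if not report:
        report.append("PASS: no dev-branch references found")
    return passed, report


# Constructed sample manifests for demonstration; the package names are placeholders.
SAMPLE_COMPOSER_JSON = {
    "require": {
        "php": "^8.1",
        "vendor/module": "dev-master",
        "vendor/stable-module": "^2.4.5",
    },
    "require-dev": {
        "vendor/test-tool": "1.x-dev",
    },
}
SAMPLE_COMPOSER_LOCK = {
    "packages": [
        {"name": "vendor/module", "version": "dev-master"},
        {"name": "vendor/stable-module", "version": "2.4.7"},
    ],
    "packages-dev": [
        {"name": "vendor/test-tool", "version": "1.x-dev"},
    ],
}


def main(argv):
    # Usage: check_dev_branches.py composer.json composer.lock  (no args: run on the sample)
    if len(argv) == 3:
        with open(argv[1]) as f:
            manifest = json.load(f)
        with open(argv[2]) as f:
            lock = json.load(f)
    else:
        manifest, lock = SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK
    passed, report = check_project(manifest, lock)
    print("\n".join(report))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step with the real `composer.json` and `composer.lock` paths; a non-zero exit code blocks the build. Checking the lockfile as well as the manifest matters because a manifest constraint such as `^2.0 || dev-main` can still resolve to the branch in the lock.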

Examples

Fail Example

# composer.json
"require": {
  "vendor/module": "dev-master"
}
# Risky: pulling unstable branch code → FAIL

Pass Example

# composer.json
"require": {
  "vendor/module": "^2.4.5"
}
# Stable tagged release only → PASS
