Depending on development branches (dev-branch references) pulls unstable, unreviewed code into production. Such code may contain incomplete features or insecure implementations. Production environments must rely only on tagged, stable releases that receive security patches and long-term maintenance.
Composer allows installing dependencies from dev-branch references (e.g., dev-master, dev-develop). These are unstable, not tagged for release, and may include incomplete features or insecure debugging code. Depending on dev branches in production removes version stability and exposes the store to unexpected breakage or vulnerabilities.
Production should only use tagged, stable releases. This ensures predictable behavior, reproducible builds, and access to properly reviewed security fixes.
# Search for dev branches in composer.json
grep -E "dev-" composer.json

# Example of risky constraints:
"vendor/extension": "dev-master"
"vendor/extension": "dev-develop"

# Inspect composer.lock for dev references
grep -E "\"dev-" composer.lock

# Bad
"vendor/extension": "dev-master"

# Good
"vendor/extension": "^2.4.5"

# composer.json
"require": {
    "vendor/module": "dev-master"
}
# Risky: pulling unstable branch code → FAIL

# composer.json
"require": {
    "vendor/module": "^2.4.5"
}
# Stable tagged release only → PASS
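The grep commands above catch the literal `dev-` prefix. The following is an added example, not part of the original check and not Composer's own tooling: a small Python audit that parses composer.json and composer.lock as JSON and flags every way a dependency can end up resolved to a branch instead of a tag. It goes beyond the page's `dev-master`/`dev-develop` case to also cover branch aliases such as `1.x-dev`, `@dev` stability flags on a version range, and a `minimum-stability: dev` setting without `prefer-stable`, which lets Composer pick dev builds even for `^x.y.z` constraints. The two embedded files are constructed samples; the package names in them are placeholders.

```python
import json

# Constructed sample composer.json (placeholder package names, not a real project).
COMPOSER_JSON = """{
  "name": "example/store",
  "minimum-stability": "dev",
  "require": {
    "php": ">=8.1",
    "vendor/module": "dev-master",
    "vendor/other": "^2.4.5",
    "vendor/alias": "1.x-dev",
    "vendor/flagged": "^3.0@dev"
  },
  "require-dev": {
    "phpunit/phpunit": "^10.0"
  }
}"""

# Constructed sample composer.lock, trimmed to the fields this check reads.
COMPOSER_LOCK = """{
  "packages": [
    {"name": "vendor/module", "version": "dev-master"},
    {"name": "vendor/other", "version": "2.4.7"},
    {"name": "vendor/alias", "version": "1.x-dev"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.1"}
  ],
  "minimum-stability": "dev",
  "prefer-stable": false
}"""


def is_dev_reference(constraint: str) -> bool:
    """True when a constraint or resolved version points at a branch or dev
    build rather than a tagged release. Handles OR'd constraints ("a || b")."""
    for part in constraint.split("||"):
        part = part.strip()
        if part.startswith("dev-"):   # branch name: dev-master, dev-main, dev-develop
            return True
        if part.endswith("-dev"):     # branch alias: 1.x-dev, 2.0.x-dev
            return True
        if part.endswith("@dev"):     # stability flag on a range: ^3.0@dev
            return True
    return False


def find_dev_constraints(composer_json_text: str):
    """Return (section, package, constraint) for each dev reference declared
    in composer.json's require and require-dev sections."""
    data = json.loads(composer_json_text)
    hits = []
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if is_dev_reference(constraint):
                hits.append((section, name, constraint))
    return hits


def find_dev_locked(composer_lock_text: str):
    """Return (section, package, version) for each locked package whose
    resolved version is a branch rather than a tag. The lock file is what
    `composer install` actually deploys, so this is the authoritative view."""
    data = json.loads(composer_lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            version = pkg.get("version", "")
            if is_dev_reference(version):
                hits.append((section, pkg["name"], version))
    return hits


def stability_warnings(composer_json_text: str):
    """Flag a root minimum-stability of dev without prefer-stable: with that
    setting Composer may resolve even a ^x.y.z constraint to a dev build."""
    data = json.loads(composer_json_text)
    warnings = []
    if data.get("minimum-stability", "stable") == "dev" and not data.get("prefer-stable", False):
        warnings.append('minimum-stability is "dev" and prefer-stable is not set')
    return warnings


def audit(composer_json_text: str, composer_lock_text: str) -> dict:
    """Combine the three checks; "pass" is True only when nothing was flagged."""
    constraints = find_dev_constraints(composer_json_text)
    locked = find_dev_locked(composer_lock_text)
    warnings = stability_warnings(composer_json_text)
    return {
        "dev_constraints": constraints,
        "dev_locked": locked,
        "warnings": warnings,
        "pass": not (constraints or locked or warnings),
    }


if __name__ == "__main__":
    report = audit(COMPOSER_JSON, COMPOSER_LOCK)
    for section, name, ref in report["dev_constraints"]:
        print(f"FAIL composer.json [{section}] {name}: {ref}")
    for section, name, ref in report["dev_locked"]:
        print(f"FAIL composer.lock [{section}] {name}: {ref}")
    for warning in report["warnings"]:
        print(f"WARN {warning}")
    print("PASS" if report["pass"] else "FAIL")
```

Run it against a real project by reading composer.json and composer.lock from disk and passing the text to `audit()`; wiring it into CI so a non-empty `dev_locked` list fails the build gives the same guarantee as the manual grep, but also catches the alias and stability-flag forms that the literal `"dev-` pattern misses.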