Composer must be configured with prefer-stable=true to ensure stable packages are selected over unstable ones. Without this, unstable libraries may be chosen during dependency resolution. Enforcing stable preference reduces exposure to untested, insecure builds.
Composer allows setting a global stability level (e.g., minimum-stability in composer.json).
If the default is too loose (such as dev), unstable or untested packages may be installed
in production. This increases the risk of regressions, insecure code, and compatibility issues.
Ensuring that minimum-stability is set to stable (the default) protects the store
from unintentionally pulling in beta or dev versions, and enforces safer dependency management.
# Inspect stability setting
cat composer.json | grep minimum-stability
# Expected:
"minimum-stability": "stable"
# or field absent (defaults to stable)# List installed packages and versions
composer show
# Ensure no dev/beta/RC versions are installed unless explicitly requiredcomposer.json has "minimum-stability": "stable" or omits the field entirely.require with @dev
and restrict them to development environments only.composer.lock to confirm only stable versions are installed in production.minimum-stability set to dev.# composer.json
"minimum-stability": "dev"
# Allows unstable packages in production → FAIL# composer.json
"minimum-stability": "stable"
# or no field defined (defaults to stable) → PASS