
Why it Matters

Composer lets the root package set a global stability floor (the minimum-stability field in composer.json). If it is lowered, for example to dev, the resolver may select alpha, beta, RC or dev versions for any dependency that does not carry its own stability flag, and those untested builds end up in production. This increases the risk of regressions, insecure or unreviewed code, and compatibility issues. Note that the field is only honoured in the root composer.json; it is ignored inside dependencies, so a vendor package cannot lower it for you.

Keeping minimum-stability at stable (the default when the field is absent) prevents the resolver from pulling in beta or dev versions unless a single package constraint explicitly opts in with a stability flag, which keeps every exception visible and reviewable. The setting only applies when dependencies are resolved; what is actually deployed is whatever composer.lock records, so the lock file must be checked as well.

Verification Steps

Composer manifest check

# Inspect the root stability setting
grep -n '"minimum-stability"' composer.json

# Or read it through Composer itself (prints the current value)
composer config minimum-stability

# Expected:
"minimum-stability": "stable"
# or field absent (defaults to stable)

# Also look for per-package stability flags, which override the root
# setting for that one package (e.g. "1.0.x-dev@dev", "2.1.*@beta")
grep -nE '@(dev|alpha|beta|RC)' composer.json

Installed package check

# List the production packages only (what `composer install --no-dev` deploys)
composer show --no-dev

# Flag version strings whose stability is below stable; review every hit,
# since the description column can also match
composer show --no-dev | grep -Ei '[[:space:]](dev-[^[:space:]]+|[^[:space:]]+-(dev|alpha|beta|rc)[0-9.]*)([[:space:]]|$)'

# Ensure no dev/alpha/beta/RC versions are installed unless explicitly required and documented

Remediation / Fix Guidance

  1. Ensure composer.json has "minimum-stability": "stable" or omits the field entirely. Do not rely on "prefer-stable": true to compensate for a lowered floor; it only expresses a preference and still falls back to unstable versions.
  2. If a pre-release of one package is genuinely required, pin that package with an explicit constraint and stability flag (e.g. "vendor/pkg": "1.2.x-dev@dev") instead of lowering minimum-stability for everything, and record why. If it is only needed for development or testing, declare it under require-dev so that `composer install --no-dev` skips it in production.
  3. Regularly audit composer.lock, specifically the "packages" array (the "packages-dev" array is not deployed with --no-dev), because the lock file, not minimum-stability, decides what gets installed.
  4. Automate the check in CI/CD: block deployments when minimum-stability is not stable, when an undocumented stability flag appears in require, or when a non-stable version is pinned in the production section of composer.lock.
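A CI gate that implements the four remediation steps above, as an added example (this is not Composer's own code and not part of the original baseline page). It reads composer.json and composer.lock, classifies each locked version with a simplified re-implementation of Composer's stability rules, and exits non-zero on any finding. The package names (example/stable-lib and so on) and the embedded sample manifests are constructed for the demonstration; the allowlist argument is a hypothetical convention for documented exceptions.

```python
"""CI gate for the Composer stability baseline (added example, not Composer's
own code): fails when composer.json lowers minimum-stability, when a require
constraint carries a stability flag, or when composer.lock pins a non-stable
version into the production package set. Package names below are made up."""
import json
import re
import sys

# Version modifier suffixes as Composer's VersionParser recognises them
# (simplified re-implementation of parseStability, not Composer's code).
_MODIFIER = re.compile(r"[._-]?(stable|beta|b|rc|alpha|a|patch|pl|p)(?:[.-]?\d+)*$")


def stability_of(version: str) -> str:
    """Return 'dev', 'alpha', 'beta', 'RC' or 'stable' for a version string."""
    v = version.strip().lower()
    if v.startswith("dev-") or v.endswith("-dev"):
        return "dev"
    v = v.split("+", 1)[0]          # build metadata never affects stability
    m = _MODIFIER.search(v)
    if not m:
        return "stable"
    mod = m.group(1)
    if mod in ("beta", "b"):
        return "beta"
    if mod in ("alpha", "a"):
        return "alpha"
    if mod == "rc":
        return "RC"
    return "stable"                 # 'stable', 'patch', 'pl', 'p' are releases


def check_composer(composer_json: dict, composer_lock: dict,
                   allowed: frozenset = frozenset()) -> list:
    """Return a list of findings; an empty list means the baseline passes.
    `allowed` (hypothetical convention) names packages approved as pre-release."""
    findings = []

    # 1. Root setting: absent means "stable"; anything else widens what the
    #    resolver may pick for every package without its own flag.
    min_stab = str(composer_json.get("minimum-stability", "stable"))
    if min_stab.lower() != "stable":
        findings.append(
            f'composer.json: minimum-stability is "{min_stab}" (expected "stable")')

    # 2. Per-package stability flags such as "1.2.*@beta" bypass the root
    #    setting for that package, so each one must be a documented exception.
    for name, constraint in composer_json.get("require", {}).items():
        if "@" in str(constraint) and name not in allowed:
            findings.append(
                f'composer.json: require "{name}": "{constraint}" carries a stability flag')

    # 3. What actually deploys is composer.lock. Only "packages" is installed
    #    with --no-dev; "packages-dev" is deliberately not inspected here.
    for pkg in composer_lock.get("packages", []):
        stab = stability_of(str(pkg.get("version", "")))
        if stab != "stable" and pkg.get("name") not in allowed:
            findings.append(
                f'composer.lock: {pkg.get("name")} {pkg.get("version")} is {stab}')
    return findings


# Constructed sample manifests for the demonstration; the package names are made up.
SAMPLE_COMPOSER_JSON = {
    "minimum-stability": "dev",
    "require": {
        "example/stable-lib": "^2.0",
        "example/preview-lib": "1.0.x-dev@dev",
        "example/rc-lib": "^3.0",
    },
}
SAMPLE_COMPOSER_LOCK = {
    "packages": [
        {"name": "example/stable-lib", "version": "v2.3.1"},
        {"name": "example/preview-lib", "version": "1.0.x-dev"},
        {"name": "example/rc-lib", "version": "3.0.0-RC1"},
    ],
    "packages-dev": [
        {"name": "example/test-tool", "version": "1.0.0-beta2"},  # not deployed
    ],
}


def main(argv):
    """Usage: python composer_stability_gate.py [composer.json] [composer.lock]"""
    json_path = argv[1] if len(argv) > 1 else "composer.json"
    lock_path = argv[2] if len(argv) > 2 else "composer.lock"
    with open(json_path) as fh:
        cj = json.load(fh)
    with open(lock_path) as fh:
        cl = json.load(fh)
    findings = check_composer(cj, cl)
    for line in findings:
        print("FAIL:", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample manifests the gate reports four findings (the lowered root setting, the @dev flag on example/preview-lib, and the two non-stable versions in the production section of the lock) while ignoring the beta test tool under packages-dev; passing example/preview-lib as an allowed exception reduces that to the two findings that still need fixing. Wire `python composer_stability_gate.py composer.json composer.lock` into the pipeline step that runs before `composer install --no-dev`.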

Examples

Fail Example
# composer.json
"minimum-stability": "dev"
# Lets the resolver pick dev, alpha, beta or RC versions for any package; adding "prefer-stable": true does not change the verdict, it only prefers stable when one exists → FAIL
Pass Example
# composer.json
"minimum-stability": "stable"
# or no field defined (defaults to stable) → PASS

References