
Why it Matters

Composer has a built-in composer audit command that checks the installed packages against the Packagist security advisory database. If this command reports issues, your Magento store is running dependencies with publicly disclosed vulnerabilities (typically tracked as CVEs).

Keeping composer audit clean ensures your extension stack does not contain packages with known security flaws. This is a fast, automated check that should be part of every CI/CD pipeline.

Verification Steps

Run audit

# Run Composer audit
composer audit

# Expected: "No security vulnerability advisories found"

Lockfile scope

# composer audit checks the resolved package versions in composer.lock,
# not the version constraints in composer.json. Pass --locked to audit
# the lockfile directly, so the check also works in a fresh CI checkout
# where vendor/ has not been installed yet.
composer audit --locked

Remediation / Fix Guidance

  1. Run composer audit regularly (daily in CI/CD).
  2. If vulnerabilities are found:
    • Upgrade the affected package to the patched version.
    • If upgrade is blocked, adjust constraints (see MB-R056).
    • Apply temporary mitigations if no patch exists (see MB-R053).
  3. After remediation, rerun composer audit to confirm clean state.
  4. Document vulnerabilities found and fixes applied for audit trail.
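The remediation steps above amount to a CI gate: run the audit, fail the build on any advisory, and keep a documented record of findings that are being handled by a temporary mitigation. The script below is an added example (not part of the baseline page or of Composer itself) that wires those steps together. It assumes composer audit --format=json emits an "advisories" map keyed by package name, with each advisory carrying advisoryId, cve, affectedVersions, title and link fields, and it assumes a small accepted-risk allowlist (a local file, hypothetical) keyed by advisory id or CVE with an expiry date, so a mitigation accepted under MB-R053 cannot silently become permanent.

```python
"""CI gate around `composer audit` (added example; not Composer's own code).

Assumed JSON shape of `composer audit --format=json` (verify against your Composer version):
  {"advisories": {"vendor/pkg": [{"advisoryId": ..., "cve": ..., "affectedVersions": ...,
                                  "title": ..., "link": ...}, ...]},
   "abandoned": {...}}
"""
import json
import subprocess
import sys
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    package: str
    advisory_id: str
    cve: str
    affected: str
    title: str
    link: str


def parse_audit(report):
    """Flatten the nested advisories map into one Finding per advisory, sorted by package."""
    findings = []
    for package, advisories in sorted(report.get("advisories", {}).items()):
        for adv in advisories:
            findings.append(Finding(
                package=package,
                advisory_id=adv.get("advisoryId") or "",
                cve=adv.get("cve") or "",            # may be null for advisories without a CVE
                affected=adv.get("affectedVersions") or "",
                title=adv.get("title") or "",
                link=adv.get("link") or "",
            ))
    return findings


def unaccepted(findings, allowlist, today):
    """Drop findings covered by a documented, unexpired accepted-risk entry.

    allowlist: {"<advisoryId or CVE>": {"reason": "...", "expires": "YYYY-MM-DD"}}
    An expired entry no longer suppresses the finding, which forces the record
    kept under step 4 to be revisited rather than rotting in place.
    """
    kept = []
    for f in findings:
        entry = allowlist.get(f.advisory_id) or allowlist.get(f.cve)
        if entry and date.fromisoformat(entry["expires"]) >= today:
            continue
        kept.append(f)
    return kept


def run_audit(cwd="."):
    """Run the real audit. It exits non-zero when advisories exist, so no check=True here."""
    proc = subprocess.run(
        ["composer", "audit", "--format=json", "--locked", "--no-interaction"],
        cwd=cwd, capture_output=True, text=True)
    return json.loads(proc.stdout or "{}")


def load_allowlist(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


def main(argv):
    # Hypothetical allowlist location; adjust to where your team keeps accepted risks.
    allow = load_allowlist(argv[1] if len(argv) > 1 else ".composer-audit-accepted.json")
    findings = parse_audit(run_audit())
    blocking = unaccepted(findings, allow, date.today())
    for f in findings:
        status = "ACCEPTED" if f not in blocking else "FAIL"
        print(f"{status:8} {f.package:30} {f.cve or f.advisory_id:18} {f.affected:14} {f.title}")
    if blocking:
        print(f"\n{len(blocking)} unaccepted advisory(ies); see remediation steps 2-4.")
        return 1
    print("PASS: composer audit clean (or all findings documented and unexpired).")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate treats the allowlist as evidence, not as a silencer: every accepted entry needs a reason and an expiry, and the printed report still lists accepted findings so the audit trail required by step 4 is visible in the CI log.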

Examples

Fail Example

$ composer audit
+-----------------+------------------+------------------+
| Package         | Affected Version | Advisory         |
+-----------------+------------------+------------------+
| symfony/http    | <4.4.50          | CVE-2024-12345   |
+-----------------+------------------+------------------+
# FAIL: Vulnerability present

Pass Example

$ composer audit
No security vulnerability advisories found
# PASS: Audit clean

References