Composer-cve-gate – pre-install gate for Composer, built after Laravel-Lang
Composer-cve-gate is a pre-install gate designed to enhance security for Composer by blocking potentially vulnerable packages before installation. It checks packages against multiple vulnerability signals, ensuring that malicious code does not run on the user's machine. This tool is particularly useful in preventing issues that can arise from Composer's post-install scripts, which can execute arbitrary code immediately after download.
- Composer-cve-gate blocks installations of vulnerable packages before any code is executed.
- It checks against various vulnerability databases including OSV.dev, GitHub Advisory Database, and NIST NVD.
- The tool includes a freshness hold that prevents the installation of packages published less than 72 hours ago.
Opening excerpt (first ~120 words):
composer-cve-gate

Pre-install / pre-upgrade CVE gate for Composer. Blocks before post-install scripts run.

Most of the time composer require is fine. Sometimes it isn't — and when it isn't, the damage is usually done by the time composer audit flags it, because audit runs after post-install scripts.

composer-cve-gate adds two subcommands that resolve the full transitive tree, check every package against multiple vulnerability signals, and block the install before any code touches your machine.

What it checks

- OSV.dev — Google's aggregated vulnerability feed, native Packagist coverage.
- GitHub Advisory Database — composer ecosystem, version-range filtered.
- NIST NVD — keyword + CPE-version match for upstream CVEs.
- Packagist freshness hold — packages published less than 3 days ago are held.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.
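As an added example (not composer-cve-gate's own code), here is the gate decision the excerpt describes, written in Python against constructed data: a resolved package set, an OSV-style advisory with introduced/fixed version ranges, and the 72-hour freshness hold. The package names, the advisory id and the release timestamps are constructed placeholders.

```python
# Added example, not composer-cve-gate's code: the gate decision the excerpt describes,
# run offline over constructed data (OSV introduced/fixed ranges; 72 h hold from the page).
from datetime import datetime, timedelta

FRESHNESS_HOLD = timedelta(hours=72)

# Constructed: packages as a lock-file resolver would yield them; 'published'
# stands in for the Packagist release timestamp (assumption).
RESOLVED = [
    {"name": "vendor/web-lib", "version": "2.3.1", "published": "2024-05-01T10:00:00+00:00"},
    {"name": "vendor/brand-new", "version": "0.1.0", "published": "2024-06-10T08:00:00+00:00"},
    {"name": "vendor/safe-lib", "version": "1.4.0", "published": "2024-01-15T00:00:00+00:00"},
]
# Constructed advisory with a placeholder id: affected from 'introduced' up to,
# but excluding, 'fixed' (OSV range semantics).
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-0001", "package": "vendor/web-lib",
     "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.2"}]},
]

def parse_version(text):
    """Dotted numeric version -> comparable tuple (no pre-release handling here)."""
    return tuple(int(part) for part in text.split("."))

def version_affected(version, events):
    """Walk the ordered OSV events; the last boundary <= version decides the state."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        if "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
    return affected

def gate(resolved, advisories, now_iso):
    """Return [(package, reason), ...] that block the install; empty means proceed."""
    now = datetime.fromisoformat(now_iso)
    blocks = []
    for pkg in resolved:
        for adv in advisories:
            if adv["package"] == pkg["name"] and version_affected(pkg["version"], adv["events"]):
                blocks.append((pkg["name"], f"vulnerable: {adv['id']}"))
        age = now - datetime.fromisoformat(pkg["published"])
        if age < FRESHNESS_HOLD:  # held as too new, not flagged as vulnerable
            blocks.append((pkg["name"], f"freshness hold: published {age} ago"))
    return blocks

if __name__ == "__main__":
    for name, reason in gate(RESOLVED, ADVISORIES, "2024-06-11T00:00:00+00:00"):
        print(f"BLOCK {name}: {reason}")
```

The gate runs against the fully resolved tree before anything is unpacked, which is the point of the excerpt: a held or vulnerable transitive dependency stops the install, so no post-install script of that package ever executes.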