Open-source vulnerabilities checker

Edit on GitHub

Open-source vulnerabilities checker is a tool that checks if your PHP application depends on PHP packages with known security vulnerabilities.

Problem description

A project can sometimes use dependencies that contain known vulnerabilities. To minimize the security risk for the project, such dependencies should be updated to the version that has the vulnerability fixed.

Example of an evaluator error message


Message: Improper header validation (CVE-2023-29197):
Target:  guzzlehttp/psr7:2.4.1

Example of code that causes an evaluator error

Your composer.lock file contains package versions that have security issues:

    "name": "guzzlehttp/psr7",
    "version": "2.4.1",
    "source": {
        "type": "git",
        "url": "",

Resolve the error

To resolve the error:

  1. Upgrade the package to a version where the vulnerability issue is fixed.

Run only this checker

To run only this checker, include OPEN_SOURCE_VULNERABILITIES_CHECKER into the checkers list. Example:

vendor/bin/evaluator evaluate --checkers=OPEN_SOURCE_VULNERABILITIES_CHECKER