PkgRadar

Composer packagist.org

PHP. Scripts declared in composer.json run as shell commands during install; PHP source carries the eval/exec primitives. Detection gates on combinations: base64/gz/hex decode + eval/exec, remote include/require, the deprecated assert(string) backdoor, and remote-fetch-with-exec chains.

Packages scanned: 4,408

High risk: 148

Review: 987

High-severity findings: 404

Last scan: 39m ago

Install-time attack surface

scripts.{pre,post}-{install,update}-cmd in composer.json — run as shell commands during `composer install`

Supported lockfile formats

Spec format

pkgradar gate --ecosystem composer symfony/[email protected]

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for Composer is on the roadmap — the stats above are filtered to this ecosystem in the meantime.
