Up-to-Date Dependencies Analyzer

Analyzer ID	Category	Severity	Time To Fix
up-to-date-dependencies	🛡️ Security	Medium	60 minutes

What This Checks

• Runs composer install --dry-run to detect pending updates within your declared version constraints.
• Warns when composer.lock is missing so you don’t lose reproducible builds.
• Differentiates between production-only updates and dev-only updates for precise severity and recommendation messaging.
• Surfaces actionable metadata (scope, command used) so you know exactly what to run next.

Why It Matters

• Security patches land in point releases: if you never run composer update, you miss CVE fixes even when they’re compatible with your constraints.
• Reproducible builds: keeping lock files fresh prevents “works on my machine” bugs and deployment drift.
• CI hygiene: dev dependencies (linters, test frameworks) still impact your ability to catch regressions early.
• Compliance and audits: many review checklists require proving dependencies stay within a supported version window.

How to Fix

Quick Fix (15 minutes)

1. Update production dependencies only:

composer update --no-dev

2. For a full refresh (prod + dev):

composer update

3. Commit the updated composer.lock so teammates and CI run with the same versions.

Proper Fix (60 minutes)

1. Schedule regular updates: add a weekly/biweekly task (or CI pipeline) that runs composer update and opens a PR with the diff.
2. Review the changelog: before merging, skim release notes for breaking changes or manual migration steps.
3. Pin risky packages: if a dependency frequently ships breaking patches, constrain it more tightly (e.g., ^2.4.3).
4. Combine with security scanning: run composer audit or a SaaS scanner (like ShieldCI’s own vulnerable dependency analyzer) immediately after updating.
5. Automate notifications: if this analyzer reports failures, wire it into Slack/Email so the team can act quickly.

ShieldCI Configuration

This analyzer is automatically skipped in live serverless runtimes.

Why skip in live serverless runtimes?

• Composer is not installed in deployed Lambda containers - the dry-run exits immediately with an error
• Packages are frozen at build time and cannot be updated at runtime
• Running the check there would always fail and produce a false positive

When to run this analyzer:

• ✅ Standard environments: Runs normally and reports any pending updates within your declared constraints
• ✅ Laravel Vapor / Laravel Cloud (local dev or CI): Runs with --ignore-platform-reqs - your machine and the deployment target differ in OS and PHP extensions, so platform-specific packages are excluded from the diff to prevent false positives
• ❌ Live serverless runtimes (Vapor Lambda, Cloud Functions, Azure Functions): Skipped automatically

References

• Composer install vs update
• Composer version constraints
• Composer audit command

Related Analyzers

• Stable Dependencies Analyzer - ensures you stick to stable tagged releases.
• Frontend Vulnerable Dependencies Analyzer - keeps npm/yarn packages patched.
• Vulnerable Dependencies Analyzer - scans composer.lock for known CVEs.