
Composer 2.9 adds native security protection

And one less package we need to install

Joel Clermont
2025-12-30

I've written before about exercising restraint when adding packages to your project. Each new dependency is something to review and maintain.

That being said, we take security seriously in our applications, so one package we've always installed is roave/security-advisories. It prevents you from updating to a package version with a known vulnerability.

With the recent release of Composer 2.9, this same functionality is now built right into the package manager. It builds on the existing work already used by the composer audit command.

Just like the Roave package, by default Composer now blocks installation of vulnerable packages when running composer update or composer require.

It doesn't block on composer install since that could break CI pipelines or deployments when a new vulnerability is reported. If you really want that behavior, you can opt into it, but I don't plan on doing that.

From reading the PR notes, it also seems like the built-in Composer functionality monitors more vulnerability databases for its reporting. I haven't dug deep into the code for both to compare, but more coverage is always a nice improvement.

This is one of my favorite things about the PHP and Laravel ecosystems. When a tool you already rely on absorbs functionality you were getting from a separate package, you get to simplify.

One less thing to update, one less thing to worry about.

Here to help,

Joel

P.S. Security matters at every layer of your app. Grab a free copy of our security book.
