PHP developers everywhere can rejoice as GitHub adds the long-awaited dependency graphs feature for PHP repositories that use Composer. The feature provides security alerts, shows dependency insights, and displays the dependents of a given repository. If enabled, it can also automatically send security fixes to the repository via pull requests.
Composer is the de facto standard for PHP dependency management. Core WordPress first added Composer support for development environments in version 5.1. While it’s not a part of the release package, this was a small victory after a years-long discussion of adding a basic composer.json file to core. Core hasn’t fully embraced Composer or any type of PHP dependency management, but plugin and theme authors are using it more than they were a few short years ago. The new alerts and automatic pull requests will offer one more avenue for catching security issues with plugins and themes.
GitHub seems to be rolling this feature out in waves. After checking some repositories with dependency graphs enabled, some still do not have their PHP dependencies listed. It may take some time, but developers should start seeing dependencies appear that are listed in their
Public repositories should begin seeing automatic security alerts when an issue is found. GitHub will start notifying repository owners of these alerts via web notifications or email, depending on what the account holder has set as their preference. Developers with private repos or who have disabled dependency graphs will need to enable them to take advantage of the new feature.
Security alerts on old repositories could become an annoyance. GitHub recommends archiving those repos. “Archived repositories send a signal to the rest of the community that they aren’t maintained and don’t receive security alerts,” explained Hutchings.
Developers who have opted into GitHub’s automatic security fixes beta feature can now enjoy automatic pull requests (PRs) from GitHub when vulnerabilities are found. GitHub creates a PR with the minimum possible secure version. The developer can then merge the PR at their discretion.
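To illustrate the "minimum possible secure version" choice described above, here is an added example (not GitHub's code or algorithm, and not from the original article). It reads the pinned versions from a composer.lock and, for each one inside an advisory's vulnerable range, picks the lowest patched release. The package names, advisory IDs and version ranges are constructed, and plain dotted version numbers are assumed.

```python
import json

# Constructed composer.lock excerpt (real lock files carry many more fields).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-client", "version": "v2.3.1"},
        {"name": "acme/template", "version": "1.4.0"},
    ],
    "packages-dev": [
        {"name": "acme/test-tools", "version": "3.0.2"},
    ],
})

# Constructed advisories: half-open vulnerable range [low, high) and fixing releases.
ADVISORIES = [
    {"package": "acme/http-client", "id": "EXAMPLE-0001",
     "vulnerable": ("2.0.0", "2.3.4"), "patched": ["2.3.4", "2.4.0", "3.0.0"]},
    {"package": "acme/test-tools", "id": "EXAMPLE-0002",
     "vulnerable": ("1.0.0", "2.9.0"), "patched": ["2.9.0"]},
]

def parse_version(text):
    """Turn '2.3.1' or 'v2.3.1' into (2, 3, 1); pre-release suffixes are not handled."""
    return tuple(int(part) for part in text.lstrip("v").split("."))

def locked_packages(lock_text):
    """Yield (name, version, is_dev) for every package pinned in composer.lock."""
    lock = json.loads(lock_text)
    for section, is_dev in (("packages", False), ("packages-dev", True)):
        for pkg in lock.get(section, []):
            yield pkg["name"], pkg["version"], is_dev

def find_alerts(lock_text, advisories):
    """Return one alert per vulnerable pinned package, with the smallest fixing upgrade."""
    alerts = []
    for name, version, is_dev in locked_packages(lock_text):
        installed = parse_version(version)
        for adv in advisories:
            low, high = (parse_version(v) for v in adv["vulnerable"])
            if adv["package"] != name or not (low <= installed < high):
                continue
            # Lowest patched release above the installed one: the smallest fixing change.
            fixes = [v for v in adv["patched"] if parse_version(v) > installed]
            alerts.append({"package": name, "installed": version, "advisory": adv["id"],
                           "dev": is_dev,
                           "upgrade_to": min(fixes, key=parse_version) if fixes else None})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(COMPOSER_LOCK, ADVISORIES):
        print(alert)
```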
Dependency graphs also make for a much nicer experience when browsing a repository’s dependencies. Previously, developers would need to dive into a project’s composer.json or view them from Packagist, the official package directory for Composer. Developers can now click on a link to view a dependent repository.
Rolling this feature out for PHP repos is a welcome addition and should help more projects keep their code secure.