Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

package still relevant after composer audit? #112

Closed Jimbolino closed 1 year ago

Jimbolino commented 1 year ago

I recently noticed that all my composer update runs started to give a message: No security vulnerability advisories found

After reading some documentation about it: https://php.watch/articles/composer-audit

packagist.org, the main source of package metadata for Composer, now has a new API that returns a list of reported security vulnerabilities for a given list of package names. Packagist routinely fetches the vulnerability information from GitHub Security Advisories and the FriendsOfPHP/security-advisories repository.

Since this repo also uses the same FriendsOfPHP/security-advisories source, is it still really relevant?

Ocramius commented 1 year ago

To some extent: this package will implicitly aid composer update in picking secure dependency ranges.

As for composer require --dry-run roave/security-advisories, I'd say that composer audit gives you much better ergonomics.
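As an added illustration of the first point above (this is example code written for this page, not code from the Roave project or from Composer itself): roave/security-advisories is a metapackage whose composer.json lists vulnerable version ranges under the conflict key, so Composer's resolver cannot select a version inside those ranges, whereas an audit only reports on versions already installed. The Python below models that difference with a constructed package index and constructed conflict entries (the acme/* package names and their ranges are hypothetical), and it supports only the comparison-operator subset of Composer's constraint syntax.

```python
"""Model of how a metapackage 'conflict' list steers version selection.

Composer's real solver handles far richer constraint syntax; this covers only
comparison operators joined by ',' (AND) and '|' or '||' (OR), which is the
shape the conflict entries in roave/security-advisories take.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample index (not real packages): versions published per package.
AVAILABLE: Dict[str, List[str]] = {
    "acme/http": ["1.0.0", "1.1.0", "1.2.0", "1.2.1", "2.0.0"],
    "acme/orm": ["3.0.0", "3.1.0", "3.1.1"],
}

# Constructed conflict list (hypothetical advisories): each range is a set of
# versions an advisory applies to, exactly as a 'conflict' entry would express it.
CONFLICTS: Dict[str, str] = {
    "acme/http": ">=1.2,<1.2.1|>=2,<2.0.1",
    "acme/orm": "<3.1.1",
}

_ATOM_RE = re.compile(r"^(>=|<=|>|<|==|=|!=)?\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2' into (1, 2, 0) so versions compare numerically."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside `constraint` (comparison-operator subset)."""
    v = parse_version(version)
    for disjunct in re.split(r"\|\|?", constraint):
        ok = True
        for atom in disjunct.split(","):
            match = _ATOM_RE.match(atom.strip())
            if not match:
                raise ValueError(f"unsupported constraint atom: {atom!r}")
            op = match.group(1) or "="
            target = parse_version(match.group(2))
            ok = {
                ">=": v >= target, "<=": v <= target, ">": v > target,
                "<": v < target, "=": v == target, "==": v == target,
                "!=": v != target,
            }[op]
            if not ok:
                break
        if ok:
            return True
    return False


def is_conflicting(package: str, version: str, conflicts=CONFLICTS) -> bool:
    """True if a conflict entry excludes this exact package version."""
    rng = conflicts.get(package)
    return rng is not None and satisfies(version, rng)


def pick_highest(package: str, available=AVAILABLE, conflicts=CONFLICTS) -> Optional[str]:
    """Highest available version no conflict entry excludes, or None.

    This is the effect the metapackage has on `composer update`: excluded
    versions are simply never candidates, so the resolver lands on a safe one.
    """
    for version in sorted(available[package], key=parse_version, reverse=True):
        if not is_conflicting(package, version, conflicts):
            return version
    return None


def audit(installed: Dict[str, str], conflicts=CONFLICTS) -> List[str]:
    """Audit-style check: report installed versions that fall in an advisory range.

    Unlike pick_highest, this changes nothing; it only tells you after the fact.
    """
    return sorted(pkg for pkg, ver in installed.items()
                  if is_conflicting(pkg, ver, conflicts))


if __name__ == "__main__":
    print("resolver with conflicts :", pick_highest("acme/http"))        # 1.2.1
    print("resolver without them   :", pick_highest("acme/http", conflicts={}))  # 2.0.0
    print("audit of a stale install:", audit({"acme/http": "2.0.0", "acme/orm": "3.1.1"}))
```

Run as a script, the resolver skips 2.0.0 for acme/http because it falls in the constructed >=2,<2.0.1 range and settles on 1.2.1, while the audit of an install that already has 2.0.0 only names the package. Both consume the same advisory ranges; the difference the thread is about is whether they are applied during resolution or reported afterwards.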

Ocramius commented 1 year ago

Note: regardless of what the community will pick, this package will stay maintained long-term.