Detect unused composer dependencies

May 13, 2020 by Thibault Debatty | 4703 views

PHP Secure Software Development

If you are using composer to manage the dependencies of your PHP project (and you certainly should), it is very easy to end up using a lot of dependencies. And if your project lives long enough, some (or lots of them) will not be used anymore.

Keeping these unused dependencies has drawbacks:

  1. They may contain vulnerabilities that could lead to a complete hack of your application. A famous example is the CVE-2017-9841 vulnerability affecting Phpunit. This flaw allowed an attacker to execute code on any web application that used the affected versions of Phpunit.
  2. They may cause incompatibilities with other libraries. For example, you may not be able to install an interesting library because of an incompatibility with an old unused library.
  3. Or, in some other cases, you may not be able to update other libraries because the latest versions are not compatible with an old unused library. These updates are important. In some case they fix vulnerabilities that have been discovered.

Luckily, there is an easy solution to detect these unused dependencies: Insolita unused-scanner


composer require --dev insolita/unused-scanner


You will first have to create a configuration file. You can name it unused-scanner.php for example. Here is a typical example:


$projectPath = __DIR__;

// Declare directories which contains php code
$scanDirectories = [
    $projectPath . '/app/',

// Optionally declare standalone files
$scanFiles = [

return [
    'composerJsonPath' => $projectPath . '/composer.json',
    'vendorPath' => $projectPath . '/vendor/',
    'scanDirectories' => $scanDirectories,
    'scanFiles' => $scanFiles,

    // whitelisted packages
    'skipPackages' => ['laravel/tinker', 'guzzlehttp/guzzle'],

The, you can run the scanner:

vendor/bin/unused_scanner unused-scanner.php


If unused dependencies have been detected, you can either:

  • remove them with composer remove cylab/system
  • move them to the require-dev section of your composer.json file, if these dependencies are only used for development


Finally, don't forget to add this test to your gitlab-ci.yml:

  image: cylab/php72
    - COMPOSER_CACHE_DIR=composer-cache composer install
    - vendor/bin/unused_scanner unused-scanner.php

This blog post is licensed under CC BY-SA 4.0

Fully customizable emails using Laravel 9
With the release of Laravel 9, the Swift Mailer (that is no longer maintained) has been replaced by the Symfony Mailer. You can already find some useful information about this change along all the other ones in the Upgrade Guide from Laravel 8.x to 9.0. However this guide does not contain enough information if you want to send fully customized emails. This blog post proposes you a solution coming directly from the Symfony documentation!
SQL injection with SQLMap
Code injection is one of the most critical web application vulnerabilities. Indeed, the consequences of code injection can be dramatic (impact). Moreover, still today a lot of web applications are vulnerable to code injection (frequency). Finally, some tools like SQLMap allow to automatically detect and use these vulnerabilities (exploitation). For this reason, the vulnerability is listed in the top 10 published by the Open Web Application Security Project (OWASP) [1]. In this blog post, we will present one type of code injection, called SQL injection, and we will show how to perform a SQL injection attack with SQLMap.
Filter USB devices with udev (and some PHP code)
USB devices can be a liability : they can be used to exfiltrate data from a computer or server, to plug a hardware keylogger, or to plant a malware. Hence on a managed computer, USB devices should be filtered and whitelisted. In this blog post we show how this can be achieved thanks to udev, and some PHP code.