Composer Blocking Vulnerable Packages on Install

February 20, 2026 • 3 min read

Starting with Composer 2.9, running composer install or composer update will automatically fail if any of your dependencies have known security vulnerabilities. No extra setup needed - it’s on by default.

If you want to check your current packages without installing anything, just run:

composer audit

Configuring It in composer.json

You can control this behavior directly in your composer.json:

{
    "config": {
        "audit": {
            "block-insecure": true,
            "block-abandoned": true,
            "ignore": [
                "PKSA-xxxx-xxxx-xxxx",
                "CVE-2024-XXXXX"
            ]
        }
    }
}

block-insecure - blocks packages with known vulnerabilities (default: true)
block-abandoned - blocks packages marked as abandoned on Packagist (default: false)
ignore - list of advisory or CVE IDs to ignore if the vulnerability doesn’t affect you

CLI Options

If you don’t want to touch composer.json, you can use the command line:

# Disable blocking entirely (back to warnings only)
composer config audit.block-insecure false

# Ignore specific advisories
composer config audit.ignore --json '["PKSA-xxxx-xxxx-xxxx", "CVE-2024-XXXXX"]'

# Skip blocking just for one command
composer update --no-security-blocking

# Block abandoned packages
composer config audit.block-abandoned true

That’s it. For most projects, you won’t need to change anything - just let Composer do its job.

Composer Blocking Vulnerable Packages on Install

Configuring It in composer.json #

CLI Options #

Configuring It in composer.json

CLI Options