What it does

composer outdated and composer audit show you facts: what's old, what's vulnerable, what's abandoned. They don't tell you what to do, or in what order. This skill does.

▹
Uses only the real tool output — never makes up a version or a CVE.
▹
Tags every direct package: 🔴 vulnerable · 🟠 abandoned · 🟡 big update · 🟢 safe update · ✅ fine.
▹
Finds a live replacement for dead packages — even when Composer just says "No replacement was suggested" — and tells you if it's drop-in or an API change.
▹
Picks the safest fix for a vulnerability: the lowest version that fixes it, drop-in if possible — so a CVE never forces a needless big upgrade.
▹
Checks PHP/Laravel compatibility before any big update, instead of suggesting it blindly.
▹
Rates the risk and tells you to dry-run and update one lane at a time, so nothing breaks silently.

Only advises. It reads files and runs read-only commands (composer outdated, audit, why), then hands you a plan. It never edits your composer.json, lockfile, or code — you run every command yourself.

Example output

A real run, shortened. The facts come from the tools; the plan and replacements are the skill's call — each one checked before it's shown.

dependency-triage — northwind/portal

## Summary
19 direct deps — 🔴 3 vulnerable  🟠 3 abandoned  🟡 9 major  🟢 3 safe

## 🔴 Security — Do now
phpseclib/phpseclib  2.0.30 → 2.0.54   7 advisories  drop-in within 2.x — NOT a 3.x migration
guzzlehttp/guzzle    7.4.0  → 7.4.5+   5 high CVEs   drop-in within major 7
laravel/framework    v9     → 10.x     CVE-2025-… no v9 fix → Laravel 9→10 upgrade

## 🟠 Abandoned — Do carefully
laravelcollective/html → spatie/laravel-html   (API change — audit your Blade forms)
fruitcake/laravel-cors → built-in Laravel CORS  (config change, ~drop-in)

## Action plan
✅ Do now        verified drop-in security patches + safe bumps
⚠️ Do carefully  swap abandoned packages; plan the Laravel upgrade
🛑 Defer         framework-coupled majors, sequenced into the upgrade

The three lanes

✅ Do now

Safe drop-in security fixes and small updates. Run the commands, run your tests.

⚠️ Do carefully

Dead-package swaps and big updates that need code changes. Read the upgrade guide first; do one at a time.

🛑 Defer

Risky big updates that wait on a Laravel/PHP upgrade. Handle in a separate pass.

Requirements

Requirement	Why
A PHP project with a `composer.json`	the entry point; without it the skill stops
`composer` on your PATH	runs `composer outdated` / `audit` / `why`
Composer 2.4+	needed for `composer audit` (vulnerability data)
A populated `composer.lock` (recommended)	exact installed versions

Tuned for Laravel, but works on any Composer-managed PHP project.

Install & use

No marketplace or full library needed — drop this one folder into your project's .claude/skills/:

your Laravel project

# grab just this skill (per-project)
npx degit ArtemProshkovskiy/laravel-maintenance-skills/skills/composer-dependency-triage \
  .claude/skills/composer-dependency-triage

Use ~/.claude/skills/ instead to install it globally (every project). No npx? Clone the repo and copy the skills/composer-dependency-triage folder into .claude/skills/. Want every skill at once? Add the plugin marketplace (optional).

Open Claude Code in your project

Start it inside the folder that has composer.json.

Ask in plain language

"audit my composer dependencies", "are any of my packages abandoned?", "check my dependencies before upgrading Laravel" — the skill activates automatically.

Read it, then run

You get a plan with exact commands. Nothing is changed for you — run each on a branch, with tests.

Boundaries

does not modify composer.json, composer.lock, or any code;
does not run composer require/update/remove — you run those;
does not invent versions or CVEs — only what the real tools returned;
does not tell you to update a transitive dependency directly — it explains the chain via composer why and points you at the direct parent;
does not recommend a major your PHP/Laravel can't satisfy — it marks it "blocked on upgrade".

It is not a security scanner: the vulnerability facts come from composer audit (the PHP Security Advisories database), not its own CVE list. A clean audit means "nothing found", not "guaranteed safe".

Full usage guide ↗ Example report ↗ SKILL.md source ↗ ← Back to library