June 9th, 2015
Stefan Priebsch made some very interesting points in his IPC talk about dependencies. Someone in the audience asked how often we should update our dependencies. Stefan recommends not touching dependencies as long as everything is working, and only monitoring for security updates. However, monitoring security updates across a big dependency tree would be tedious.
Here comes my idea for Composer: package developers can mark a release as "security", and Composer can then implement a check-security command. This way, developers can periodically (or even automatically) check for security patches to any of their dependencies, decide whether those patches affect them, and choose whether to update that dependency.
I think that it would be of great benefit for the PHP ecosystem.
Speaking with Hans-Christian Otto, we came up with an idea that would not rely entirely on package maintainers. The package maintainers could mark versions as security patches, and we could then sync that information into the security-advisories repository to complement the efforts of its contributors. It might be easier for package maintainers to add a tag in their Composer file than to send pull requests.
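To make the proposal concrete, here is an added example (not code from the original post, and not part of Composer) that models the check-security command sketched above: a consumer compares the versions pinned in its composer.lock against a release feed in which maintainers have flagged security releases. The `security` field on a release and the feed layout are hypothetical, and both the lock excerpt and the feed are constructed inline.

```php
<?php
// Added example, not part of the original post or of Composer. Models the proposed
// check-security command against a hypothetical maintainer-supplied 'security' flag.
declare(strict_types=1);

// Constructed excerpt of a composer.lock, reduced to the fields the check needs.
$lock = ['packages' => [
    ['name' => 'acme/http-client', 'version' => 'v2.3.0'],
    ['name' => 'acme/templating',  'version' => '1.8.4'],
    ['name' => 'acme/yaml',        'version' => '3.1.0'],
]];

// Constructed release feed (what a synced security-advisories source might provide).
// 'security' => true marks a release the maintainer tagged as a security patch.
$releases = [
    'acme/http-client' => [['version' => '2.3.1', 'security' => true],   // newer: report
                           ['version' => '2.4.0', 'security' => false]], // feature: ignore
    'acme/templating'  => [['version' => '1.8.3', 'security' => true]],  // already applied
    'acme/yaml'        => [['version' => '4.0.0', 'security' => true]],  // new major: report
];

/** One row per installed package that has a security release newer than it. */
function checkSecurity(array $lock, array $releases): array
{
    $report = [];
    foreach ($lock['packages'] as $pkg) {
        $installed = ltrim($pkg['version'], 'v');
        foreach ($releases[$pkg['name']] ?? [] as $rel) {
            $fixed = ltrim($rel['version'], 'v');
            if (!$rel['security'] || version_compare($installed, $fixed, '>=')) {
                continue; // not a security release, or already at/after it
            }
            $report[] = [
                'package'    => $pkg['name'],
                'installed'  => $installed,
                'fixed_in'   => $fixed,
                // a major bump means the update may need code changes, so flag it
                'same_major' => explode('.', $installed)[0] === explode('.', $fixed)[0],
            ];
        }
    }
    return $report;
}

foreach (checkSecurity($lock, $releases) as $r) {
    printf("%s %s -> security release %s%s\n", $r['package'], $r['installed'],
        $r['fixed_in'], $r['same_major'] ? '' : ' (major version bump)');
}
```

With the constructed data this reports acme/http-client (2.3.0 -> 2.3.1) and acme/yaml (3.1.0 -> 4.0.0, flagged as a major bump), and stays silent for acme/templating, whose security release is already installed.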