Keep your Laravel dependencies up to date

Posted on: February 5, 2025 by Matt

In the world of PHP and Laravel, keeping your dependencies up to date is crucial for security, performance, and compatibility. Fortunately, Composer provides powerful tools to help you manage package updates.

# Checking outdated packages - composer outdated

If you don’t want to update everything at once, you can first check which packages are outdated:

 
composer outdated

This command displays a list of outdated packages in a structured table, highlighting:

  • Patch and minor updates (e.g., 10.2.1 → 10.2.5) – marked in yellow
  • Major updates (e.g., 10.x → 11.x) – marked in red

Additionally, Composer distinguishes between:

  • Direct dependencies - packages explicitly declared in your composer.json
  • Transitive dependencies - packages required by other libraries but not listed directly in your composer.json

To see only outdated packages that you have explicitly installed, run:

 
composer outdated --direct

# Security Audit - composer audit

Beyond just updating, you should also check for known security vulnerabilities:

 
composer audit

This command scans your dependencies against a database of known vulnerabilities and informs you if any packages need urgent updates due to security risks.

# Updating Dependencies - composer update

The simplest way to update all dependencies in a Laravel project is:

 
composer update

This command updates all packages according to the constraints defined in your composer.json. For example, if your file contains:

 
"laravel/framework": "^10.0"

Composer will update Laravel to the latest 10.x version but will not upgrade to 11.x.

# Updating a specific package

If you only want to update a single package in a Laravel project instead of all dependencies, use:

 
composer update vendor/package-name

For example, to update only the Laravel framework package (which includes Laravel’s HTTP client):

 
composer update laravel/framework

If you want to update a package along with its dependencies, use the --with-dependencies flag:

 
composer update vendor/package-name --with-dependencies

You can also allow a major version upgrade by raising the version constraint in composer.json, which composer require does for you:

 
composer require vendor/package-name:^NEW_VERSION

For example, upgrading guzzlehttp/guzzle to version 8:

 
composer require guzzlehttp/guzzle:^8.0

# Final thoughts

Regularly updating your dependencies helps keep your Laravel project secure and up to date. Even if you can’t upgrade to the latest Laravel version immediately, monitoring outdated and vulnerable dependencies should be a routine practice.
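One way to make that routine automatic is a CI gate built on the commands above. This is an added example, not code from the original post: the script name `dependency-gate.sh` and both function names are hypothetical, and `--locked`, `--strict` and `--no-interaction` are Composer options the article does not cover.

```shell
#!/bin/sh
# Added example: CI gate built on `composer audit` and `composer outdated`.
# Assumptions: composer is on PATH, composer.lock is committed, and audit exit
# codes follow the Composer 2 docs (1 = vulnerable, 2 = abandoned, 3 = both).

# Map the exit status of `composer audit` to a verdict string.
classify_audit_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "vulnerable" ;;
        2) echo "abandoned" ;;
        3) echo "vulnerable+abandoned" ;;
        *) echo "error" ;;  # e.g. no lock file, advisory source unreachable
    esac
}

# Return 0 when the build may proceed, 1 when it must be blocked.
dependency_gate() {
    audit_status=0
    # --locked audits the versions pinned in composer.lock, not vendor/.
    composer audit --locked --no-interaction >&2 || audit_status=$?
    verdict=$(classify_audit_status "$audit_status")

    case "$verdict" in
        clean) ;;
        abandoned)
            echo "WARN: abandoned packages in composer.lock" >&2 ;;
        vulnerable*)
            echo "BLOCK: known advisories affect locked packages" >&2
            return 1 ;;
        error)
            # Fail closed: an audit that did not run proves nothing.
            echo "BLOCK: audit did not complete (exit $audit_status)" >&2
            return 1 ;;
    esac

    # --strict makes `composer outdated` exit non-zero when anything is listed.
    if ! composer outdated --direct --strict --no-interaction >&2; then
        echo "WARN: outdated check was not clean (newer releases or an error)" >&2
    fi
    return 0
}

# Run the gate only when invoked as: sh dependency-gate.sh --run
if [ "${1:-}" = "--run" ]; then
    dependency_gate
    exit $?
fi
```

The gate blocks on advisories and on an audit that could not run, while outdated direct dependencies only produce a warning so that routine version drift does not stop every build.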

