composer dependency with wildcard version
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A composer.json require/require-dev entry is constrained to "*", accepting any published version including breaking major releases.
Why it matters
A composer.json require/require-dev entry constrained to "*" accepts any published version, including an untested major release, with no review window between publish and install. Composer's own guidance is to always constrain to at least a major/minor range.
How to fix it
Replace the "*" constraint with a caret-style range anchored to the version you have tested (e.g. "^2.9") or an exact version if you need tighter control. Re-run composer update for just that package and confirm the resolved version matches your expectation.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo