Packagist · Schema

Packagist Security Advisory

A security advisory for a Composer package as published by the Packagist security advisory database (FriendsOfPHP / GitHub Advisory Database sources).

Composer · PHP · Package Registry · Dependency Management · Open Source · Developer Tools · Software Supply Chain · Security Advisories

Properties

Name Type Description
advisoryId string Stable Packagist advisory identifier.
packageName string Affected package in vendor/package form.
remoteId string Upstream advisory identifier (e.g., GHSA id).
title string
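link string URI (schema format: uri). JSON Schema 2020-12 treats format as an annotation by default, so this is only checked when the validator has format assertion enabled.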
cve string CVE identifier, if assigned. Must match CVE-YYYY-NNNN, with four or more digits in the sequence number.
affectedVersions string Composer-style version constraint describing the affected range.
source string Upstream source feed. One of: FriendsOfPHP/security-advisories, GitHub, PSA, Packagist.
reportedAt string RFC 3339 timestamp (schema format: date-time).
composerRepository string Composer repository the advisory applies to.
severity string One of: low, medium, high, critical, unknown.

JSON Schema

packagist-security-advisory-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/packagist/main/json-schema/packagist-security-advisory-schema.json",
  "title": "Packagist Security Advisory",
  "description": "A security advisory for a Composer package as published by the Packagist security advisory database (FriendsOfPHP / GitHub Advisory Database sources).",
  "type": "object",
  "required": ["advisoryId", "packageName", "title", "affectedVersions"],
  "properties": {
    "advisoryId": {
      "type": "string",
      "description": "Stable Packagist advisory identifier."
    },
    "packageName": {
      "type": "string",
      "description": "Affected package in vendor/package form."
    },
    "remoteId": {
      "type": "string",
      "description": "Upstream advisory identifier (e.g., GHSA id)."
    },
    "title": { "type": "string" },
    "link": { "type": "string", "format": "uri" },
    "cve": {
      "type": "string",
      "description": "CVE identifier, if assigned.",
      "pattern": "^CVE-\\d{4}-\\d{4,}$"
    },
    "affectedVersions": {
      "type": "string",
      "description": "Composer-style version constraint describing the affected range."
    },
    "source": {
      "type": "string",
      "description": "Upstream source feed (e.g., FriendsOfPHP/security-advisories, GitHub).",
      "enum": ["FriendsOfPHP/security-advisories", "GitHub", "PSA", "Packagist"]
    },
    "reportedAt": { "type": "string", "format": "date-time" },
    "composerRepository": {
      "type": "string",
      "description": "Composer repository the advisory applies to."
    },
    "severity": {
      "type": "string",
      "enum": ["low", "medium", "high", "critical", "unknown"]
    }
  }
}