joshdonnell/radar
Composer 安装命令:
composer require joshdonnell/radar
包简介
A lightweight dependency health dashboard for Laravel applications
关键字:
README 文档
README
Laravel Radar
Introduction
Laravel Radar is a lightweight dependency health dashboard and notifier for Laravel applications.
Radar scans Composer and NPM dependencies, stores a snapshot, and highlights:
- vulnerable packages
- outdated direct dependencies
- abandoned Composer packages
- practical, conservative next steps
Radar is intentionally read-only. It reports dependency health and suggests commands, but it does not update dependencies, edit lock files, commit changes, or deploy code for you.
Requirements
- PHP 8.3+
- Laravel 12 or 13
- Composer
- Node/NPM available when scanning JavaScript dependencies
Installation
Install Radar with Composer:
composer require joshdonnell/radar
Publish Radar's config file, migration, and dashboard assets:
php artisan radar:install
Run the migration:
php artisan migrate
Usage
Run a dependency scan:
php artisan radar:scan
Open the dashboard at:
/radar
The dashboard path can be changed with:
RADAR_PATH=internal/radar
Radar's dashboard is enabled outside production by default and disabled in production by default. Production applications can still run scans and send notifications. Only enable the dashboard in production when it is protected by trusted authentication and authorization.
RADAR_DASHBOARD_ENABLED=true
Commands
Radar currently ships these Artisan commands:
php artisan radar:scan php artisan radar:notify php artisan radar:clear
radar:scan
Scans application dependencies and stores a Radar snapshot.
php artisan radar:scan
Scan a different project path:
php artisan radar:scan --path=/path/to/app
Use CI mode in a pipeline after installing dependencies:
php artisan radar:scan --ci --severity=high
The --ci flag makes radar:scan return a failing status when vulnerabilities meet the configured severity threshold. Your CI provider does not need special handling. It only needs to run the command and respect the exit code.
Set --severity to low, medium, high, or critical. Radar returns 1 when a vulnerability is at or above that threshold, 0 when none are, and 2 when the CI options or scan path are invalid.
radar:notify
Sends deduplicated vulnerability notifications for the latest stored scan.
php artisan radar:notify
Run a fresh scan before notifying:
php artisan radar:notify --scan
Notifications are only sent when vulnerabilities exist and at least one notification route is configured.
radar:clear
Clears stored Radar scan history.
php artisan radar:clear
Skip the confirmation prompt:
php artisan radar:clear --force
Dashboard
The dashboard shows the latest stored scan, including:
- health score
- latest scan time
- Composer and NPM package inventory
- vulnerability findings
- outdated direct dependency findings
- abandoned Composer package findings
- suggested safe commands or review steps where Radar can infer them
Notifications
Radar uses Laravel Notifications. Your application still owns the normal mail and Slack transport configuration; Radar only stores the on-demand notification routes it should target.
Configure mail recipients:
RADAR_NOTIFICATION_MAIL_TO=security@example.com,dev@example.com
Configure Slack:
RADAR_NOTIFICATION_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
Send notifications manually:
php artisan radar:notify
Or scan first, then notify:
php artisan radar:notify --scan
Repeated notifications for the same vulnerability finding set are deduplicated for the configured TTL:
RADAR_NOTIFICATION_DEDUPE_TTL=86400
Scheduling
Radar preconfigures a nightly scheduled radar:notify --scan run at 02:00, so each notification run starts with a fresh scan.
Your application still needs Laravel's scheduler running in production, usually via a cron entry that runs php artisan schedule:run every minute.
Customize or disable Radar's built-in schedule:
RADAR_NOTIFICATION_SCHEDULE_ENABLED=true RADAR_NOTIFICATION_SCHEDULE_TIME=02:00 RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=Europe/London
Authorization
Radar checks the configured gate outside local environments before serving the dashboard.
Define the gate in your application, for example:
use Illuminate\Support\Facades\Gate; Gate::define('viewRadar', fn ($user = null): bool => $user?->is_admin === true);
If you publish the config, you can change the gate name by editing the authorization.gate value in config/radar.php.
Configuration
Publish the configuration file with:
php artisan vendor:publish --tag="radar-config"
Useful environment variables:
RADAR_ENABLED=true RADAR_PATH=radar RADAR_DASHBOARD_ENABLED=false RADAR_DB_CONNECTION=sqlite RADAR_PRUNE_DAYS=30 RADAR_COMMAND_TIMEOUT=60 RADAR_NOTIFICATION_MAIL_TO=security@example.com RADAR_NOTIFICATION_SLACK_WEBHOOK_URL= RADAR_NOTIFICATION_DEDUPE_TTL=86400 RADAR_NOTIFICATION_SCHEDULE_ENABLED=true RADAR_NOTIFICATION_SCHEDULE_TIME=02:00 RADAR_NOTIFICATION_SCHEDULE_TIMEZONE=
See the configuration documentation for the full config reference.
Dependency sources
Radar reads dependency information from package manager files and installed package metadata.
Composer support includes:
- package inventory from
composer.lock - fallback inventory from
vendor/composer/installed.json - vulnerability findings from
composer audit --format=json - outdated direct dependencies from Composer's outdated output
- abandoned package metadata from Composer package data
NPM support includes:
- package inventory from
package-lock.json - fallback direct package inventory from
node_modules/*/package.json - vulnerability findings from
npm audit --json - outdated direct dependencies from NPM's outdated output
Supported Node runners
Radar detects the JavaScript package manager from the project lock file and uses that runner when suggesting safe NPM update commands.
| Lock file | Runner | Example recommendation |
|---|---|---|
package-lock.json |
npm | npm update vite |
npm-shrinkwrap.json |
npm | npm update vite |
yarn.lock |
Yarn | yarn up vite |
pnpm-lock.yaml |
pnpm | pnpm update vite |
bun.lock |
Bun | bun update vite |
bun.lockb |
Bun | bun update vite |
If no known lock file exists, Radar falls back to npm.
Testing
Run the PHP checks:
composer test
Run frontend checks while working on dashboard assets:
npm run test:lint npm run test:types npm run build
License
Laravel Radar is open-sourced software licensed under the MIT license.
joshdonnell/radar 适用场景与选型建议
joshdonnell/radar 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2 次下载、GitHub Stars 达 9, 最近一次更新时间为 2026 年 05 月 06 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「laravel」 「dependencies」 「radar」 「cve」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 joshdonnell/radar 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 joshdonnell/radar 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 joshdonnell/radar 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Dependencies resolver for Symfony Bundles
Dependency graph visualization for composer.json
g4 dependencies injection container based on Pimple
Provides Function To Check if a plugin is active/inactive & function to compare versions.
Enforce architecture by defining modules with allowed dependencies. Detects forbidden, uncovered, missing and unused module dependencies in PHP projects.
PHP SDK for interfacing with radar.com
统计信息
- 总下载量: 2
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 9
- 点击次数: 46
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-05-06
