This package ensures that your application doesn't have installed dependencies with known security vulnerabilities. ... The checks are only executed when adding a new dependency via `composer require` or when running `composer update`: deploying an application with a valid `composer.lock` and via `composer install` won't trigger any security versions checking.

https://github.com/Roave/SecurityAdvisories

Awesome idea! It works by leveraging the "conflict" property in the package's composer.json file.
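How a "conflict" map rules out version ranges, and how the same comparison can be run over a `composer.lock` that is only ever deployed with `composer install`, as an added example that is not code from Roave/SecurityAdvisories or Composer. The package names, version ranges and helper functions are constructed for illustration, and the matcher is a simplified stand-in for Composer's resolver that handles only comparison operators joined by `,` (AND) and `|` (OR).

```python
import json
import operator
import re

# Constructed sample: a metapackage's composer.json with a "conflict" map.
# Package names and version ranges are placeholders, not real advisories.
ADVISORIES = json.loads("""
{"name": "example/advisories", "type": "metapackage",
 "conflict": {"acme/http-client": ">=1.0,<1.4.2|>=2.0,<2.0.5",
              "acme/template": "<3.1.7"}}
""")

# Constructed sample: the package list of a composer.lock file.
LOCK = json.loads("""
{"packages": [{"name": "acme/http-client", "version": "2.0.3"},
              {"name": "acme/template", "version": "v3.2.0"}],
 "packages-dev": [{"name": "acme/logger", "version": "1.0.0"}]}
""")

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "=": operator.eq}

def parse_version(text):
    """Turn '1.4.2' or 'v1.4' into a comparable tuple such as (1, 4, 0)."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def matches(version, constraint):
    """True if version falls inside the constraint ('|' is OR, ',' is AND)."""
    v = parse_version(version)
    def one(term):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*v?([\d.]+)\s*", term)
        if not m:  # ^, ~, wildcards etc. are outside this simplified matcher
            raise ValueError(f"unsupported constraint term: {term!r}")
        return OPS[m.group(1) or "="](v, parse_version(m.group(2)))
    return any(all(one(t) for t in alt.split(","))
               for alt in re.split(r"\|\|?", constraint))

def locked_conflicts(lock, advisories):
    """Return (name, version, range) for locked packages in a conflict range."""
    conflict = advisories.get("conflict", {})
    pkgs = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    return [(p["name"], p["version"], conflict[p["name"]]) for p in pkgs
            if p["name"] in conflict
            and matches(p["version"], conflict[p["name"]])]

if __name__ == "__main__":
    for name, version, rng in locked_conflicts(LOCK, ADVISORIES):
        print(f"{name} {version} is inside conflict range {rng}")
```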