This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.

...

The checks are only executed when adding a new dependency via composer require or when running composer update: deploying an application with a valid composer.lock and via composer install won't trigger any security versions checking.

https://github.com/Roave/SecurityAdvisories

Awesome idea! It works by leveraging the "conflict"-property in the composer.json-file of the package.