Know before you upgrade

Upload your composer.lock and get an instant health check of your TYPO3 installation — upgrade readiness, known vulnerabilities, and a full CycloneDX SBOM. No login. No data stored.

Start Audit Learn more

What you get

Three checks, one upload

Every audit runs three independent analyses on your dependency tree.

▲

Upgrade Readiness

Checks every TYPO3 package against Packagist to see if a version compatible with your target major release exists. Green, yellow, or red — per package.

■

Vulnerability Scan

Queries the OSV.dev database for all packages in your lock file. Shows CVE IDs, summaries, and CVSS severity scores. Zero false positives from version-precise matching.

●

SBOM Export

Generates a CycloneDX 1.5 JSON Software Bill of Materials with full dependency tree. Compatible with Dependency-Track, Grype, Trivy.

Example output

Your report at a glance

A real audit produces a tabbed report with upgrade status, vulnerabilities, and a downloadable SBOM.

packages

ready

pre-release

blocked

vulnerability

ready typo3/cms-core v12.4.22 v13.4.2

ready georgringer/news 11.4.0 12.0.0

pre-release in2code/powermail 10.7.0 12.0.0-rc1

blocked gridelements/gridelements 11.0.2 --

blocked mask/mask 8.3.0 --

How it works

Three steps, no setup

The audit runs entirely server-side. Your lock file is parsed in memory and never stored.

Upload composer.lock

Drag and drop or browse for your file. Select the target TYPO3 major version (v12 or v13).

Kula checks Packagist + OSV

Each TYPO3-typed package is checked against Packagist for upgrade compatibility. All packages are batch-queried against the OSV vulnerability database.

Get your report

A tabbed report shows upgrade readiness, vulnerabilities, and a downloadable CycloneDX 1.5 SBOM — all in one view.

For your TYPO3 backend

EXT:kula_audit

Install the companion TYPO3 extension to run audits directly from the backend — with a Dashboard widget, Admin Tools module, and a schedulable CLI command.

Dashboard Widget

Traffic light indicator on your TYPO3 Dashboard. Green, yellow, or red — at a glance. Links to the full report.

Backend Module

Full detail tables under Admin Tools. Upgrade readiness and vulnerability data side by side. One-click "Run Audit" button.

CLI Command

vendor/bin/typo3 kula:audit — run from terminal or CI/CD. Supports --json output and --force cache bypass.

Scheduler

Schedule daily audits via TYPO3 Scheduler. Results cached in sys_registry for 24 hours. Always up to date.

      # Install the extension

      composer require dkd/kula-audit

      # Run your first audit

      vendor/bin/typo3 kula:audit

For developers

JSON API

Integrate the audit into your own tools via the REST endpoint.

      # POST composer.lock, get JSON report

      curl -X POST https://app.kula-audit.de/api/audit \

        -F "file=@composer.lock" \

        -F "target=13"