fabpot/local-php-security-checker

Feature Idea: /vendor/composer/installed.json Check

Closed this issue · 1 comments

sbani commented

Hi,

First, thank you for delivering such great software again and again.

A little background:
I work as a pentester and I found a website that was exposing the file /vendor/composer/installed.json but not composer.lock.
I wanted to check for advisories for the used packages, but that is not possible with your tool out of the box. I had to change the JSON slightly.

I have thought about adding the ability to read this file for this tool. However, I am not sure if this is useful. Maybe it is not the domain that this tool has.

What do you think?

I'm happy to contribute myself if you think it's useful!

mxr576 commented

composer audit checks installed deps by default instead of locked ones.
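
The reshaping the issue describes (turning installed.json into something a composer.lock-based checker can read), as an added example that is not part of the thread or the project's code. It assumes the checker needs only the `packages` and `packages-dev` arrays with each package's name and version; `installedToLock` and the sample package names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// installedToLock rewrites vendor/composer/installed.json as a minimal lock-shaped
// document. Assumption: a checker only reads "packages" and "packages-dev".
func installedToLock(installed []byte) ([]byte, error) {
	var v2 struct {
		Packages []json.RawMessage `json:"packages"`
		DevNames []string          `json:"dev-package-names"`
	}
	var pkgs []json.RawMessage
	// Composer 1 wrote a bare array; Composer 2 wraps it in an object.
	if json.Unmarshal(installed, &pkgs) != nil {
		if err := json.Unmarshal(installed, &v2); err != nil {
			return nil, fmt.Errorf("not an installed.json document: %w", err)
		}
		pkgs = v2.Packages
	}
	dev := map[string]bool{}
	for _, n := range v2.DevNames {
		dev[n] = true
	}
	out := map[string][]json.RawMessage{"packages": {}, "packages-dev": {}}
	for _, raw := range pkgs {
		var id struct{ Name, Version string }
		if err := json.Unmarshal(raw, &id); err != nil || id.Name == "" || id.Version == "" {
			return nil, fmt.Errorf("package entry without name and version")
		}
		key := "packages"
		if dev[id.Name] { // keep the dev/non-dev split a real lock file has
			key = "packages-dev"
		}
		out[key] = append(out[key], raw)
	}
	return json.MarshalIndent(out, "", "  ")
}

func main() {
	// Constructed Composer 2 sample, not taken from the issue.
	sample := `{"packages":[{"name":"acme/lib","version":"1.2.3"},{"name":"acme/test-tool","version":"v0.9.0"}],"dev-package-names":["acme/test-tool"]}`
	lock, err := installedToLock([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(lock))
}
```

The output can be saved as composer.lock and passed to a lock-file checker. Entries without a name or version are rejected rather than dropped silently, so a truncated file does not produce a clean-looking result.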