Composer Command Injection Vulnerability Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from
Git Clone Security Vulnerability On March 9th, the Git project published new releases for maintained branches to address security vulnerability CVE-2021-21300. We recommend you update your Git installation to a release containing the fix. On case-insensitive filesystems
composer Installing Composer Packages from Monorepos with Private Packagist A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share
packagist.org Deprecating Packagist.org support for Composer 1.x As you are hopefully aware by now, Composer 2.0 was released in late October 2020. We hinted in the release announcement that Composer 1.x was pretty much EOL and today I
composer Preventing Dependency Confusion in PHP with Composer Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" in which he explains how he used language level package managers like npm (Javascript)
composer PHP Versions Stats - 2020.2 Edition See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2, 2019.1, 2019.2 and 2020.1 for previous similar posts. A quick note on methodology, because all
Composer 2.0 is now available! 1/ What's new?The list of changes and improvements is long, check the complete changelog if you are interested in reading it all. I will highlight a few key points here. Performance improvementsWe
Security Monitoring for Composer Projects As of today Private Packagist automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by
Composer and default git branches Last week a lot of people decided to change their default branch name away from master to use more inclusive language in technology (read Scott Hanselman explain why and how). As we fielded
composer PHP Versions Stats - 2020.1 Edition See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2, 2019.1 and 2019.2 for previous similar posts. A quick note on methodology, because all these stats
composer Composer 2 Development Update Back in September 2018 we started working on a 2.0 branch for Composer. It took us a while to get there as we refactored, trying to bake in all the things we
Composer 1.10: composer fund You can now update Composer to 1.10 with the composer.phar self-update command. The full changelog for 1.10 is available on GitHub as usual, listing all the small new features and
composer PHP Versions Stats - 2019.2 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2 and 2019.1 for previous similar posts. A quick note on methodology, because all these
composer PHP Versions Stats - 2019.1 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1 and 2018.2 for previous similar posts. A quick note on methodology, because all these stats are
Private Packagist for Vendors If you're selling PHP packages, the easiest way to offer Composer package installation to your customers is now Private Packagist for Vendors. You get a unique URL and authentication token for each customer
packagist.org An Update on Packagist.org Hosting As we announced a bit over a week ago, we recently did some heavy server maintenance on the packagist.org website. I wanted to share some more details about the current infrastructure behind the website and how we got there.
Private Packagist for Agencies: Projects Today we're happy to present a new feature on Private Packagist: per-project Composer repositories with simplified permissions for agencies and other companies who manage multiple independent Composer projects which cannot share all packages.
composer PHP Versions Stats - 2018.2 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2 and 2018.1 for previous similar posts. A quick note on methodology, because all these stats are imperfect as
Private Packagist Synchronization How synchronization with GitHub, GitLab and Bitbucket automates the management of a Private Packagist organization and its Composer repository
Custom Package Definitions Would you like to use code in your project which is only available for download as a zip file but you’re managing dependencies with Composer? There are a few options to consider: the package repository type, creating your own Git repo to track the zip file’s state or the artifact repository type.
Tagged a new release for Composer and it won’t show up on Packagist? This is probably the most common support question we see both on Packagist.org and on Private Packagist: A Composer user tags a new library version but they cannot install it because it won’t show up on Packagist.
Private Packagist Enterprise Private Packagist as an on-premises product with integrations with GitHub Enterprise, Bitbucket Server / Stash and self-hosted GitLab
Meet us at a conference near you! We will be attending a number of conferences over the next months and hope to meet you there! If you’re already using Private Packagist we would love to hear your feedback! If you aren’t using Private Packagist yet, stop by to get a live demo and to get all your questions answered in person!
Bitbucket & GitLab Integration Synchronization is now available for Bitbucket and GitLab users! Please give it a try and send us your feedback, we’d love to better understand if it helps or how it could be made even more useful for you specifically.
Mirroring Composer Packages Redundancy and Dependency Integrity with Private PackagistWhen you first run Composer, you usually install some open-source dependencies from its default package archive packagist.org. Packagist.org is the public repository for all open-source
