Private Packagist

Packagist.org maintainer account takeover

What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

Composer 2.4 Release

Auditing dependencies for known security vulnerabilities Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring [https://blog.packagist.com/security-monitoring/] to notify customers

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5 [https://github.com/composer/composer/releases/tag/2.3.5], 2.2.12 [https://github.com/composer/composer/releases/tag/2.2.12], or 1.10.26 [https://github.com/composer/composer/releases/tag/1.10.26] (composer.phar self-update). The

Composer 2.3 Release

Modernizing Composer internals As announced in the 2.2 release notes [https://blog.packagist.com/composer-2-2/] , Composer 2.3 increases the required PHP version to >=7.2.5 and thus stops supporting PHP 5.3.2 - 7.2.4. The 2.2 LTS is still there for users stuck

Composer 2.2 Release

LTS / Long Term Support The 2.2 minor release is an LTS (Long Term Support) release. We will provide bugfixes for critical bugs and security issues until at least the end of 2023, and will then reassess based on remaining usage. The reason we are doing this is that after

composer

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. > We love it! With the Private Packagist Update

Sunsetting the PHP Version Stats Blog Series

Back in 2014 (a long time ago! PHP 5.6 was just released) I figured I actually had access to some interesting information on PHP usage in the Packagist.org logs. I wrote some shell commands to extract it and wrote the first blog post of the series [https://seld.

PHP Versions Stats - 2021.1 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.com/

Git Clone Security Vulnerability

On March 9th, the Git project published new releases [https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/] for maintained branches to address security vulnerability CVE-2021-21300 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300]. We recommend you update your Git installation to a release containing the fix.

composer

Installing Composer Packages from Monorepos with Private Packagist

A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages [https://en.wikipedia.org/wiki/Monorepo#Advantages] of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However,

packagist.org

Deprecating Packagist.org support for Composer 1.x

As you are hopefully aware by now, Composer 2.0 [https://getcomposer.org/2] was released in late October 2020. We hinted in the release announcement that Composer 1.x was pretty much EOL and today I want to expand a bit on the timeline we have in mind for

composer

Preventing Dependency Confusion in PHP with Composer

Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610] in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get companies to install and

composer

PHP Versions Stats - 2020.2 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

Composer 2.0 is now available!

1/ What's new? The list of changes and improvements is long, check the complete changelog [https://github.com/composer/composer/releases/tag/2.0.0] if you are interested in reading it all. I will highlight a few key points here. Performance improvements We overhauled pretty much everything from the

security

Security Monitoring for Composer Projects

As of today Private Packagist [https://packagist.com] automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your own choosing.

Composer and default git branches

Last week a lot of people decided to change their default branch name away from master to use more inclusive language in technology (read Scott Hanselman [https://www.hanselman.com/blog/EasilyRenameYourGitDefaultBranchFromMasterToMain.aspx] explain why and how). As we fielded questions from Composer package authors wondering what the impact would

composer

PHP Versions Stats - 2020.1 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

composer

Composer 2 Development Update

Back in September 2018 we started working on a 2.0 branch for Composer. It took us a while to get there as we refactored, trying to bake in all the things we learned maintaining the project since 2011. The funding from Private Packagist [https://packagist.com] subscriptions has provided

Composer 1.10: composer fund

You can now update Composer to 1.10 with the composer.phar self-update command. The full changelog for 1.10 is available on GitHub [https://github.com/composer/composer/releases/tag/1.10.0] as usual, listing all the small new features and bugfixes in this release. Composer 1.10

composer

PHP Versions Stats - 2019.2 Edition

It's stats o'clock! See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/

composer

PHP Versions Stats - 2019.1 Edition

It's stats o'clock! See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/

Private Packagist for Vendors

If you're selling PHP packages, the easiest way to offer Composer package installation to your customers is now Private Packagist for Vendors [https://packagist.com/vendors?utm_source=blog&utm_medium=link&utm_content=vendors] . You get a unique URL and authentication token for each customer and they can use

packagist.org

An Update on Packagist.org Hosting

As we announced a bit over a week ago, we recently did some heavy server maintenance on the packagist.org website. I wanted to share some more details about the current infrastructure behind the website and how we got there.

Private Packagist for Agencies: Projects

Today we're happy to present a new feature on Private Packagist [https://packagist.com/?utm_source=blog&utm_medium=link&utm_content=agencies]: per-project Composer repositories with simplified permissions for agencies and other companies who manage multiple independent Composer projects which cannot share all packages. We originally built Private Packagist