Nils Adermann - Private Packagist

Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a

composer

Composer 2.9.6 fixes Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176)

Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver, that also affected users without Perforce and not actively using the driver. CVE-2026-40261 was reported

opensourcepledge

Private Packagist 2025 contributions for the Open Source Pledge

This is now our third year as a member of the Open Source Pledge. Private Packagist subscriptions help fund not only the development of Composer and Packagist.org, but also the open source dependencies we rely on to build and run our commercial product. In 2025, we contributed a total

opensource

A Call for Sustainable Open Source Infrastructure

Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support. The

composer

Packagist.org shutdown of Composer 1.x support postponed to September 1st, 2025

With the deadline drawing near, we’d like to remind you that we are discontinuing Composer 1.x support on Packagist.org soon. We're extending our original timeline by one month to give teams additional preparation time to migrate. Composer 1.x metadata access will now shut down

opensource

The Reality of Funding Open Source

As the founder of Packagist Conductors, a small company with just eight employees, I've had a front-row seat to one of the most pressing challenges in software development today: sustainable open source funding. We found our own way to fund a major open source project, and managed to

opensourcepledge

Private Packagist is joining the Open Source Pledge

We're joining the Open Source Pledge because our business is built on and with open-source software. We will spend at least $2,000 per full-time developer on open-source projects and maintainers. Sentry launched this initiative after a $500,000 distribution across their open-source dependencies, and others followed. Sustainability

composer

Shutting down Packagist.org support for Composer 1.x

Composer 1.x has served the PHP community well, but with Composer 2.0 released four years ago in October 2020, it's time to move forward. As of today, more than 95% of Composer updates are using v2, benefiting from its significant improvements in performance, memory usage, and

composer

Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega

Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with

composer

Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation

Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases includes fixes for a code execution and possible privilege escalation via InstalledVersions.php or installed.php vulnerability (CVE-2024-24821) reported by Ed Cradock. The vulnerability does not impact packagist.org and Private

security

Packagist.org maintainer account takeover

What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of

Private Packagist

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.com/

security

Git Clone Security Vulnerability

On March 9th, the Git project published new releases [https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/] for maintained branches to address security vulnerability CVE-2021-21300 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300]. We recommend you update your Git installation to a release containing the fix.

Private Packagist

Installing Composer Packages from Monorepos with Private Packagist

A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish

composer

Preventing Dependency Confusion in PHP with Composer

Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610] in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get companies to

security

Security Monitoring for Composer Projects

As of today Private Packagist [https://packagist.com] automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your

Composer 1.10: composer fund

You can now update Composer to 1.10 with the composer.phar self-update command. The full changelog for 1.10 is available on GitHub [https://github.com/composer/composer/releases/tag/1.10.0] as usual, listing all the small new features and bugfixes in this release. Composer 1.10

Private Packagist for Vendors

If you're selling PHP packages, the easiest way to offer Composer package installation to your customers is now Private Packagist for Vendors [https://packagist.com/vendors?utm_source=blog&utm_medium=link&utm_content=vendors] . You get a unique URL and authentication token for each customer

Private Packagist for Agencies: Projects

Today we're happy to present a new feature on Private Packagist [https://packagist.com/?utm_source=blog&utm_medium=link&utm_content=agencies]: per-project Composer repositories with simplified permissions for agencies and other companies who manage multiple independent Composer projects which cannot share all packages. We

Private Packagist Synchronization

How synchronization with GitHub, GitLab and Bitbucket automates the management of a Private Packagist organization and its Composer repository

Custom Package Definitions

Would you like to use code in your project which is only available for download as a zip file but you’re managing dependencies with Composer? There are a few options to consider: the package repository type, creating your own Git repo to track the zip file’s state or the artifact repository type.

Tagged a new release for Composer and it won’t show up on Packagist?

This is probably the most common support question we see both on Packagist.org and on Private Packagist: A Composer user tags a new library version but they cannot install it because it won’t show up on Packagist.

Private Packagist Enterprise

Private Packagist as an on-premises product with integrations with GitHub Enterprise, Bitbucket Server / Stash and self-hosted GitLab