Nils Adermann - Private Packagist

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of

composer

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 12 hours of receiving the report

Git Clone Security Vulnerability

On March 9th, the Git project published new releases for maintained branches to address security vulnerability CVE-2021-21300. We recommend you update your Git installation to a release containing the fix. On case-insensitive filesystems with symbolic links (e.g. Windows/NTFS, or OS X/APFS) the vulnerability allows git repositories to

composer

Installing Composer Packages from Monorepos with Private Packagist

A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish one of

composer

Preventing Dependency Confusion in PHP with Composer

Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get companies to install and run his malicious code on their

security

Security Monitoring for Composer Projects

As of today Private Packagist automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your own choosing. This feature is

Composer 1.10: composer fund

You can now update Composer to 1.10 with the composer.phar self-update command. The full changelog for 1.10 is available on GitHub as usual, listing all the small new features and bugfixes in this release. Composer 1.10 ships with a new feature which matters a lot to

Private Packagist for Vendors

If you're selling PHP packages, the easiest way to offer Composer package installation to your customers is now Private Packagist for Vendors. You get a unique URL and authentication token for each customer and they can use these in their composer.json file to install your packages. Especially if you're

Private Packagist for Agencies: Projects

Today we're happy to present a new feature on Private Packagist: per-project Composer repositories with simplified permissions for agencies and other companies who manage multiple independent Composer projects which cannot share all packages. We originally built Private Packagist with product companies in mind who need an organization wide private Composer

Private Packagist Synchronization

How synchronization with GitHub, GitLab and Bitbucket automates the management of a Private Packagist organization and its Composer repository

Custom Package Definitions

Would you like to use code in your project which is only available for download as a zip file but you’re managing dependencies with Composer? There are a few options to consider: the package repository type, creating your own Git repo to track the zip file’s state or the artifact repository type.

Tagged a new release for Composer and it won’t show up on Packagist?

This is probably the most common support question we see both on Packagist.org and on Private Packagist: A Composer user tags a new library version but they cannot install it because it won’t show up on Packagist.

Private Packagist Enterprise

Private Packagist as an on-premises product with integrations with GitHub Enterprise, Bitbucket Server / Stash and self-hosted GitLab

Meet us at a conference near you!

We will be attending a number of conferences over the next months and hope to meet you there! If you’re already using Private Packagist we would love to hear your feedback! If you aren’t using Private Packagist yet, stop by to get a live demo and to get all your questions answered in person!

Bitbucket & GitLab Integration

Synchronization is now available for Bitbucket and GitLab users! Please give it a try and send us your feedback, we’d love to better understand if it helps or how it could be made even more useful for you specifically.

Mirroring Composer Packages

Redundancy and Dependency Integrity with Private PackagistWhen you first run Composer, you usually install some open-source dependencies from its default package archive packagist.org. Packagist.org is the public repository for all open-source PHP packages. So when you add an open-source dependency to your project Composer fetches its metadata, its

Mirroring Magento Marketplace Packages in Private Packagist

As of today Private Packagist supports mirroring Composer repositories which require authentication. This expands on the mirroring functionality we were already providing for Packagist.org and other open Composer repositories like Drupal’s or Wordpress’.

Private Packagist License Review

We’re excited to announce the availability of a new feature for Private Package that will help you understand and manage your dependencies better: License Review.

Introducing Private Packagist

We are extremely excited to announce our newest product addition to PHP dependency management: Private Packagist. A service designed to help businesses of any size use Composer more effectively and with greater confidence.