Private Packagist

Introducing: Update Review

Stephan Vock, Nils Adermann

4 min read

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost.

We love it! With the Private Packagist Update Review, we can quickly see what has changed in our lock file and not worry about unexpected consequences.

Rafael Dohms, Momentive

Code reviews are an important part of developing software in a team. While processes vary, the idea of having team members check code changes to find bugs, problems or security vulnerabilities is ubiquitous among software developers. At the same time third party dependencies often comprise a majority of a modern application's lines of code. And yet, reviewing changes to these dependencies is often neglected or skipped entirely.

Changes to dependencies introduced by a composer update can have inadvertent consequences. An upgrade of a dependency of a dependency may introduce unnoticed backward compatibility breaks, causing bugs in your application - at least, if any of the functionality wasn't covered by tests. A new package from an untrusted third party could be introduced by an updated version of a dependency, or through a mistake in the composer.json requirements.

All changes introduced by composer update are stored in the composer.lock file. So as long as you version it in your VCS repository, it can be reviewed. We recommend reviewing composer.lock changes carefully, just like you review source code. Especially in the context of supply chain security attacks, like "Preventing Dependency Confusion in PHP with Composer", we've pointed out the need to review lock file changes. You should also try to update less packages at a time but more frequently with partial updates to reduce the complexity and risk of individual updates.

But let’s not kid ourselves: reading composer.lock diffs is hard. They are long, hidden by default, and don’t show you enough context to fully understand what is happening. Private Packagist Update Review is here to change that! We post a human-readable summary of composer.lock changes on your pull requests and keep the comment updated to stay aligned with any changes.

Pull request comment example on GitHub

There are two sets of changes we detect: Package changes, namely additions, removals, upgrades, and downgrades; and important metadata changes including changes to the source and dist download URLs, as well as commit reference changes for unmodified version numbers. Making it easier to spot any unexpected changes before they get merged.

We provide direct links to code diffs between updated versions and relevant changelog entries extracted from the packages. So you have quick access to all the relevant information to determine if there may be problems you need to consider when reviewing the rest of the code changes. No need anymore to browse websites, search documentation files or look for changelog files in git repositories, we'll take care of that for you!

Screenshot of the changelog of the package bitbucket/client on Private Packagist

Customer Feedback

We'd like to thank all our beta testers for their valuable input and are looking forward to hearing from you about how the summary comment helped you in your daily work or any other feedback you might have! These are quotes from some of our valued customers and beta testers:

So far we've enjoyed using the feature and it simplifies a great deal the pull requests involving composer dependency updates. With 3 lines one can easily see what's actually changed in an otherwise hard to read change set.

Constantin Șerban-Rădoi, GetYourGuide
We are happy about the Private Packagist bot commenting to help us make sure we don’t accidentally commit dependency updates.
Additionally it gives us a great overview of the changes in the composer.lock in a human readable form.

Markus Staab, Complex
Finally, there is no need to manually parse the composer.lock file changes any more! Just read through the automatically generated comment and you know exactly what has been added / upgraded / downgraded / removed. Having direct links to the respective diff and changelog is quite handy as well to quickly check what is included in the respective change.

Simon Sprankel, CustomGento

Enabling Update Review

Update Review is automatically enabled for all VCS repositories that Private Packagist has access to through a synchronization with GitHub, Bitbucket and GitLab as well as GitHub Enterprise and self-managed GitLab.

Update Review comments are posted as soon as we get notified about a new pull request by a webhook. So the comment will be easy to find as one of the first items in the pull request. To make sure you don’t miss any edits, we post a new one-line comment every time we change the summary comment. You can disable one-line comments on the synchronization page in Private Packagist, if you prefer not to receive them. You can also fully disable the feature there.

At this point, only comments created via our GitHub app will be posted as the private-packagist bot that can be seen on the screenshot. In all other cases, the comments will be posted with the credentials used by the synchronization and therefore in the name of the user owning the credentials. A way to work around this, is to have a bot user on your platform and replace the credentials in Private Packagist with the credentials of that user.