security

Security Monitoring for Composer Projects

Nils Adermann

2 min read
Security Monitoring for Composer Projects

As of today Private Packagist automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your own choosing. This feature is available to all our customers at no additional cost.

When browsing your packages you will clearly see if any of them have open security issues you need to address. We provide you with a short description of the problem, as well as the CVE number and a link to additional information, if available. We additionally let you know which versions are safe to upgrade to and recommend specific safe versions you can upgrade to without BC breaks if the dependency follows semantic versioning.

Once you've committed the dependency upgrade to your composer.lock, Private Packagist automatically closes the security issue on your project. Alternatively you can manually close issues, for example if you were able to ascertain that the issue does not affect your project, or if you are going to address it in an upcoming release anyway.

You can optionally choose to receive weekly or monthly summaries to either remind you of open security issues or to simply keep track of any remaining work in securing your projects.

Packagist.org - Public Security Advisories API

Private Packagist subscriptions help fund our open-source development of Composer and Packagist.org. Security Monitoring is made possible with a new public security advisories API we added on our open-source package platform Packagist.org.

In this first version Packagist.org relies on the advisory database in https://github.com/FriendsOfPHP/security-advisories but we intend to aggregate additional sources, especially for specific frameworks and products with their own ecosystems. You can already view security issues in the Packagist.org user interface, for example https://packagist.org/packages/symfony/http-kernel/advisories. Vulnerable versions are highlighted with a red warning icon in the version list.

Setting up Security Monitoring

To start using Security Monitoring on your Private Packagist organization – if you don't have one yet, you can start a free trial! – simply make sure your projects with composer.lock files are added as regular packages. If you are using our synchronization with GitHub, Bitbucket or GitLab, this will happen automatically if your projects have a valid composer.json in the root directory. If you're not using synchronization or if you have multiple projects in one repository, go to the Packages tab and click on Add Package to add your project by URL.

We're looking forward to your feedback on this feature and hope to continue to improve Private Packagist as a reliable tool in your day to day development workflows.