composer Composer 2.10 Release We are excited to announce the release of Composer 2.10.0, introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of security advisories, abandoned packages, and now malware. Fast detection of malware for packages published on Packagist.org is provided by Aikido.
composer An update on Composer & Packagist supply chain security The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages
security Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced
composer Composer 2.9.6 fixes Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176) Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver, that also affected users without Perforce and not actively using the driver. CVE-2026-
composer Composer 2.9 Release We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating
opensource A Call for Sustainable Open Source Infrastructure Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support.
composer Packagist.org shutdown of Composer 1.x support postponed to September 1st, 2025 With the deadline drawing near, we’d like to remind you that we are discontinuing Composer 1.x support on Packagist.org soon. We're extending our original timeline by one month to give teams additional preparation time to migrate. Composer 1.x metadata access will now shut down
security Discover Security Advisories with Composer’s audit command Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your
composer Shutting down Packagist.org support for Composer 1.x Composer 1.x has served the PHP community well, but with Composer 2.0 released four years ago in October 2020, it's time to move forward. As of today, more than 95% of Composer updates are using v2, benefiting from its significant improvements in performance, memory usage, and
composer Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with
composer Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases includes fixes for a code execution and possible privilege escalation via InstalledVersions.php or installed.php vulnerability (CVE-2024-24821) reported by Ed Cradock. The vulnerability does not impact packagist.
composer Composer 2.4 Release Auditing dependencies for known security vulnerabilities Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring [https://blog.packagist.com/security-monitoring/] to notify
security CVE-2022-24828: Composer Command Injection Vulnerability Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within
composer Composer 2.3 Release Modernizing Composer internals As announced in the 2.2 release notes, Composer 2.3 increases the required PHP version to >=7.2.5 and thus stops supporting PHP 5.3.2 - 7.2.4. The 2.2 LTS is still there for users stuck on older PHP versions. This
composer Composer 2.2 Release LTS / Long Term Support The 2.2 minor release is an LTS (Long Term Support) release. We will provide bugfixes for critical bugs and security issues until at least the end of 2023, and will then reassess based on remaining usage. The reason we are doing this is that after
Private Packagist Introducing: Update Review As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update
security Composer Command Injection Vulnerability Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.
security Git Clone Security Vulnerability On March 9th, the Git project published new releases [https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/] for maintained branches to address security vulnerability CVE-2021-21300 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300]. We recommend you update your Git installation to
Private Packagist Installing Composer Packages from Monorepos with Private Packagist A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish
packagist.org Deprecating Packagist.org support for Composer 1.x As you are hopefully aware by now, Composer 2.0 [https://getcomposer.org/2] was released in late October 2020. We hinted in the release announcement that Composer 1.x was pretty much EOL and today I want to expand a bit on the timeline we have in mind for
composer Preventing Dependency Confusion in PHP with Composer Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610] in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get
composer PHP Versions Stats - 2020.2 Edition See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.
security Security Monitoring for Composer Projects As of today Private Packagist [https://packagist.com] automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your
composer PHP Versions Stats - 2020.1 Edition See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.
composer Composer 2 Development Update Back in September 2018 we started working on a 2.0 branch for Composer. It took us a while to get there as we refactored, trying to bake in all the things we learned maintaining the project since 2011. The funding from Private Packagist [https://packagist.com] subscriptions has provided
