packagist.org - Private Packagist

Discover Security Advisories with Composer’s audit command

Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your

composer

Shutting down Packagist.org support for Composer 1.x

Composer 1.x has served the PHP community well, but with Composer 2.0 released four years ago in October 2020, it's time to move forward. As of today, more than 95% of Composer updates are using v2, benefiting from its significant improvements in performance, memory usage, and

security

Packagist.org maintainer account takeover

What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.com/

Private Packagist

Installing Composer Packages from Monorepos with Private Packagist

A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish

packagist.org

Deprecating Packagist.org support for Composer 1.x

As you are hopefully aware by now, Composer 2.0 [https://getcomposer.org/2] was released in late October 2020. We hinted in the release announcement that Composer 1.x was pretty much EOL and today I want to expand a bit on the timeline we have in mind for

composer

Preventing Dependency Confusion in PHP with Composer

Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610] in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get companies to

composer

PHP Versions Stats - 2020.2 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

security

Security Monitoring for Composer Projects

As of today Private Packagist [https://packagist.com] automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your

composer

PHP Versions Stats - 2020.1 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

composer

PHP Versions Stats - 2019.2 Edition

It's stats o'clock! See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1

composer

PHP Versions Stats - 2019.1 Edition

It's stats o'clock! See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1

packagist.org

An Update on Packagist.org Hosting

As we announced a bit over a week ago, we recently did some heavy server maintenance on the packagist.org website. I wanted to share some more details about the current infrastructure behind the website and how we got there.

composer

PHP Versions Stats - 2018.2 Edition

It's stats o'clock! See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition] and 2018.