security CVE-2022-24828: Composer Command Injection Vulnerability Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of
security Composer Command Injection Vulnerability Please immediately update Composer to version 2.0.13 or 1.10.22 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2021-29472) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 12 hours of receiving the report
composer Installing Composer Packages from Monorepos with Private Packagist A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish one of
packagist.org Deprecating Packagist.org support for Composer 1.x As you are hopefully aware by now, Composer 2.0 was released in late October 2020. We hinted in the release announcement that Composer 1.x was pretty much EOL and today I want to expand a bit on the timeline we have in mind for the Packagist.org support
composer Preventing Dependency Confusion in PHP with Composer Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get companies to install and run his malicious code on their
composer PHP Versions Stats - 2020.2 Edition See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2, 2019.1, 2019.2 and 2020.1 for previous similar posts. A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look
security Security Monitoring for Composer Projects As of today Private Packagist automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your own choosing. This feature is
composer PHP Versions Stats - 2020.1 Edition See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2, 2019.1 and 2019.2 for previous similar posts. A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the
composer PHP Versions Stats - 2019.2 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1, 2018.2 and 2019.1 for previous similar posts. A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in
composer PHP Versions Stats - 2019.1 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2, 2018.1 and 2018.2 for previous similar posts. A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.
packagist.org An Update on Packagist.org Hosting As we announced a bit over a week ago, we recently did some heavy server maintenance on the packagist.org website. I wanted to share some more details about the current infrastructure behind the website and how we got there.
composer PHP Versions Stats - 2018.2 Edition It's stats o'clock! See 2014, 2015, 2016.1, 2016.2, 2017.1, 2017.2 and 2018.1 for previous similar posts. A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs
