supplychain Restricting Composer plugins across your organization This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, blocking malware downloads for every Composer version, and enforcing a safe Composer version across your organization. Composer plugins are a powerful
supplychain Enforce a safe Composer version across your organization This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, and blocking malware downloads for every Composer version. While the protections we have shipped try their best to cover older Composer
supplychain Blocking malware downloads for every Composer version in Private Packagist This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, and the recent post on closing Composer's download fallback paths. Composer 2.10's dependency policy framework is a substantial step forward for PHP supply
supplychain Closing Composer's download fallback paths in Private Packagist This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer&
changelog What's new in Private Packagist, May 2026 Update Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most notable changes. Support for malware filter lists We've added support for malware filter lists to help
Private Packagist Bitbucket deprecated App Passwords Bitbucket announced that they deprecated app passwords in favor of their new API token system. This change affects organizations using Private Packagist with Bitbucket Cloud (bitbucket.org) workspace synchronizations. Bitbucket app passwords will stop working entirely on June 9th, 2026. Bitbucket's app passwords provided limited functionality and security
Private Packagist Working with Amasty's new Project-Based Access Keys Amasty recently announced that starting January 1, 2026, they will be discontinuing global Composer access keys generated in the "Products" tab of customer accounts. Instead, they're moving to project-specific access keys that provide better security and cleaner dependency management by tying Composer access directly to
changelog What’s New in Private Packagist, February 2025 Update While we’re also putting the final touches on Conductor, our team has shipped regular updates and improvements to Private Packagist. We’ll share some significant changes we've made to Private Packagist over the past few months. Support for PIE We've introduced support for php-ext
security Discover Security Advisories with Composer’s audit command Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your
opensourcepledge Private Packagist is joining the Open Source Pledge We're joining the Open Source Pledge because our business is built on and with open-source software. We will spend at least $2,000 per full-time developer on open-source projects and maintainers. Sentry launched this initiative after a $500,000 distribution across their open-source dependencies,
security CVE-2022-24828: Composer Command Injection Vulnerability Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within
Private Packagist Introducing: Update Review As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update
Private Packagist Installing Composer Packages from Monorepos with Private Packagist A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish
