Private Packagist - Private Packagist

Closing Composer's Download Fallback Paths in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer&

changelog

What's New in Private Packagist, May 2026 Update

Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most notable changes. Support for Malware Filter Lists We've added support for malware filter lists to help

Private Packagist

Bitbucket deprecated App Passwords

Bitbucket announced that they deprecated app passwords in favor of their new API token system. This change affects organizations using Private Packagist with Bitbucket Cloud (bitbucket.org) workspace synchronizations. Bitbucket app passwords will stop working entirely on June 9th, 2026. Bitbucket's app passwords provided limited functionality and security

Private Packagist

Working with Amasty's new Project-Based Access Keys

Amasty recently announced that starting January 1, 2026, they will be discontinuing global Composer access keys generated in the "Products" tab of customer accounts. Instead, they're moving to project-specific access keys that provide better security and cleaner dependency management by tying Composer access directly to individual

changelog

What’s New in Private Packagist, February 2025 Update

While we’re also putting the final touches on Conductor, our team has shipped regular updates and improvements to Private Packagist. We’ll share some significant changes we've made to Private Packagist over the past few months. Support for PIE We've introduced support for php-ext metadata,

security

Discover Security Advisories with Composer’s audit command

Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your

opensourcepledge

Private Packagist is joining the Open Source Pledge

We're joining the Open Source Pledge because our business is built on and with open-source software. We will spend at least $2,000 per full-time developer on open-source projects and maintainers. Sentry launched this initiative after a $500,000 distribution across their open-source dependencies, and others followed. Sustainability

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of

Private Packagist

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update

Private Packagist

Installing Composer Packages from Monorepos with Private Packagist

A monorepo is a single repository that stores the source code of several or all packages of an organization. One of the biggest advantages of using monorepos is that it's easier to share and reuse code across multiple packages inside the monorepo. However, when you want to publish