security - Private Packagist

Restricting Composer plugins across your organization

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, blocking malware downloads for every Composer version, and enforcing a safe Composer version across your organization. Composer plugins are a powerful

supplychain

Enforce a safe Composer version across your organization

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, and blocking malware downloads for every Composer version. While the protections we have shipped try their best to cover older Composer

supplychain

Blocking malware downloads for every Composer version in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, and the recent post on closing Composer's download fallback paths. Composer 2.10's dependency policy framework is a substantial step forward for PHP supply

supplychain

Closing Composer's download fallback paths in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer&

composer

Composer 2.10 Release

We are excited to announce the release of Composer 2.10.0, introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of security advisories, abandoned packages, and now malware. Fast detection of malware for packages published on Packagist.org is provided by Aikido.

composer

An update on Composer & Packagist supply chain security

The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages

security

Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced

composer

Composer 2.9.6 fixes Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176)

Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver, that also affected users without Perforce and not actively using the driver. CVE-2026-

opensource

Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org

The release of Composer 2.9 this week introduced new security features on the Composer CLI client, which were funded by Private Packagist through service subscriptions. But in parallel, we are working on security on the main PHP package repository at Packagist.org with additional funding from the Sovereign Tech

composer

Composer 2.9 Release

We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating

security

Discover Security Advisories with Composer’s audit command

Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your

composer

Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega

Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with

composer

Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation

Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases includes fixes for a code execution and possible privilege escalation via InstalledVersions.php or installed.php vulnerability (CVE-2024-24821) reported by Ed Cradock. The vulnerability does not impact packagist.

security

Packagist.org maintainer account takeover

What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

composer

Composer 2.4 Release

Auditing dependencies for known security vulnerabilities Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring [https://blog.packagist.com/security-monitoring/] to notify

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within

Private Packagist

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.

security

Git Clone Security Vulnerability

On March 9th, the Git project published new releases [https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/] for maintained branches to address security vulnerability CVE-2021-21300 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300]. We recommend you update your Git installation to

composer

Preventing Dependency Confusion in PHP with Composer

Alex Birsan recently published his article "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610] in which he explains how he used language level package managers like npm (Javascript), pip (Python), and gems (Ruby) to get

security

Security Monitoring for Composer Projects

As of today Private Packagist [https://packagist.com] automatically keeps track of security vulnerabilities in your Composer project dependencies. When we notice you are using a vulnerable version of a dependency we'll alert you either by email, on Slack, on Microsoft Teams, or through a webhook of your