What’s New in Private Packagist, August Update

We've been busy improving Private Packagist over the past few months with a focus on package discovery, user experience improvements, and improved security monitoring tools. Here are the most significant updates that will make your daily workflow smoother and more secure.

Better Package Discovery and Management

We've introduced a new usage tracking feature that helps you understand package dependencies better. Each package page now includes a link to a Usages page that lists all packages with committed lock files that depend on the current package. This makes it easier to see how your dependencies are used across your packages and projects. With this information you can, for example, identify and update projects that are still using a version of an open-source package which no longer receives updates, or an old internal library you want to phase out.

We've also improved the package creation process by adding better validation and clearer error messages when handling packages with duplicate names or URLs. Previously, the process would indicate that the action succeeded, while nothing actually happened and the original package remained in place. It’s also no longer possible to create a package from multiple uploaded files whose composer.json files declare different names, to avoid renaming artifact packages by accident.

Enhanced Security Monitoring Features

Security monitoring received improvements to help you stay on top of vulnerabilities efficiently. Email notifications about security issues now include direct links to security advisories and CVE reports where available, and the API now returns the severity in the response when you retrieve security advisory information. We also fixed a recently introduced bug so that, for packages mirrored from packagist.org, the available versions that resolve an open security issue are shown again.

Improved GitLab Integration

GitLab users will benefit from our new automatic token rotation feature. For GitLab versions 17.9.0 and above, Private Packagist now automatically rotates access tokens before they expire, eliminating the need for manual intervention and preventing service interruptions. Each rotation is logged in your organization log for full transparency.
We've also fixed compatibility issues with GitLab's new token format, ensuring seamless integration regardless of which token format you're using.

Conductor

We keep refining Conductor based on user feedback and we’ve added a lot of great new features. You can now add custom labels to each glob pattern group, which are then used in task and pull request titles. We’ve made the update frequency configurable for each group to control how often pull requests are opened. Furthermore, you also benefit from smarter task handling: instead of closing the pull request and opening a new one, Conductor now updates the existing pull request when new updates become available for the task. We are gradually rolling out Conductor to additional users, and you can still join the waitlist!

Update Review

Update Review has received several improvements to make code reviews more effective. We've fixed the diff links for Bitbucket, GitHub, and GitLab, ensuring they work correctly even when git tags don't match the version specified in composer.json files. Bitbucket comments containing multiple tables now render without breaking the layout, making it easier to review complex dependency updates.

These updates represent just a selection of the improvements we've made. For a complete list of all changes and bug fixes from the past few months, including additional improvements to the user interface and API functionality, please check our complete changelog.