What’s New in Private Packagist, February Update

While we put the final touches on Conductor, our team has also been shipping regular updates and improvements to Private Packagist. Here are the most significant changes we've made to Private Packagist over the past few months.

Support for PIE

We've introduced support for php-ext metadata, which is utilized by the PHP Installer for Extensions (PIE). PIE allows you to install PHP extensions directly from Packagist repositories. This change makes it possible to use your Private Packagist repositories for managing PHP extensions as well, just as you would any regular Composer package.

Organization Setup Progress

When you create a new organization, we now show you the instructions to set up your organization, along with your setup progress. You can always hide this information and access it again from within your organization settings page.

Streamlined GitHub Integration

We've made substantial improvements to our GitHub integration capabilities. Organizations can now reuse the GitHub App across multiple Private Packagist organizations and suborganizations without requiring separate personal access tokens. This update simplifies the setup process and provides better integration management across your organizations.

Furthermore, Private Packagist now supports GitHub's new organization roles to determine team and user access permissions, offering more granular control over repository access.

Security Updates and Notifications

We've improved our security notification system to provide more detailed information about security vulnerabilities. The security issues list now includes direct links to affected dependencies, making it easier to identify and address potential security concerns.

Subrepositories were renamed to Suborganizations

To make our terminology clearer, we've renamed Private Packagist subrepositories to suborganizations. All of our pricing plans include unlimited VCS/Git repositories but limit the number of suborganizations, and we regularly had to answer questions about what the old term meant. We hope the new name makes it clearer what suborganizations are: they are usually used by agencies to separate the packages accessible to different clients.

We've also improved the organization statistics shown on the organization overview page by implementing precalculation, resulting in significantly faster page load times. The members count in the organization overview now also includes members of the billing team, and the teams count excludes empty suborganization collaborator teams.

API Improvements

All package and suborganization package endpoints now accept the package ID as well as the package name. Previously, these endpoints only accepted the package name. This makes it possible to correctly remove duplicated packages that share the same name.

Security Enhancements

Security remains our top priority. To further strengthen our security measures, we've implemented immediate invalidation of MFA codes after use. A TOTP code is normally valid for a short time window; previously it could be submitted more than once within that window, and it is now rejected as soon as it has been accepted once. We have contributed our changes upstream to the Spomky-Labs/otphp package as well, so check those out if you rely on the same TOTP implementation! Thanks are due to Abhishrey Gupta for reporting this issue through our bug bounty program.
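The single-use rule described above, as an added example that is not code from Private Packagist or from the Spomky-Labs/otphp package: a minimal RFC 6238 TOTP implementation on top of the Python standard library, plus a verifier that remembers the highest time-step counter it has already accepted for each user and refuses that counter, and any older one, a second time. The secret is the RFC 6238 reference secret, and the user ids and timestamps are constructed test values.

```python
"""Time-based one-time passwords (RFC 6238) with single-use enforcement.

Added example, not Private Packagist's or otphp's code. It shows the
mechanism the post describes: once a TOTP code has been accepted it is
invalidated immediately, so the same code cannot be replayed inside its
30-second validity window. The secret is the RFC 6238 reference secret;
user ids and timestamps are constructed test values.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Verifies TOTP codes and never accepts the same time step twice for a user."""

    def __init__(self, step: int = 30, digits: int = 6, leeway: int = 1):
        self.step = step
        self.digits = digits
        self.leeway = leeway                        # tolerated clock drift, in steps either side
        self._last_counter: Dict[str, int] = {}     # user -> highest counter already consumed

    def verify(self, user: str, secret: bytes, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        current = at // self.step
        last_used = self._last_counter.get(user, -1)
        for counter in range(current - self.leeway, current + self.leeway + 1):
            # A counter at or below the last consumed one is never valid again,
            # even though its code still matches: this is the replay guard.
            if counter <= last_used:
                continue
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter  # consume this step immediately
                return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through: first use succeeds, replay in the same window fails."""
    secret = b"12345678901234567890"  # RFC 6238 reference secret, used as constructed test data
    verifier = TotpVerifier()
    code = totp(secret, 59)           # "287082" per the RFC 6238 test vectors
    return {
        "first_use": verifier.verify("alice", secret, code, at=59),    # True
        "replay": verifier.verify("alice", secret, code, at=70),       # False: same step, already consumed
        "other_user": verifier.verify("bob", secret, code, at=70),     # True: counters are tracked per user
    }


if __name__ == "__main__":
    print(demo())
```

Storing the highest accepted counter, rather than a set of used codes, means that after a code from the current step has been accepted, a still-matching code from the previous step is also rejected; that is deliberate, since the drift leeway exists for honest clocks, not for second submissions. In a real deployment the per-user counter lives in the same store as the user's secret, so it survives restarts and is shared across application servers.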

We've fixed a security vulnerability in accepting email invitations to organizations that did not synchronize teams with GitHub, Bitbucket or GitLab. An attacker who held a legitimate invitation to one team in an organization and correctly guessed the id of another team in the same organization could potentially have gained access to that other team. Thanks go to Mohab Mohamed who reported this issue to us through our bug bounty program.
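The general lesson of that report, as an added illustration that is not Private Packagist's code and does not reproduce their implementation: the team an invitation grants must come from the server-side invitation record that the token resolves to, never from an id the client sends along with the acceptance, and each invitation token must be consumed on first use. The two acceptance functions below contrast the unsafe pattern with the hardened one; organization, team and email values are constructed test data.

```python
"""Accepting an organization invitation without trusting a client-supplied team id.

Added example, not Private Packagist's code. `accept_insecure` illustrates the
vulnerable class (authorization decided by a parameter under the caller's
control); `accept` binds the granted team to the stored invitation and makes
the token single-use. All names and values are constructed test data.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Membership = Tuple[str, str, str]  # (email, organization, team)


@dataclass
class Invitation:
    token: str
    email: str
    organization: str
    team: str            # the only team this invitation may ever grant
    accepted: bool = False


class InvitationStore:
    """In-memory stand-in for the invitations table."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Invitation] = {}

    def create(self, email: str, organization: str, team: str) -> Invitation:
        # 256 bits of randomness: the token itself is not guessable, the team id is
        inv = Invitation(secrets.token_urlsafe(32), email, organization, team)
        self._by_token[inv.token] = inv
        return inv

    def lookup(self, token: str) -> Optional[Invitation]:
        return self._by_token.get(token)


def accept_insecure(store: InvitationStore, token: str, requested_team: str,
                    memberships: Set[Membership]) -> bool:
    """Vulnerable pattern: the token proves the invite exists, but the team is
    taken from the request, so any guessable team id in the organization works."""
    inv = store.lookup(token)
    if inv is None or inv.accepted:
        return False
    inv.accepted = True
    memberships.add((inv.email, inv.organization, requested_team))  # trusts the caller
    return True


def accept(store: InvitationStore, token: str, memberships: Set[Membership]) -> bool:
    """Hardened: the team is read from the invitation record and the token is
    consumed, so a second acceptance (or a different team) is impossible."""
    inv = store.lookup(token)
    if inv is None or inv.accepted:
        return False
    inv.accepted = True                                            # single use
    memberships.add((inv.email, inv.organization, inv.team))       # server-side binding
    return True


def demo() -> Dict[str, object]:
    """Constructed scenario: one invite to 'team-clients', acceptance asks for 'team-admins'."""
    store = InvitationStore()
    insecure_memberships: Set[Membership] = set()
    hardened_memberships: Set[Membership] = set()

    inv1 = store.create("mallory@example.com", "acme", "team-clients")
    accept_insecure(store, inv1.token, "team-admins", insecure_memberships)

    inv2 = store.create("mallory@example.com", "acme", "team-clients")
    first = accept(store, inv2.token, hardened_memberships)
    replay = accept(store, inv2.token, hardened_memberships)

    return {
        "insecure_grants": sorted(insecure_memberships),  # lands in team-admins
        "hardened_grants": sorted(hardened_memberships),  # lands only in team-clients
        "first_accept": first,                            # True
        "replay_accept": replay,                          # False
    }


if __name__ == "__main__":
    print(demo())
```

The hardened function has no team parameter at all, which is the simplest way to make the mistake impossible to reintroduce: the HTTP handler that calls it receives only the token.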

What Else is New?

We’ve listed the most important changes here, but if you are looking for the full list of all changes and bug fixes, please take a look at our changelog.

If you have any questions or want to learn more about specific features, feel free to reach out to our support team at any time!