What's New in Private Packagist, May 2026 Update
Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most notable changes.
Support for Malware Filter Lists
We've added support for malware filter lists to help protect your projects from compromised dependencies. Packages with versions flagged as malware now display a warning banner on the package page, and individual flagged versions are clearly marked in the version list so you can quickly identify which releases to avoid.
When using Composer 2.10 (scheduled to be released within the next week) or newer, composer audit will report these flagged versions, and composer update will automatically exclude them. This complements our Security Monitoring feature, which focuses on vulnerable package versions, with tooling that prevents malicious package versions published by bad actors from making their way into your projects.
Improved Visibility Into Package Permissions
Understanding who has access to which packages is essential for maintaining a secure organization. Package pages now include a new Permissions tab that shows exactly which teams in the organization have access to that particular package. This makes it much easier to audit access at a glance, without having to navigate through team configurations to piece together the picture.

Better Visibility Into Background Jobs and Synchronization Activity
We’ve overhauled background job progress tracking to provide more visibility into what’s happening behind the scenes in your organization. You can now see how many jobs are running concurrently, along with more details on ongoing work. Synchronization progress now covers the initialization phases of new packages and the discovery of new versions, so you get a complete picture rather than having to wait an unclear amount of time after synchronization to get access to all updated data.
GitLab Integration Improvements
We've reduced the permissions Private Packagist requests during GitLab OAuth login. Both OAuth login and newly created GitLab integrations now require only the read_api scope instead of the full api scope. The read_api scope wasn't yet available when our GitLab integration was initially built. This change significantly limits the access Private Packagist needs to your GitLab account. Existing GitLab integrations can opt in to these reduced scopes by first updating the allowed scopes in the GitLab OAuth application, then ticking the checkbox on the integration edit page in Private Packagist.
Security Hardening and Vulnerability Fixes
Security remains our top priority, and we've shipped several important improvements in this area. The most notable change was the fix for the Perforce driver command injection vulnerability (CVE-2026-40261), which you can read about in detail in our blog post from April 2026.
What Else Is New?
We've listed the most important changes here, but if you are looking for the full list of all changes and bug fixes, please take a look at our complete changelog.
If you have any questions or want to learn more about specific features, feel free to reach out to our support team at any time!