What’s New in Private Packagist, May Update
Private Packagist has been evolving steadily over the past three months with a focus on API improvements, enhanced security, and refined user experience. Let's dive into the significant updates that have been introduced since February.
API Improvements
Our API credentials have undergone a comprehensive overhaul, with the standout feature being the ability to create API credentials with expiration dates. This allows for temporary access grants that automatically deactivate after a specified period, reducing the risk associated with long-lived credentials. We've also introduced a new credential format with distinct prefixes (packagist_ack_ for API keys and packagist_acs_ for secrets), so that leaked credentials can be recognized by automatic secret scanning. Credential creation is now rate-limited to prevent abuse, and changes to API credentials are now recorded in the organization log. Additionally, the API now returns data like the creation dates of suborganizations, providing better visibility into your organization structure.
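The prefixes are what make the new credentials detectable before they reach a repository or a log. Below is an added example (not code from the original post or from Private Packagist) of a small pre-commit style scanner keyed on those prefixes. The post documents only the prefixes, so the assumed body format (an alphanumeric string of at least 20 characters), the sample input and all names are this example's own assumptions.

```python
import re

# Constructed sample input, not taken from the original post: lines such as a
# scanner might see in a config file or a commit diff. The credential bodies
# are made up.
SAMPLE_TEXT = """\
# deployment environment
PACKAGIST_API_KEY=packagist_ack_a1b2c3d4e5f6g7h8i9j0k1l2m3n4
PACKAGIST_API_SECRET="packagist_acs_ZYXWVUTSRQPONMLKJIHGFEDCBA9876"
GITHUB_TOKEN=ghp_exampleNotAPackagistCredential000
note = "the prefix packagist_ack_ alone is not a credential"
"""

# Assumption: only the prefixes are documented. The body is assumed here to be
# an alphanumeric string of at least 20 characters; adjust if the real format
# turns out to differ. The lookarounds stop the pattern matching inside a
# longer identifier.
PACKAGIST_CREDENTIAL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(packagist_ac[ks]_)([A-Za-z0-9]{20,})(?![A-Za-z0-9])"
)

KIND_BY_PREFIX = {"packagist_ack_": "api_key", "packagist_acs_": "secret"}


def redact(prefix, body):
    """Keep the prefix and a short tail so a finding can be correlated with a
    credential without reproducing the whole value in a CI log."""
    return prefix + "*" * (len(body) - 4) + body[-4:]


def scan(text):
    """Return one finding per credential-looking token, with line number,
    kind (api_key or secret) and a redacted form."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PACKAGIST_CREDENTIAL_RE.finditer(line):
            prefix, body = match.group(1), match.group(2)
            findings.append({
                "line": lineno,
                "kind": KIND_BY_PREFIX[prefix],
                "redacted": redact(prefix, body),
            })
    return findings


def check(text):
    """CI-style entry point: print redacted findings and return True only
    when the text contains no credential-looking token."""
    findings = scan(text)
    for f in findings:
        print(f"line {f['line']}: possible Private Packagist {f['kind']} {f['redacted']}")
    return not findings


if __name__ == "__main__":
    raise SystemExit(0 if check(SAMPLE_TEXT) else 1)
```

Run it over staged files from a pre-commit hook or a CI job; a non-zero exit blocks the commit. A credential that was already committed should be treated as compromised and replaced, and giving the replacement an expiration date limits how long a future leak would matter.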
Enhanced Security Features
We've implemented several security enhancements to fortify your organization's package management infrastructure. Account protection has been our primary focus, with stronger user account security now requiring password confirmation when adding email addresses and mandating verification of non-primary emails before they can be used for login. We've also improved session management by changing the session ID when users change sensitive information like passwords, usernames, or email addresses. To prevent interruptions, the currently active session is automatically migrated to the new ID. Rotating the ID means a previously captured session identifier stops working as soon as the account's sensitive data changes, which narrows the window for session hijacking.
Conductor
We continue to make great progress on Conductor. We’ve rolled it out to additional users, but you can still join the waitlist! We introduced a first set of configuration options, allowing you to override the default dependency grouping behavior and to select which dependencies should not be updated automatically. Updates that include composer.json modifications are now also scheduled for dependencies with pinned version constraints in the composer.json file. Additionally, when Conductor closes a pull request, it now adds a comment explaining why.
User Experience Enhancements
We've refined the Private Packagist interface to improve daily usability, starting with replacing the user profile link in the top navigation with an intuitive avatar dropdown menu that better organizes user-related functions. We have also introduced a side navigation on the profile pages to make navigation between the different sections easier.
Notification System Refinements
Notification channels allow you to stay in the loop about new package releases, security advisories in your dependencies and when any of your packages get abandoned. To reduce unwanted noise, release notifications for new packages can now be configured to exclude any abandoned and renamed packages, helping you stay focused on what matters to you.
Mirrored Repository Permission & Access Control Improvements
Managing permissions across complex organizational structures is now more straightforward. Mirrored repositories that are shared across suborganizations now have stricter access controls if they are in use at the organization level. Only organization owners, admins, and users with mirrored repository management permissions on the organization level will be able to edit the mirrored repositories. Mirrored repositories that are disabled on the organization level can still be edited by suborganization admins, as long as they have admin permissions in all suborganizations to which the mirrored repository is assigned. This change ensures that critical package sources remain protected and prevents accidental changes by suborganization members to shared mirrored repositories that affect the entire organization.
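To make the rule above concrete, here is an added example (not code from the original post or from Private Packagist) that models it as a single authorization function and evaluates it over a constructed organization. The role names, the user and repository names, and two details the post does not spell out are assumptions: that organization-level editors keep their edit rights when a repository is disabled at the organization level, and that a repository assigned to no suborganization cannot be edited through suborganization rights at all.

```python
from dataclasses import dataclass

# Organization-level roles that may edit a shared mirrored repository that is
# in use at the organization level, as described in the post. Role names are
# this example's own.
ORG_LEVEL_EDIT_ROLES = frozenset({"owner", "admin", "manage_mirrored_repositories"})


@dataclass
class User:
    name: str
    org_roles: frozenset = frozenset()        # roles held at the organization level
    suborg_admin_of: frozenset = frozenset()  # suborganizations where the user is admin


@dataclass
class MirroredRepository:
    name: str
    enabled_at_org_level: bool
    assigned_suborgs: frozenset  # suborganizations the repository is assigned to


def can_edit_mirrored_repository(user, repo):
    """Model of the rule from the post.

    Organization-level editors always pass (assumption: this also holds when
    the repository is disabled at the organization level). Anyone else may
    edit only if the repository is disabled at the organization level and
    they are admin in every suborganization it is assigned to.
    """
    if user.org_roles & ORG_LEVEL_EDIT_ROLES:
        return True
    if repo.enabled_at_org_level:
        return False
    # Assumption: with no assigned suborganization there is nobody whose
    # suborganization admin rights could cover the repository.
    if not repo.assigned_suborgs:
        return False
    return repo.assigned_suborgs <= user.suborg_admin_of


# Constructed scenario (not from the post): one organization with two
# suborganizations, "web" and "mobile", and three users.
ALICE = User("alice", org_roles=frozenset({"owner"}))
BOB = User("bob", suborg_admin_of=frozenset({"web", "mobile"}))
CAROL = User("carol", suborg_admin_of=frozenset({"web"}))

SHARED_ENABLED = MirroredRepository("github-mirror", True, frozenset({"web", "mobile"}))
SHARED_DISABLED = MirroredRepository("legacy-mirror", False, frozenset({"web", "mobile"}))


def decision_table():
    """Return who may edit which repository, keyed by (user name, repository name)."""
    return {
        (u.name, r.name): can_edit_mirrored_repository(u, r)
        for u in (ALICE, BOB, CAROL)
        for r in (SHARED_ENABLED, SHARED_DISABLED)
    }


if __name__ == "__main__":
    for (user, repo), allowed in decision_table().items():
        print(f"{user:6} {repo:14} {'edit' if allowed else 'denied'}")
```

The useful property to check is the one in the last case: Carol is admin of "web", which uses legacy-mirror, yet she cannot edit it because the same repository also feeds "mobile". Requiring admin rights in all assigned suborganizations is what stops one suborganization's admin from changing a source that other suborganizations depend on.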
Performance Optimizations
We've made significant performance improvements to ensure Private Packagist keeps running smoothly for organizations of all sizes. Users with access to over 1000 packages will notice that the page for a single package now loads significantly faster. Extracting changelog information from GitHub/GitLab releases for packages in multi-package repositories now happens only once, which prevents the API rate limit issues that previously affected large repositories and delayed updates to package information.
What Else is New?
We’ve listed the most important changes here, but if you are looking for the full list of all changes and bug fixes, please take a look at our changelog.
If you have any questions or want to learn more about specific features, feel free to reach out to our support team at any time!