The Composer CLI is part of your supply chain. Older versions miss the protections shipped in 2.10 (dependency policies, malware feed integration, source fallback off by default) and carry known client-side CVEs.

Private Packagist customers can now enforce which Composer client versions are allowed to talk to their Composer repository, with a clear upgrade message shown in the developer's terminal when an outdated client tries to connect.

https://blog.packagist.com/enforce-a-safe-composer-version-across-your-organization/
#php #phpc #composerphp

Enforce a Safe Composer Version Across Your Organization

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, and blocking malware downloads for every Composer version. While the protections we have shipped try their best to cover older Composer versions too,

Private Packagist

⛔ Composer dependency policies block flagged malware by default, but only on 2.10. A project disabling the policy, or a CI image running Composer 2.4, still installs flagged versions normally until we can manually pull it from Packagist.

Private Packagist now refuses to serve dist files for malware-flagged versions at the repository level, regardless of the Composer version requesting them. Enabled by default for new and existing organizations.

https://blog.packagist.com/blocking-malware-downloads-for-every-composer-version-in-private-packagist/

#php #phpc #composerphp

Blocking Malware Downloads for Every Composer Version in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, and the recent post on closing Composer's download fallback paths. Composer 2.10's dependency policy framework is a substantial step forward for PHP supply chain security. It removes

Private Packagist
🛡️ Blog: How Composer's download fallback behavior can silently override security decisions at the repository side, and what we are doing about it.

If Private Packagist refuses to serve a malware-flagged version, Composer can fall back to the original GitHub URL, or even clone from source. Two new Private Packagist options close both fallback paths, regardless of the Composer version your developers and CI happen to be running.

https://blog.packagist.com/closing-composers-download-fallback-paths-in-private-packagist/

#php #phpc #composerphp

Closing Composer's Download Fallback Paths in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer's

Private Packagist

📦 Composer 2.10 is out today.

Native malware filtering, powered by an Aikido feed and enabled by default for everyone installing from Packagist. The new unified config.policy framework consolidates handling of malware, security advisories, and abandoned packages, and also lets organizations plug in their own custom policies.
Source fallback is now deprecated, and there's wildcard support in composer update --with.

https://blog.packagist.com/composer-2-10-release/

#php #phpc #composerphp

Composer 2.10 Release

We are excited to announce the release of Composer 2.10.0, introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of security advisories, abandoned packages, and now malware. Fast detection of malware for packages published on Packagist.org is provided by Aikido. This

Private Packagist

🔒 An update on Composer & Packagist supply chain security:

Covering what's in place today, what ships this week with Composer 2.10 (dependency policies, stable version immutability), what's coming next (mandatory MFA, minimum-release-age policy, organizational package ownership), and the long-term direction toward immutable artifacts with SLSA provenance and sigstore attestations.

If you maintain PHP packages, please enable MFA now.

https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
#php #phpc #composerphp

An Update on Composer & Packagist Supply Chain Security

The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had

Private Packagist

Running #Composer with `--no-plugins --no-scripts` is not "safe enough" against compromised tag re-targeting.

A malicious update could introduce an "autoload.files" entry in composer.json, allowing malicious code to be automatically executed.

https://github.com/composer/composer/issues/12879

#PHP #ComposerPHP

Support semantic version constraints with immutable commit pinning · Issue #12879 · composer/composer

Is your feature request related to a problem? Please describe. Composer currently supports commit pinning only for development branches, for example: "vendor/package": "dev-main#a1b2c3d4" However, ...

GitHub

#Composer currently supports locking a branch to a specific commit:

`dev-main#a1b2c3d4`

However, it does not support combining a semantic version constraint with a specific immutable commit SHA:

`^1.2.3#a1b2c3d4`

Would Composer consider adding support for dependency constraints that combine a semantic version with an immutable commit SHA?

- Protect users from malicious/compromised tag re-targeting

- Ensure a tagged release resolves to an expected immutable commit or fail

#PHP #ComposerPHP
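The two posts above describe what a defender would want to catch: a dependency update that silently adds an "autoload.files" entry, and a tag that now resolves to a different commit than it did before. The following script is an added example, not code from Composer or Packagist. It compares two composer.lock snapshots (the real lock layout: a "packages" list with "name", "version", "source.reference" and an optional "autoload.files" array) and reports both conditions, and it also implements the "expected immutable commit or fail" check from the feature request as a lock-side policy. The package names, commit hashes and lock contents are constructed for the example.

```python
"""Audit composer.lock snapshots for tag re-targeting and new autoload files.

Added example; not Composer's or Private Packagist's own code. It reads the
standard composer.lock structure. All package data below is constructed.
"""
import json

# Constructed commit references (40 hex chars, like real git SHAs).
OLD_REF = "a1b2c3d4" + "0" * 32          # vendor/lib 1.2.3 as first locked
NEW_REF = "deadbeef" + "1" * 32          # same tag, now pointing elsewhere
TOOL_REF = "cafef00d" + "2" * 32         # acme/tool 2.0.0, unchanged

# "Before" lock: vendor/lib has only PSR-4 autoloading, no files.
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/lib", "version": "1.2.3",
         "source": {"type": "git", "reference": OLD_REF},
         "autoload": {"psr-4": {"Vendor\\Lib\\": "src/"}}},
        {"name": "acme/tool", "version": "2.0.0",
         "source": {"type": "git", "reference": TOOL_REF},
         "autoload": {"files": ["src/helpers.php"]}},
    ],
    "packages-dev": [],
})

# "After" lock: vendor/lib keeps version 1.2.3 but the tag now resolves to a
# different commit and an autoload file appeared; a new package also ships one.
NEW_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/lib", "version": "1.2.3",
         "source": {"type": "git", "reference": NEW_REF},
         "autoload": {"psr-4": {"Vendor\\Lib\\": "src/"},
                      "files": ["src/bootstrap.php"]}},
        {"name": "acme/tool", "version": "2.0.0",
         "source": {"type": "git", "reference": TOOL_REF},
         "autoload": {"files": ["src/helpers.php"]}},
        {"name": "acme/new", "version": "0.1.0",
         "source": {"type": "git", "reference": "3" * 40},
         "autoload": {"files": ["init.php"]}},
    ],
    "packages-dev": [],
})


def index_packages(lock_text):
    """Map package name -> lock entry, across prod and dev sections."""
    lock = json.loads(lock_text)
    packages = {}
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            packages[entry["name"]] = entry
    return packages


def autoload_files(entry):
    return set((entry.get("autoload") or {}).get("files", []))


def source_ref(entry):
    return (entry.get("source") or {}).get("reference")


def audit_lock(old_text, new_text):
    """Return (package, finding, details) tuples for the old -> new change.

    - "autoload-files-added": files that will run on every autoload, newly
      present (a brand-new package reports all of its files).
    - "tag-retargeted": same version string, different source commit, which
      is what a re-pointed tag looks like from the lock file.
    """
    old, new = index_packages(old_text), index_packages(new_text)
    findings = []
    for name, entry in new.items():
        previous = old.get(name)
        before = autoload_files(previous) if previous else set()
        added = sorted(autoload_files(entry) - before)
        if added:
            findings.append((name, "autoload-files-added", added))
        if previous and previous["version"] == entry["version"]:
            old_ref, new_ref = source_ref(previous), source_ref(entry)
            if old_ref and new_ref and old_ref != new_ref:
                findings.append((name, "tag-retargeted", [old_ref, new_ref]))
    return findings


def check_pins(lock_text, expected_refs):
    """Names whose locked commit is not the expected one (or are missing)."""
    packages = index_packages(lock_text)
    failures = []
    for name, expected in expected_refs.items():
        entry = packages.get(name)
        if entry is None or source_ref(entry) != expected:
            failures.append(name)
    return sorted(failures)


if __name__ == "__main__":
    for name, kind, details in audit_lock(OLD_LOCK, NEW_LOCK):
        print(f"{kind:22} {name}: {details}")
    print("pin failures:", check_pins(NEW_LOCK, {"vendor/lib": OLD_REF}))
```

Run against the constructed data, the audit flags vendor/lib twice (re-targeted tag and a new bootstrap file) and acme/new once, while acme/tool, which changed nothing, is silent. Pointing the same check at the lock file before and after `composer update` in CI gives a review gate for exactly the two cases the posts describe, without relying on `--no-plugins --no-scripts`.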

It took us a bit longer than expected but after over a month of discussions and rewrites, Composer 2.10 RC2 is now available for testing with a new policy config and detected malware now blocked by default on install. https://github.com/composer/composer/releases/tag/2.10.0-RC2 #composerphp #phpc

Release 2.10.0-RC2 · composer/composer

Composer 2.10 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.10.0-RC2 Running comp...

GitHub

RE: https://phpc.social/@packagist/116566852406125489

If you haven't updated Composer to 2.9.8 or 2.2.28 (LTS), do so urgently! GitHub will restart the rollout of their new GitHub Actions tokens later today. They've improved secret masking to cover this Composer issue, but you're safer if you update. #composerphp #php #phpc

Composer Says No