🚨 Composer 2.9.6 and 2.2.27 are out with fixes for CVE-2026-40261 and CVE-2026-40176, both command injection issues in the Perforce driver. Run composer self-update now. No exploitation detected on Packagist.org and Private Packagist. Details on our blog:
https://blog.packagist.com/composer-2-9-6-perforce-driver-command-injection-vulnerabilities/ #php #phpc #composerphp
Composer 2.9.6: Perforce Driver Command Injection Vulnerabilities (CVE-2026-40261, CVE-2026-40176)
Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.
To the best
Private Packagist
We need your help to test Composer 2.10. Expect a final release next week, now is the time to try it out and flag any issue you find!
https://github.com/composer/composer/releases/tag/2.10.0-RC1 #composerphp #phpc
Release 2.10.0-RC1 · composer/composer
Composer 2.10 is ready for a release, and we need your help to test it and report any regression.
Please try it out!
Running composer self-update --preview will get you the 2.10.0-RC1
Running comp...
GitHub
Private Packagist is a member of the @opensourcepledge & gave over $4k/FTE in 2025 to #opensource maintainers. Have your company join too!
https://blog.packagist.com/private-packagist-2025-contributions-for-the-open-source-pledge/ - Reach out if you want to be a launch partner for our Composer & Packagist.org sponsorship program! #composerphp #php #phpc
Private Packagist 2025 contributions for the Open Source Pledge
This is now our third year as a member of the Open Source Pledge. Private Packagist subscriptions help fund not only the development of Composer and Packagist.org, but also the open source dependencies we rely on to build and run our commercial product. In 2025, we contributed a total
Private Packagist
New release of https://github.com/joachim-n/drupal-core-development-project, the Composer template for working on #Drupal core issues. Thanks to @rkoller and rfay for their help! #ComposerPHP
nhattuanbl/lara-helper - Packagist package security analysis
Just some helper functions & commands for Laravel Latest: 5.5.1. No known vulnerabilities.
Loved the very engaged audience of a thousand people at #LaraconEU 2026 in Amsterdam today at my "Composer Deep Dive" talk! Proud to sponsor the event with Private Packagist / @packagist - Find me and chat about package management or @thephpf! Slides:
https://naderman.de/slippy/slides/2026-03-02-Laracon-EU-2026-Composer-Deep-Dive.pdf #laravel #laracon #php #composerphp
Just arrived in Amsterdam for #LaraconEU - my talk "Composer Deep Dive" is tomorrow afternoon at 2:30pm! Hope to talk to as many of you about #composerphp @packagist and @thephpf! #laravel #php #laracon
Excited to speak at #symfony user group Berlin tonight! #sfugberlin #composerphp
🚀 Private Packagist February update: Redesigned login flow, team member MFA resets for org owners, new Microsoft Teams Workflow notifications (old connectors deprecated), clickable composer search URLs in your terminal
https://blog.packagist.com/whats-new-in-private-packagist-february-2026-update/ #composerphp #php #phpc
What's New in Private Packagist, February 2026 Update
Private Packagist has continued to evolve over the past three months with significant improvements to authentication flows, security hardening, and notification capabilities. Here are the highlights from our latest round of product improvements.
Redesigned Login and Registration Flow
We've completely reworked the authentication experience to make login and registration more
Private Packagist