The last few weeks have been busy: here are my slides on Composer & Packagist Supply Chain Security in 2026 from #PHPVerse last week: https://naderman.de/slippy/slides/2026-06-09-PHPVerse-Composer-and-Packagist-Supply-Chain-Security-in-2026.pdf
Thank you to @jetbrains for organizing a fantastic online event with thousands of simultaneous live viewers again! Video recordings will be published soon as well!
Follow https://blog.packagist.com for updates on supply chain security.
🧩 Composer plugins are powerful, but execute code during install & update. Composer prompts to allow a plugin, but a distracted "yes" or an AI agent on autopilot is all it takes. Private Packagist now has org-level allowlists for plugins.
https://blog.packagist.com/restricting-composer-plugins-across-your-organization/
#php #phpc #composerphp

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, blocking malware downloads for every Composer version, and enforcing a safe Composer version across your organization. Composer plugins are a powerful extension
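The project-level knob behind the prompt mentioned above is Composer's `config.allow-plugins` setting in composer.json. The snippet below is an added illustration, not from the post or from Packagist's own documentation; the package names are placeholders. It shows the weak setting (allowing every plugin wholesale) next to an explicit allowlist, where only a reviewed plugin may run code during install and update and an unreviewed one is denied instead of prompting:

```json
{
  "config": {
    "allow-plugins-weak-example-do-not-use": true,

    "allow-plugins": {
      "example-vendor/reviewed-plugin": true,
      "example-vendor/unreviewed-plugin": false
    }
  }
}
```

Only the `allow-plugins` key is read by Composer; the first key is shown purely to contrast the dangerous shorthand `"allow-plugins": true`, which silently permits any plugin in the dependency tree. Setting `"allow-plugins": false` disables all plugins, and a plugin absent from the map still triggers the interactive prompt, so an explicit `false` entry is what prevents a hurried "yes" from approving it.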
RE: https://phpc.social/@brendt/116719832760676261
Live now, free online conference #PHPVerse2026! Join us now!
The Composer CLI is part of your supply chain. Older versions miss the protections shipped in 2.10 (dependency policies, malware feed integration, source fallback off by default) and carry known client-side CVEs.
Private Packagist customers can now enforce which Composer client versions are allowed to talk to their Composer repository, with a clear upgrade message shown in the developer's terminal when an outdated client tries to connect.
https://blog.packagist.com/enforce-a-safe-composer-version-across-your-organization/
#php #phpc #composerphp

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, and blocking malware downloads for every Composer version. While the protections we have shipped try their best to cover older Composer versions too,
⛔ Composer dependency policies block flagged malware by default, but only on 2.10. A project disabling the policy, or a CI image running Composer 2.4, still installs flagged versions normally until we can manually pull them from Packagist.
Private Packagist now refuses to serve dist files for malware-flagged versions at the repository level, regardless of the Composer version requesting them. Enabled by default for new and existing organizations.

This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, and the recent post on closing Composer's download fallback paths. Composer 2.10's dependency policy framework is a substantial step forward for PHP supply chain security. It removes

This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer's
PHP doesn't have an image problem in 2026. It has a tutorial problem.
Too many "learn PHP" articles still teach PHP 5.6 and PHP 7.x patterns while modern PHP has evolved dramatically.
Today’s PHP means:
Strict Types
Enums
Attributes
Readonly Classes
Property Hooks
Dependency Injection
Composer
Modern Testing
If your tutorial still uses mysql_*, no namespaces, and no Composer, you're learning PHP history—not modern PHP.
The PHP ecosystem deserves more up-to-date educational content.