⚠️ Fake #Laravel packages on #Packagist deploy a cross-platform #RAT on Windows, macOS & Linux — researchers at Socket flagged 3 malicious #PHP packages disguised as Laravel utilities #cybersecurity #supplychain #opensource #infosec

📦 Malicious packages identified:
• nhattuanbl/lara-helper (37 downloads)
• nhattuanbl/simple-queue (29 downloads)
• nhattuanbl/lara-swagger (49 downloads)

🧵 👇

I finally solved my Composer hanging/stuck issue 🚀
Set up a local proxy server and routed downloads using PHP stream functions.

Added real-time debugging with log files to trace where it was freezing.

Result: smooth installs, zero guesswork 😌

#PHP #composer #packagist #proxy

The other night I made this little #PHP tool that validates #PHPDoc annotations against the actual method signature, to make sure that they are compatible and don't drift apart over time.

I use it as a quick check before running #PHPStan to make sure that the static analysis is correctly informed. Published it on #Packagist in case anyone else would find it useful too: https://packagist.org/packages/nsrosenqvist/phpdoc-validator

Note for our PHP users: We've upgraded Composer to the latest version, but we've disabled the vulnerability check for now. This is probably an edge case of an edge case, as we do actively track PHP package vulns, but keeping the check in there would lead to a heap of pain for us.

Of course, let us know if you see a package updated to a known vulnerable version, that should definitely not happen.

#PHP #Composer #Packagist

RE: https://infosec.exchange/@art4/115747129017446982

Just in time for the end of 2025 (at least in my time zone), I released version 1.0.0 of my new #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist:

https://packagist.org/packages/art4/rector-bc-library

Happy new year! 🥳

I'm currently working on a #RectorExtension that replaces the native type declaration set. The special thing about it: no breaking changes!

This means: no changes to parameter types or return types if your class/method is not private or final. This is particularly important for library maintainers who want to use #Rector but don't want to have any breaking changes.

If you are a maintainer of a #PHP library and #backwardcompatibility is important to you, then check it out on #packagist: https://packagist.org/packages/art4/rector-bc-library

And feel free to give me feedback.

How to use local packages in Composer: a guide for PHP developers

When working on a PHP project, it’s common to rely on external libraries published on Packagist. Composer makes installing and managing these dependencies effortless. But what if you need to work with a dependency locally, outside Packagist?

https://dev.to/robertobutti/how-to-use-local-packages-in-composer-a-guide-for-php-developers-h89

#php #packagist #composer #opensource

Version 7.2.0 of #bm_image_gallery is released. Available at #ter and #packagist.

You can find the changelog in the docs or at https://github.com/freshworkx/typo3-image-gallery/releases/tag/v7.2.0.

Have fun with site sets and PSR-14 events. Happy updating! #TYPO3 #gallery #extension

Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org. #PHP #packagist

http://packagist.org/?utm_source=flipboard&utm_medium=activitypub

Posted into SYMFONY FOR THE DEVIL @symfony-for-the-devil-mobileatom