Back from our annual #SymfonyCon trip! Great experience celebrating 20 years of #Symfony with its community in Amsterdam. The @packagist booth was busy with discussions throughout the event, and my package manager security outlook talk sparked good conversations. See you in Warsaw 2026!

Slides: https://naderman.de/slippy/slides/2025-11-28-SymfonyCon-Amsterdam-2025-Package-Manager-Security-in-2025-Whats-Next.pdf

#php #composerphp

Projects using #composerphp "autoload-files" in their composer.json will see some speedup when analyzed with #phpstan, starting with the next phpstan release.
New in Private Packagist: Usage Tracking can now help prioritize security updates by showing how dependencies cascade through projects and where vulnerable versions are used. Trusted Publishing for GitHub Actions and better synchronization setup. https://blog.packagist.com/whats-new-in-private-packagist-november-update/ #php #phpc #composerphp
What’s New in Private Packagist, November Update

We've shipped several important updates to Private Packagist over the past three months, including more insights on the package usage tracking page, the introduction of Trusted Publishing for secure artifact deployment, and enhanced security and audit controls. Here are the highlights from our latest round of product improvements. More Package

Private Packagist

After Composer 2.9 CLI security improvements, we're working on a transparency log for Packagist org to strengthen PHP supply chain security, funded by the Sovereign Tech Agency with help of the PHP Foundation and Private Packagist. #php #phpc #composerphp

More detail about what we're working on can be viewed on our blog at https://blog.packagist.com/strengthening-php-supply-chain-security-with-a-transparency-log-for-packagist-org/

Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org

The release of Composer 2.9 this week introduced new security features on the Composer CLI client, which were funded by Private Packagist through service subscriptions. But in parallel, we are working on security on the main PHP package repository at Packagist.org with additional funding from the Sovereign Tech

Private Packagist

Composer 2.9 is here! 🚀 It automatically blocks packages with known vulnerabilities, has a new repository command to manage repos from the CLI, and lots more!

Read the full announcement: https://blog.packagist.com/composer-2-9/
#composerphp #phpc #PHP

Composer 2.9 Release

We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating

Private Packagist
Composer 2.9 is coming, and there's an RC to try out! We need your help and feedback https://github.com/composer/composer/releases/tag/2.9.0-RC1 #composerphp #phpc
Release 2.9.0-RC1 · composer/composer

Composer 2.9 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.9.0-RC1 Running compos...

GitHub

Bitbucket Cloud is retiring app passwords in favor of API tokens. If you're using Private Packagist with Bitbucket Cloud, migrate now to avoid future disruptions.

This blog post explains it step-by-step: https://blog.packagist.com/bitbucket-deprecated-app-passwords/

#php #composerphp #phpc #privatepackagist #bitbucket

Bitbucket deprecated App Passwords

Bitbucket announced that they deprecated app passwords in favor of their new API token system. This change affects organizations using Private Packagist with Bitbucket Cloud (bitbucket.org) workspace synchronizations. Bitbucket app passwords will stop working entirely on June 9th, 2026. Bitbucket's app passwords provided limited functionality and security features. API

Private Packagist

Caching in CI/CD should be used wherever possible.

This not only helps keep infrastructure costs low, but also sometimes shortens your own build times considerably.

For GitHub-/Gitea-compatible workflows there is actions/cache, which is trivial to set up.

https://blog.packagist.com/a-call-for-sustainable-open-source-infrastructure/

https://github.com/actions/cache

https://github.com/actions/cache/blob/main/examples.md#php---composer

#ComposerPHP

A Call for Sustainable Open Source Infrastructure

Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support. The Reality We

Private Packagist
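A workflow that caches Composer's download directory with actions/cache, as an added example that is not part of the original post or of the actions/cache project's own documentation. It assumes a GitHub Actions runner where Composer is on the PATH after the setup step, and the job and step names are placeholders chosen for this example.

```yaml
# Added example: cache Composer downloads between CI runs (not from the original post).
name: ci

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumption: this action provides php and composer on the PATH.
      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'

      # Ask Composer where its download cache lives instead of hard-coding a path.
      - name: Get Composer cache directory
        id: composer-cache
        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

      # The key is tied to composer.lock, so a cache hit corresponds to the
      # exact locked dependency set; restore-keys allow partial reuse when
      # the lock file changed (Composer then downloads only what is missing).
      - name: Cache Composer downloads
        uses: actions/cache@v4
        with:
          path: ${{ steps.composer-cache.outputs.dir }}
          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
          restore-keys: |
            ${{ runner.os }}-composer-

      # composer install still resolves every package from composer.lock;
      # the cache only avoids re-downloading archives from packagist.org.
      - name: Install dependencies
        run: composer install --prefer-dist --no-progress --no-interaction
```

Caching Composer's download directory rather than `vendor/` means each run still installs from `composer.lock`, so a stale or tampered cache entry cannot silently change which versions end up in the build; the cache only saves the repeated archive downloads that the linked blog post asks users to avoid.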

Together with PyPI, Maven Central, crates.io and other major package registries we signed a statement on sustainable open source infrastructure.

3B+ installs/month and evolving #composerphp and packagist.org require sharing the costs.

Our Blog: https://blog.packagist.com/a-call-for-sustainable-open-source-infrastructure/
Open Letter: https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/

#phpc #php #supplychainsecurity #opensourcesustainability

A Call for Sustainable Open Source Infrastructure

Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support. The Reality We

Private Packagist
🚨 Warning to PHP package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us. #phpc #composerphp