🔒 An update on Composer & Packagist supply chain security:

Covering what's in place today, what ships this week with Composer 2.10 (dependency policies, stable version immutability), what's coming next (mandatory MFA, minimum-release-age policy, organizational package ownership), and the long-term direction toward immutable artifacts with SLSA provenance and sigstore attestations.

If you maintain PHP packages, please enable MFA now.

https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
#php #phpc #composerphp

An Update on Composer & Packagist Supply Chain Security

The last months, and even more so the last weeks, saw an increasing number of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had

Private Packagist

@packagist Thank you for your work! Good changes on so many levels. Organisation accounts. Yeah.

Btw, I'm also happily looking forward to the smaller things, like not falling back to source downloads, as I just today noticed larger images being built despite --prefer-dist being used, and the culprit was the GitHub OAuth token expiry that didn't fail the composer install in the Docker build. Silly me. :-)
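The situation described in that reply (a `--prefer-dist` install that quietly switches some packages to git clones when the dist download fails, for instance because a GitHub token has expired) can be caught in CI by checking Composer's own install output. The script below is an added example for this thread, not code from Packagist or the Composer project: it scans a captured `composer install` log and returns every package that was installed by cloning a repository rather than extracting a dist archive, so a build can fail instead of silently producing a larger image. The sample log is constructed; the line shapes it matches ("Installing <pkg> (<ver>): Extracting archive" for dist, "Cloning <ref>" and "Syncing <pkg> (<ver>) into cache" for source) follow what Composer 2 prints, but treat the exact wording as an assumption and adjust the patterns if your Composer version differs.

```python
"""Flag packages that Composer installed from source (git) instead of dist.

Added example, not part of Composer or Packagist. Feed it the output of
`composer install --prefer-dist` and it reports every source fallback.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# "- Installing vendor/pkg (1.2.3): Extracting archive"  -> dist download
# "- Installing vendor/pkg (1.2.3): Cloning 0a3f1c2d ..." -> source checkout
# (assumed Composer 2 wording; adjust if your version prints differently)
INSTALL_LINE = re.compile(
    r"^\s*-\s+(?:Installing|Updating|Downgrading)\s+"
    r"(?P<pkg>[\w.-]+/[\w.-]+)\s+\((?P<ver>[^)]+)\):\s+"
    r"(?P<how>Extracting archive|Cloning\b.*)$"
)
# Composer also announces a git mirror sync before a source install.
SYNC_LINE = re.compile(
    r"^\s*-\s+Syncing\s+(?P<pkg>[\w.-]+/[\w.-]+)\s+\((?P<ver>[^)]+)\)\s+into cache"
)


@dataclass(frozen=True)
class SourceFallback:
    package: str
    version: str
    detail: str


def find_source_fallbacks(log: str) -> list[SourceFallback]:
    """Return every package the log shows being installed from source."""
    cloned: dict[str, SourceFallback] = {}
    synced: dict[str, SourceFallback] = {}
    for line in log.splitlines():
        m = INSTALL_LINE.match(line)
        if m:
            if m.group("how").startswith("Cloning"):
                cloned[m.group("pkg")] = SourceFallback(
                    m.group("pkg"), m.group("ver"), m.group("how").strip()
                )
            continue
        s = SYNC_LINE.match(line)
        if s:
            synced[s.group("pkg")] = SourceFallback(
                s.group("pkg"), s.group("ver"), "synced git mirror into cache"
            )
    # The Installing line is the authoritative record; a package seen only in a
    # Syncing line (e.g. truncated log) is still reported, with that weaker detail.
    merged = {**synced, **cloned}
    return [merged[name] for name in sorted(merged)]


def check_dist_only(log: str) -> int:
    """Exit code for CI: 0 when every package came from a dist archive, 1 otherwise."""
    fallbacks = find_source_fallbacks(log)
    for f in fallbacks:
        print(f"source fallback: {f.package} {f.version} ({f.detail})", file=sys.stderr)
    return 1 if fallbacks else 0


# Constructed sample output: two dist installs and one package that fell back
# to a git clone, which is what an expired GitHub token can silently cause.
SAMPLE_LOG = """\
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Package operations: 3 installs, 0 updates, 0 removals
  - Downloading psr/log (3.0.0)
  - Downloading monolog/monolog (3.5.0)
  - Syncing symfony/console (v6.4.2) into cache
  - Installing psr/log (3.0.0): Extracting archive
  - Installing monolog/monolog (3.5.0): Extracting archive
  - Installing symfony/console (v6.4.2): Cloning 0a3f1c2d from cache
Generating autoload files
"""


if __name__ == "__main__":
    # Usage in a build: composer install --prefer-dist 2>&1 | tee install.log
    #                   python check_source_fallback.py < install.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    sys.exit(check_dist_only(text))
```

Running it on the sample log reports `symfony/console v6.4.2` as a source fallback and exits non-zero; wiring that exit code into the Docker build step is what turns the silent fallback the reply describes into a failed build that points at the expired token.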

@packagist Thank you for clearly communicating what you’re working on and have planned. And actually shipping stuff fast.

Something clearly missing in other ecosystems.