Private Packagist

What’s New in Private Packagist, November Update

We've shipped several important updates to Private Packagist over the past three months, including more insights on the package usage tracking page, the introduction of Trusted Publishing for secure artifact deployment, and enhanced security and audit controls. Here are the highlights from our latest round of product improvements.

opensource

Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org

The release of Composer 2.9 this week introduced new security features on the Composer CLI client, which were funded by Private Packagist through service subscriptions. But in parallel, we are working on security on the main PHP package repository at Packagist.org with additional funding from the Sovereign Tech

composer

Composer 2.9 Release

We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating

Private Packagist

Bitbucket deprecated App Passwords

Bitbucket announced that they deprecated app passwords in favor of their new API token system. This change affects organizations using Private Packagist with Bitbucket Cloud (bitbucket.org) workspace synchronizations. Bitbucket app passwords will stop working entirely on June 9th, 2026. Bitbucket's app passwords provided limited functionality and security

opensource

A Call for Sustainable Open Source Infrastructure

Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support. The

changelog

What’s New in Private Packagist, August Update

We've been busy improving Private Packagist over the past few months with a focus on package discovery, user experience improvements, and improved security monitoring tools. Here are the most significant updates that will make your daily workflow smoother and more secure. Better Package Discovery and Management We'

Private Packagist

Working with Amasty's new Project-Based Access Keys

Amasty recently announced that starting January 1, 2026, they will be discontinuing global Composer access keys generated in the "Products" tab of customer accounts. Instead, they're moving to project-specific access keys that provide better security and cleaner dependency management by tying Composer access directly to individual

composer

Packagist.org shutdown of Composer 1.x support postponed to September 1st, 2025

With the deadline drawing near, we’d like to remind you that we are discontinuing Composer 1.x support on Packagist.org soon. We're extending our original timeline by one month to give teams additional preparation time to migrate. Composer 1.x metadata access will now shut down

changelog

What’s New in Private Packagist, May Update

Private Packagist has been evolving steadily over the past three months with a focus on API improvements, enhanced security, and refined user experience. Let's dive into the significant updates that have been introduced since February. API Improvements Our API credentials have undergone a comprehensive overhaul, with the standout

changelog

What’s New in Private Packagist, February Update

While we’re also putting the final touches on Conductor, our team has shipped regular updates and improvements to Private Packagist. We’ll share some significant changes we've made to Private Packagist over the past few months. Support for PIE We've introduced support for php-ext metadata,

opensource

The Reality of Funding Open Source

As the founder of Packagist Conductors, a small company with just eight employees, I've had a front-row seat to one of the most pressing challenges in software development today: sustainable open source funding. We found our own way to fund a major open source project, and managed to

security

Discover Security Advisories with Composer’s audit command

Did you know that October is Cyber Security Awareness month, and that this year already marks its 21st anniversary? This collaborative effort between government and industry aims to raise awareness of online risks and to share important safety tips. These campaigns focus on basic best practices, such as protecting your

opensource

Private Packagist is joining the Open Source Pledge

We're joining the Open Source Pledge because our business is built on and with open-source software. We will spend at least $2,000 per full-time developer on open-source projects and maintainers. Sentry launched this initiative after a $500,000 distribution across their open-source dependencies, and others followed. Sustainability

composer

Shutting down Packagist.org support for Composer 1.x

Composer 1.x has served the PHP community well, but with Composer 2.0 released four years ago in October 2020, it's time to move forward. As of today, more than 95% of Composer updates are using v2, benefiting from its significant improvements in performance, memory usage, and

composer

Composer 2.7.7 & Security Audit by Cure53 funded by Alpha-Omega

Today we’re releasing Composer 2.7.7 (PHP 7.2+) and 2.2.24 (LTS for use on PHP 5.3 to 7.1) to address two security vulnerabilities as well as a number of smaller security hardening measures, please update to the new versions immediately (e.g. with

composer

Composer 2.7 and CVE-2024-24821: Code execution and possible privilege escalation

Please immediately update Composer to version 2.7.0 or 2.2.23 (composer.phar self-update). The new releases includes fixes for a code execution and possible privilege escalation via InstalledVersions.php or installed.php vulnerability (CVE-2024-24821) reported by Ed Cradock. The vulnerability does not impact packagist.org and Private

security

Packagist.org maintainer account takeover

What happened? On May 1st, 2023 between 3:08pm UTC and 4:05pm UTC an attacker accessed four user accounts that had been inactive on Packagist.org for a period of time but still had access to a total of 14 packages. The attacker forked each of the packages and

composer

Composer 2.4 Release

Auditing dependencies for known security vulnerabilities Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring [https://blog.packagist.com/security-monitoring/] to notify customers

security

CVE-2022-24828: Composer Command Injection Vulnerability

Please immediately update Composer to version 2.3.5, 2.2.12, or 1.10.26 (composer.phar self-update). The new releases include fixes for a command injection security vulnerability (CVE-2022-24828) reported by Thomas Chauchefoin from SonarSource. Fixes for Packagist.org and Private Packagist were deployed within 24 hours of

composer

Composer 2.3 Release

Modernizing Composer internals As announced in the 2.2 release notes, Composer 2.3 increases the required PHP version to >=7.2.5 and thus stops supporting PHP 5.3.2 - 7.2.4. The 2.2 LTS is still there for users stuck on older PHP versions.

composer

Composer 2.2 Release

LTS / Long Term Support The 2.2 minor release is an LTS (Long Term Support) release. We will provide bugfixes for critical bugs and security issues until at least the end of 2023, and will then reassess based on remaining usage. The reason we are doing this is that after

Private Packagist

Introducing: Update Review

As of today, when you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table. This feature is immediately available to all our customers at no additional cost. We love it! With the Private Packagist Update

Sunsetting the PHP Version Stats Blog Series

Back in 2014 (a long time ago! PHP 5.6 was just released) I figured I actually had access to some interesting information on PHP usage in the Packagist.org logs. I wrote some shell commands to extract it and wrote the first blog post of the series [https://seld.

PHP Versions Stats - 2021.1 Edition

See 2014 [https://seld.be/notes/my-view-of-php-version-adoption], 2015 [https://seld.be/notes/php-versions-stats-2015-edition], 2016.1 [https://seld.be/notes/php-versions-stats-2016-1-edition], 2016.2 [https://seld.be/notes/php-versions-stats-2016-2-edition], 2017.1 [https://seld.be/notes/php-versions-stats-2017-1-edition], 2017.2 [https://seld.be/notes/php-versions-stats-2017-2-edition], 2018.1 [https://seld.be/notes/php-versions-stats-2018-1-edition], 2018.2

security

Composer Command Injection Vulnerability

Please immediately update Composer to version 2.0.13 [https://github.com/composer/composer/releases/tag/2.0.13] or 1.10.22 [https://github.com/composer/composer/releases/tag/1.10.22] (composer.phar self-update). The new releases include fixes for a command injection security vulnerability [https://github.com/