New release of https://github.com/joachim-n/drupal-core-development-project, the Composer template for working on #Drupal core issues. Thanks to @rkoller and rfay for their help! #ComposerPHP
How do users report a composer package that is distributing a Remote Access Trojan (RAT) on packagist for removal/warning?
e.g.
https://intel.aikido.dev/packages/packagist/nhattuanbl/lara-helper
https://packagist.org/packages/nhattuanbl/lara-helper
Payload: https://gitlab.com/nhattuanbl/lara-helper/-/blob/master/src/helper.php
Loved the very engaged audience of a thousand people at #LaraconEU 2026 in Amsterdam today at my "Composer Deep Dive" talk! Proud to sponsor the event with Private Packagist / @packagist - Find me and chat about package management or @thephpf ! Slides: https://naderman.de/slippy/slides/2026-03-02-Laracon-EU-2026-Composer-Deep-Dive.pdf #laravel #laracon #php #composerphp
Just arrived in Amsterdam for #LaraconEU - my talk "Composer Deep Dive" is tomorrow afternoon at 2:30pm! Hope to talk to as many of you about #composerphp @packagist and @thephpf! #laravel #php #laracon
Excited to speak at #symfony user group Berlin tonight! #sfugberlin #composerphp
🚀 Private Packagist February update: Redesigned login flow, team member MFA resets for org owners, new Microsoft Teams Workflow notifications (old connectors deprecated), clickable composer search URLs in your terminal https://blog.packagist.com/whats-new-in-private-packagist-february-2026-update/ #composerphp #php #phpc
RE: https://phpc.social/@phpc_tv/115913656275791585
@phpc_tv wow so many vids in there! Awesome!
Back from our annual #SymfonyCon trip! Great experience celebrating 20 years of #Symfony with its community in Amsterdam. The @packagist booth was busy with discussions throughout the event, and my package manager security outlook talk sparked good conversations. See you in Warsaw 2026!
Projects using #composerphp "autoload-files" in their composer.json will see some speedup when analyzed with #phpstan, starting with the next phpstan release.
New in Private Packagist: Usage Tracking can now help prioritize security updates by showing how dependencies cascade through projects and where vulnerable versions are used. Trusted Publishing for GitHub Actions and better synchronization setup. https://blog.packagist.com/whats-new-in-private-packagist-november-update/ #php #phpc #composerphp
After Composer 2.9 CLI security improvements, we're working on a transparency log for Packagist org to strengthen PHP supply chain security, funded by the Sovereign Tech Agency with help of the PHP Foundation and Private Packagist. #php #phpc #composerphp
More detail about what we're working on can be viewed on our blog at https://blog.packagist.com/strengthening-php-supply-chain-security-with-a-transparency-log-for-packagist-org/
Composer 2.9 is here! 🚀 It automatically blocks packages with known vulnerabilities, has a new repository command to manage repos from the CLI, and lots more!
Read the full announcement: https://blog.packagist.com/composer-2-9/
#composerphp #phpc #PHP
Composer 2.9 is coming, and there's an RC to try out! We need your help and feedback https://github.com/composer/composer/releases/tag/2.9.0-RC1 #composerphp #phpc
Bitbucket Cloud is retiring app passwords in favor of API tokens. If you're using Private Packagist with Bitbucket Cloud, migrate now to avoid future disruptions.
This blog post explains it step-by-step: https://blog.packagist.com/bitbucket-deprecated-app-passwords/
Caching in CI/CD should be used whenever possible.
This not only helps keep infrastructure costs low, it also shortens your own build times, sometimes considerably.
For GitHub/Gitea-compatible workflows there is actions/cache, which is trivial to set up.
https://blog.packagist.com/a-call-for-sustainable-open-source-infrastructure/
https://github.com/actions/cache
https://github.com/actions/cache/blob/main/examples.md#php---composer
Together with PyPI, Maven Central, crates.io and other major package registries we signed a statement on sustainable open source infrastructure.
3B+ installs/month and evolving #composerphp and packagist.org requires sharing the costs.
Our Blog: https://blog.packagist.com/a-call-for-sustainable-open-source-infrastructure/
Open Letter: https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
🚨 Warning to PHP package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us. #phpc #composerphp
🚨 PSA for #PHP package maintainers: DO NOT REPLACE tags! If you messed up a release simply do another. No matter how quickly you notice a mistake, automatic tools already pulled the original tag, triggered automatic updates. Users will never know you recreated the tag and use the broken state. #phpc #composerphp
Had a great time presenting Composer Best Practices for 2025 at #APIPlatformCon in Lille this morning. Meet me at our booth, I'd love to hear all about how you work with #composerphp! Slides at https://naderman.de/slippy/slides/2025-09-18-API-Platform-Con-Composer-Best-Practices-2025.pdf
Would you like to attend #APIPlatformCon 2025 in Lille, France on September 18th & 19th or watch online? Private Packagist is sponsoring the event, and we have 4 tickets to give away! If you are part of a group that is underrepresented at typical tech conferences, or can't afford a ticket, boost this post and comment with your favorite PHP package(s) - We'll pick a winner by the end of the week! #php #composerphp #phpc