An Update on Composer and Packagist Supply Chain Security
Seldaek
21 points
2 comments
May 27, 2026
Related Discussions
- Composer leaks contents of tokens configured as GitHub OAuth tokens damienwebdev · 62 pts · May 13, 2026 · 57% similar
- Composer 2.5 meetpateltech · 18 pts · May 18, 2026 · 54% similar
- Supply-chain attack using invisible code hits GitHub and other repositories tannhaeuser · 14 pts · March 15, 2026 · 53% similar
- Postmortem: TanStack npm supply-chain compromise varunsharma07 · 705 pts · May 11, 2026 · 53% similar
- Mass NPM Supply Chain Attack Hits TanStack, Mistral AI, and 170 Packages birdculture · 18 pts · May 12, 2026 · 53% similar
Discussion Highlights (2 comments)
moebrowne
I appreciate Composer's slower but deliberate, well-thought-out approach to supply chain attack mitigations.
captn3m0
I arrived at a similar model for NPM using hooks in pnpm: https://github.com/captn3m0/npm-sec-feed. I love the work Packagist/Composer is doing in the space. I'm now a firm believer that every package manager needs to support hooks globally. Composer also supports conflicts, which results in this amazing approach of having a meta-package conflict with insecure packages: https://github.com/Roave/SecurityAdvisories. Can't happen in Node, sadly, because of language differences.