Jordi Boggiano
@seld.be
📤 352
📥 128
📝 14
Co-Founder of
@packagist.com
– Dev at teamup.com –
#ComposerPHP
lead – Wandering Belgian aka Seldaek
reposted by
Jordi Boggiano
Packagist
4 days ago
📌 Stable versions on Packagist are now immutable. Once published, the commit a version points to can no longer change. Retags are blocked, and deleted versions are tracked with a reason and recoverable.
blog.packagist.com/immutable-v...
#php
#phpc
#composerphp
0
11
10
reposted by
Jordi Boggiano
Josh Bressers
19 days ago
I had a chat with Jordi Boggiano from Packagist about a heap of security features they recently added and adding in the future The security of the public package repositories is a hot topic right now, Packagist is doing some really interesting things to improve their security
loading . . .
Packagist and Composer security with Jordi Boggiano
Josh welcomes Jordi Boggiano the lead maintainer of Composer and Packagist to explain the truckload of security features they’ve recently added. Packagist is the PHP package registry, Composer is the ...
https://opensourcesecurity.io/2026/2026-06-packagist-security-jordi/
0
4
5
reposted by
Jordi Boggiano
Nils Adermann
25 days ago
Busy times: Here are my slides on Composer & Packagist Supply Chain Security from
#PHPVerse
:
naderman.de/slippy/slide...
Thanks
@jetbrains.com
for a great online event! Videos soon! Follow
blog.packagist.com
for updates.
#php
#phpc
#composerphp
#supplychainsecurity
loading . . .
https://naderman.de/slippy/slides/2026-06-09-PHPVerse-Composer-and-Packagist-Supply-Chain-Security-in-2026.pdf
0
5
4
reposted by
Jordi Boggiano
Packagist
29 days ago
🧩 Composer plugins are powerful, but execute code during install & update. Composer prompts to allow a plugin, but a distracted "yes" or an AI agent on autopilot is all it takes. Private Packagist now has org-level allowlists for plugins.
blog.packagist.com/restricting-...
#php
#phpc
#composerphp
loading . . .
Restricting Composer plugins across your organization
This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, blocking malware downloads...
https://blog.packagist.com/restricting-composer-plugins-across-your-organization/
1
4
3
reposted by
Jordi Boggiano
Packagist
about 1 month ago
The Composer CLI is part of your supply chain. Older versions miss the protections from 2.10 and have known CVEs of their own. Private Packagist customers can now enforce which Composer versions are allowed to use their repository.
blog.packagist.com/enforce-a-sa...
#php
#phpc
#composerphp
loading . . .
Enforce a Safe Composer Version Across Your Organization
This is the next post in our supply chain security series, following the supply chain security update, the Composer 2.10 release, closing Composer's download fallback paths, and blocking malware downl...
https://blog.packagist.com/enforce-a-safe-composer-version-across-your-organization/
0
6
5
Ever found yourself accidentally merging changes to the public API of a PHP package and regretting it later? I made a GitHub Action to help prevent that.
seld.be/notes/surfac...
loading . . .
Making public API surfaces changes more visible in open source libraries | Jordi's Ramblings
...
https://seld.be/notes/surfacing-public-api-changes/
about 1 month ago
0
0
2
reposted by
Jordi Boggiano
Packagist
about 1 month ago
🛡️ Composer's download fallback behavior can silently override security decisions at the repository side, falling back from a blocked Private Packagist URL to GitHub or a source clone. Two new Private Packagist options close it off.
blog.packagist.com/closing-comp...
#php
#phpc
#composerphp
0
3
5
I realized I was never going to get to adding zizmor to all my repos so I made a claude skill to let it do the grunt work. You can use it too, if it helps more busy/lazy people to secure their GitHub repos I am glad! See
github.com/Seldaek/zizm...
add a skeleton here at some point
about 1 month ago
0
2
1
📦 Composer 2.10 is out. Native malware filtering via
@aikidosecurity.bsky.social
(enabled by default on Packagist), a unified config.policy framework for advisories/abandoned/malware, and source fallback now deprecated.
blog.packagist.com/composer-2-1...
#php
#phpc
#composerphp
loading . . .
Composer 2.10 Release
We are excited to announce the release of Composer 2.10.0, introducing native malware filtering and consolidated future-proof customizable dependency policy configuration to control the handling of se...
https://blog.packagist.com/composer-2-10-release/
about 1 month ago
0
17
11
reposted by
Jordi Boggiano
Packagist
about 1 month ago
🔒 An update on Composer & Packagist supply chain security: where we stand, what ships this week with Composer 2.10, what's next. If you maintain PHP packages, enable MFA now.
blog.packagist.com/an-update-on...
#php
#phpc
#composerphp
#supplychainsecurity
loading . . .
An Update on Composer & Packagist Supply Chain Security
The last months, and even more so the last weeks, saw an increasing amount of software supply chain attacks targeting open-source ecosystems. A handful of these have hit the PHP ecosystem too, via tak...
https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
1
9
13
It took us a bit longer than expected but after over a month of discussions and rewrites, Composer 2.10 RC2 is now available for testing with a new policy config and detected malware now blocked by default on install.
github.com/composer/com...
#composerphp
#phpc
loading . . .
Release 2.10.0-RC2 · composer/composer
Composer 2.10 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.10.0-RC2 Running comp...
https://github.com/composer/composer/releases/tag/2.10.0-RC2
about 2 months ago
0
7
6
reposted by
Jordi Boggiano
Packagist
about 2 months ago
We recommend you change the default permissions for GitHub Actions GITHUB_TOKENs to read only. Explicitly grant elevated permissions only where strictly necessary. Use zizmor to analyze your GitHub Actions:
github.com/zizmorcore/z...
see also:
phpunit.expert/articles/har...
0
4
6
reposted by
Jordi Boggiano
Packagist
about 2 months ago
If you haven't updated Composer to 2.9.8 or 2.2.28 (LTS), do so urgently! GitHub will restart the rollout of their new GitHub Actions tokens later today. They've improved secret masking to cover this Composer issue, but you're safer if you update.
#composerphp
#php
#phpc
add a skeleton here at some point
1
6
9
reposted by
Jordi Boggiano
Packagist
about 2 months ago
Three-month Private Packagist recap: malware filter list support is already in place, ahead of Composer 2.10's release next week. Plus a new permissions tab, better job visibility, and narrower GitLab OAuth scopes.
blog.packagist.com/whats-new-in...
#php
#phpc
#composerphp
loading . . .
What's New in Private Packagist, May 2026 Update
Over the past three months, we've shipped updates focused on security, integrations with code hosting platforms, and usability improvements throughout Private Packagist. Here's a rundown of the most n...
https://blog.packagist.com/whats-new-in-private-packagist-may-2026-update/
0
3
4
reposted by
Jordi Boggiano
Packagist
about 2 months ago
UPDATE: GitHub has rolled back their change to GitHub Actions tokens, no longer necessary to immediately disable GitHub Actions. We now have a few days to get the PHP ecosystem updated to safe Composer versions, before a new rollout of the new token format is attempted.
#php
#composerphp
#phpc
0
2
2
reposted by
Jordi Boggiano
Packagist
about 2 months ago
🚨 Security advisory: Composer 2.9.8 and 2.2.28 fix a vulnerability leaking GitHub Actions GITHUB_TOKENs to job logs via error messages. Update now or disable affected workflows.
blog.packagist.com/composer-2-9...
#composerphp
#phpc
#php
loading . . .
Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages
Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions ...
https://blog.packagist.com/composer-2-9-8-and-2-2-28-fix-github-actions-token-disclosure-in-error-messages/
1
7
9
reposted by
Jordi Boggiano
Nils Adermann
2 months ago
Packagist needs to finance staff, not just hardware and bandwidth. Contact me if your company's interested in joining our sponsorship program for its launch this month while we work on long term solutions.
0
2
5
reposted by
Jordi Boggiano
Nils Adermann
2 months ago
Open infrastructure isn't free. 🌱 Packagist/Composer signed a joint
@openssf.org
letter with PyPI, crates, Maven, CPAN, etc on real cost of running package registries.
#php
#phpc
#composerphp
#softwaresupplychain
#PreserveOpenSource
#FreeSoftwareIsntFree
#OpenSource
#Sustainability
add a skeleton here at some point
1
11
9
reposted by
Jordi Boggiano
Packagist
3 months ago
🚨 Composer 2.9.6 and 2.2.27 are out with fixes for CVE-2026-40261 and CVE-2026-40176, command injection issues in the Perforce driver. Run composer self-update now. No exploits detected on
Packagist.org
and Private Packagist. Details:
blog.packagist.com/composer-2-9...
#php
#phpc
#composerphp
loading . . .
Packagist.org
The PHP Package Repository
https://Packagist.org
0
3
9
We need your help to test Composer 2.10. Expect a final release next week, now is the time to try it out and flag any issue you find!
github.com/composer/com...
#composerphp
#phpc
loading . . .
Release 2.10.0-RC1 · composer/composer
Composer 2.10 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.10.0-RC1 Running comp...
https://github.com/composer/composer/releases/tag/2.10.0-RC1
3 months ago
0
4
7
reposted by
Jordi Boggiano
Packagist
4 months ago
Private Packagist is a member of the
@opensourcepledge.com
& gave over $4k/FTE in 2025 to
#opensource
maintainers. Have your company join too!
blog.packagist.com/private-pack...
- Reach out if you want to be a launch partner for our Composer&Packagist.org sponsorship program!
#composerphp
#php
#phpc
loading . . .
Private Packagist 2025 contributions for the Open Source Pledge
This is now our third year as a member of the Open Source Pledge. Private Packagist subscriptions help fund not only the development of Composer and Packagist.org, but also the open source dependencie...
https://blog.packagist.com/private-packagist-2025-contributions-for-the-open-source-pledge/
1
7
4
reposted by
Jordi Boggiano
Packagist
5 months ago
🚀 Private Packagist February update: Redesigned login flow, team member MFA resets for org owners, new Microsoft Teams Workflow notifications (old connectors deprecated), clickable composer search URLs in your terminal
blog.packagist.com/whats-new-in...
#composerphp
#php
#phpc
loading . . .
What's New in Private Packagist, February 2026 Update
Private Packagist has continued to evolve over the past three months with significant improvements to authentication flows, security hardening, and notification capabilities. Here are the highlights f...
https://blog.packagist.com/whats-new-in-private-packagist-february-2026-update/
0
5
3
reposted by
Jordi Boggiano
Packagist
7 months ago
Proud to announce we just renewed our annual $18,000 sponsorship for the The PHP Foundation! Check out this summary on the work completed in 2025. So much more could be accomplished, if all businesses using PHP contributed. Sign up as a sponsor and help moving PHP forward!
add a skeleton here at some point
1
27
8
reposted by
Jordi Boggiano
Nils Adermann
7 months ago
Back from our annual
#SymfonyCon
trip! Great experience celebrating 20 years of
#Symfony
with its community in Amsterdam. The
@packagist.com
booth was busy throughout the event, and my package manager security outlook talk sparked good conversations. See you in Warsaw 2026!
#php
#composerphp
1
9
3
reposted by
Jordi Boggiano
Packagist
8 months ago
New in Private Packagist: Usage Tracking can now help prioritize security updates by showing how deps cascade through projects and where vulnerable versions are used. Trusted Publishing for GitHub Actions and better synchronization setup.
blog.packagist.com/whats-new-in...
#php
#phpc
#composerphp
loading . . .
What’s New in Private Packagist, November Update
We've shipped several important updates to Private Packagist over the past three months, including more insights on the package usage tracking page, the introduction of Trusted Publishing for secure a...
https://blog.packagist.com/whats-new-in-private-packagist-november-update/
0
2
3
reposted by
Jordi Boggiano
Packagist
8 months ago
After Composer 2.9 CLI security improvements, we're working on a transparency log for Packagist to strengthen PHP supply chain security, funded by the
@sovereign.tech
with help of the
@thephpf.bsky.social
and Private Packagist. Details at
blog.packagist.com/strengthenin...
#php
#phpc
#composerphp
loading . . .
Strengthening PHP Supply Chain Security with a Transparency Log for Packagist.org
The release of Composer 2.9 this week introduced new security features on the Composer CLI client, which were funded by Private Packagist through service subscriptions. But in parallel, we are working...
https://blog.packagist.com/strengthening-php-supply-chain-security-with-a-transparency-log-for-packagist-org/
0
17
7
Composer 2.9 is here! 🚀 It automatically blocks packages with known vulnerabilities, has a new repository command to manage repos from the CLI, and lots more!
blog.packagist.com/composer-2-9/
#composerphp
#phpc
#PHP
loading . . .
Composer 2.9 Release
We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more. Automatic Security Blocking Composer now automaticall...
https://blog.packagist.com/composer-2-9/
8 months ago
0
14
8
Composer 2.9 is coming, and there's an RC to try out! We need your help and feedback
github.com/composer/com...
#composerphp
#phpc
loading . . .
Release 2.9.0-RC1 · composer/composer
Composer 2.9 is ready for a release, and we need your help to test it and report any regression. Please try it out! Running composer self-update --preview will get you the 2.9.0-RC1 Running compos...
https://github.com/composer/composer/releases/tag/2.9.0-RC1
8 months ago
0
6
4
reposted by
Jordi Boggiano
Packagist
10 months ago
🚨 Warning to
#PHP
package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us.
#phpc
0
25
40
reposted by
Jordi Boggiano
Packagist
10 months ago
Together with PyPI, Maven Central, cratesio and other major package registries we signed a statement on sustainable open source infrastructure. 3B+ installs/month and evolving
#composerphp
and
packagist.org
requires sharing the costs.
#phpc
#php
add a skeleton here at some point
1
16
9
reposted by
Jordi Boggiano
Packagist
10 months ago
The era of Composer v1 finally comes to an end, long live Composer v2! 👑 Today
packagist.org
support for v1 metadata has been shut down as announced last year.
blog.packagist.com/packagist-or...
#composerphp
#phpc
#php
loading . . .
Packagist
The PHP Package Repository
https://packagist.org
1
11
6
reposted by
Jordi Boggiano
Packagist
10 months ago
August update: dependency usage tracking across your packages, automatic GitLab token rotation, and Conductor improvements with custom labels and smarter PR handling
blog.packagist.com/whats-new-in...
#php
#composer
#composerphp
#phpc
loading . . .
What’s New in Private Packagist, August Update
We've been busy improving Private Packagist over the past few months with a focus on package discovery, user experience improvements, and improved security monitoring tools. Here are the most signific...
https://blog.packagist.com/whats-new-in-private-packagist-august-update/
0
2
3
reposted by
Jordi Boggiano
Packagist
about 1 year ago
🚨
Packagist.org
shutdown of Composer 1.x support postponed to September 1st, 2025. Act now, upgrade to Composer 2! Last resort: check out Private Packagist extended 1.x support if you really cannot migrate right now.
blog.packagist.com/packagist-or...
loading . . .
Packagist.org shutdown of Composer 1.x support postponed to September 1st, 2025
With the deadline drawing near, we’d like to remind you that we are discontinuing Composer 1.x support on Packagist.org soon. We're extending our original timeline by one month to give teams additiona...
https://blog.packagist.com/packagist-org-shutdown-of-composer-1-x-support-postponed-to-september-1st-2025/
0
4
9
I will be at WordCamp Europe today talking about Composer and dependency management. Find me if you want to chat about
@packagist.com
!
about 1 year ago
0
1
0
reposted by
Jordi Boggiano
Kévin Dunglas
over 1 year ago
Let's add modern compression formats to PHP! The new RFC for natively integrating Zstandard and Brotli proposed by
@seld.be
and myself would significantly improve Composer and asset pre-compression by
@symfony.com
AssetMapper.
loading . . .
[RFC] Modern Compression (zstd, brotli) - Externals
#externals - Opening PHP's #internals to the outside
https://externals.io/message/126439
0
17
8
reposted by
Jordi Boggiano
Nils Adermann
over 1 year ago
Stop by our
@packagist.com
booth at
#LaraconEU
and have a chat about Composer, Packagist, Conductor or anything else relating to dependency management and supply chain security!
#Laravel
#Laracon
1
16
6
Got our
#SymfonyCon
tickets for next year already
over 1 year ago
0
16
1
reposted by
Jordi Boggiano
Packagist
over 1 year ago
Meet our team at
#SymfomyCon
Vienna! We'd love to chat about how you manage your Composer dependencies, your questions around supply chain security, Private Packagist or our upcoming product Conductor!
#symfony
#php
#composerphp
1
15
2
reposted by
Jordi Boggiano
Packagist
over 1 year ago
We're excited to introduce you to 🧑✈️Conductor! Automatic dependency update PRs with Composer for PHP projects - Security fixes patched in minutes - Continuous updates without the hassle - all running in your own CI env! Early access waitlist:
packagist.com/features/con...
#composerphp
#php
#phpc
loading . . .
Conductor - Automatic dependency updates for Composer
Automatic dependency updates for Composer - tailor made for PHP. Grouped and scheduled in ways that just make sense for PHP projects.
https://packagist.com/features/conductor
2
42
21
reposted by
Jordi Boggiano
Derick Rethans
over 1 year ago
➡️ The PHP manual has learned a new trick, you can now run the code right in the browser! 🥳 Thanks to @soyuka for the implementation!
#php
#documentation
loading . . .
9
158
74
you reached the end!!
feeds!
log in