An Update on Composer and Packagist Supply Chain Security
- #package management
- #open source security
- #supply chain security
- Recent supply chain attacks have targeted PHP packages via compromised GitHub accounts and stolen tokens, with notable incidents affecting laravel-lang and intercom/intercom-php.
- Composer and Packagist are implementing multiple security measures, including malware detection via Aikido, rapid incident response, and a public transparency log for tracking security events.
- Composer 2.10 introduces a unified dependency policy framework covering malware-flagged versions, vulnerabilities, and abandoned packages, along with stable version immutability on Packagist.org.
- Future plans include mandatory MFA, FIDO2-backed staged releases, hosting immutable build artifacts with SLSA provenance, and aligning with OpenSSF and SLSA security standards.
- Organizational controls are being enhanced with tools like organizational package ownership, bulk management, and staged release flows to mitigate risks from account compromises.
- Administrative improvements on Packagist.org include manual malware feed overrides, delisting for older clients, and package freezing during active compromises.
- A sponsorship program is launching to fund ongoing security work, with tiers starting at €2,500/month.
- The ecosystem is catching up on security practices, with progress on transparency logs and immutable releases, but still lags in areas like mandatory MFA compared to other package registries.