Ever found yourself accidentally merging changes to the public API of a PHP package and regretting it later? I made a GitHub Action to help prevent that. https://t.co/RRyKmcWDnv
The Composer CLI is part of your supply chain. Older versions miss the protections in 2.10 and carry known CVEs of their own.
Private Packagist customers can now enforce which Composer client versions can talk to their repository.
#php #phpc #composerphp
@oliverheck @enunomaduro @AikidoSecurity @packagist Sorry I don't understand your question? The attack vector this protects from is a malicious actor having access to the GitHub repository, so they can typically modify anything there.
@oliverheck @enunomaduro @AikidoSecurity @packagist This is pointless right now as an attacker can control the release datetime in the package metadata. That's why we haven't shipped it in Composer yet. It'll become a config dependency policy in Composer as soon as we've addressed this on https://t.co/l9IV7RsqmV.
@enunomaduro @AikidoSecurity @packagist Not possible in the current architecture. So something we'll consider after rebuilding the entire publication process for staged releases. But got to keep the risks and trade-offs in mind. What if Aikido has an outage, for example.
php devs, we no longer need to duct-tape python scripts just to parse a pdf 😭
launching Parsel: a fast memory efficient local document parser for PHP.
pdfs, office docs & images → text, structured data, bboxes, screenshots.
built for AI/RAG, NLP, invoices, search, and messy docs.
composer require shipfastlabs/parsel
confirmed… next week i'll be chatting irl on stream with @naderman, co-creator of composer, about everything the composer team is doing in light of the recent supply chain attacks
⛔ Composer policies block flagged malware, but only on 2.10. A CI image running an old Composer version, or a project disabling the policy, still installs flagged versions.
Private Packagist now blocks these at the registry, on any client.
#php #phpc #composerphp
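The two posts above (the Composer CLI as part of the supply chain, and a CI image on an old Composer version still installing flagged packages) both come down to the same check: refuse to run `composer install` on a client older than 2.10. This is an added example, not code from the Composer or Private Packagist projects; the script name `composer-guard.sh` and the "2.10.0" minimum are assumptions of the example, and the sample version strings in the comments are constructed.

```sh
#!/bin/sh
# composer-guard.sh (added example): fail a CI job before `composer install`
# when the Composer client is too old to enforce config.policy / malware
# filtering. Assumed minimum: 2.10.0 (the version the posts above refer to).

MIN_COMPOSER="2.10.0"

# Extract "X.Y.Z" from the output of `composer --version`, e.g. the constructed
# line "Composer version 2.10.1 2025-01-01 00:00:00" yields "2.10.1".
# Prints nothing if the line does not look like Composer's banner.
composer_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2. Compares dot-separated parts numerically,
# so 2.10.0 ranks above 2.9.9 (a plain string compare would get this wrong);
# missing parts are treated as 0, so "2.10" equals "2.10.0".
version_at_least() {
    have="$1"; need="$2"
    old_ifs=$IFS; IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $need; n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    IFS=$old_ifs
    if [ "$h1" -ne "$n1" ]; then [ "$h1" -gt "$n1" ]; return $?; fi
    if [ "$h2" -ne "$n2" ]; then [ "$h2" -gt "$n2" ]; return $?; fi
    [ "$h3" -ge "$n3" ]
}

# Query the installed client and decide whether the job may continue.
check_composer_client() {
    out=$(composer --version 2>/dev/null) || { echo "composer not found on PATH" >&2; return 1; }
    ver=$(composer_version_from_output "$out")
    if [ -z "$ver" ]; then echo "could not parse Composer version from: $out" >&2; return 1; fi
    if version_at_least "$ver" "$MIN_COMPOSER"; then
        echo "Composer $ver >= $MIN_COMPOSER: policy enforcement available"
    else
        echo "Composer $ver is older than $MIN_COMPOSER: dependency policies would be skipped, refusing to install" >&2
        return 1
    fi
}

# Executed as `sh composer-guard.sh && composer install` the guard runs;
# sourcing the file (`. ./composer-guard.sh`) only defines the functions.
case "$0" in *composer-guard.sh) check_composer_client || exit 1 ;; esac
```

Pin the same minimum at the registry side where you can (the Private Packagist client-version enforcement mentioned above), since a CI image can always be rebuilt with an older client than this script expects.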
🛡️ Composer's download fallbacks can silently undermine repository security: A Private Packagist URL blocked for a malware-flagged version falls back to GitHub or a source clone.
Two new Private Packagist options close it off.
#php #phpc #composerphp
I realized I was never going to get to adding zizmor to all my repos so I made a claude skill to let it do the grunt work.
You can use it too, if it helps more busy/lazy people to secure their GitHub repos I am glad!
See https://t.co/GyB0OTZyFP
Composer 2.10 is out.
Native malware filtering via @AikidoSecurity, enabled by default on @Packagist. Plus a unified config.policy framework, deprecated source fallback, and wildcards in --with.
#php #phpc #composerphp
Today we published our Impact and Transparency Report for 2025. We are incredibly grateful for our sponsors, partners, contractors, and individual financial contributors for without them, none of our work would be possible. 💙 🐘 https://t.co/2vzvicGbom
#php #opensource
🔒An update on Composer & Packagist supply chain security: what's in place, what ships this week with Composer 2.10 (dependency policies, immutable versions), and what comes next.
If you maintain PHP packages, enable MFA now!
#php #phpc #composerphp
introducing laravel moat
as an open source maintainer, recent supply chain attacks in the ecosystem made me want a simple cli to audit the security of my GitHub organizations and repositories
built in Rust. for any open source project on GitHub
@enunomaduro @packagist @npmjs Automatic CI actions build releases and push them, or in PHP you do a git tag. This appears as a staged (hidden) release on the registry. The maintainer then needs to publish it with 2FA.
As an OSS maintainer, my new rule is that anything a frontier model can find with some reasonable effort is a 0-day. Hence why I'm now shipping security releases on public holidays.
@mitsuhiko They kept pushing new commits and tags even while we were already aware. Had to entirely remove the package on the registry to put an end to us redistributing the malware that is still present on GitHub now.
@mitsuhiko My impression is attacks on IDE plugins are enabling this. When attackers can just push commits & tags to legit repos, what safeguarded PHP Composer/Packagist and Go just falls apart. Wish I had had a way yesterday to get GitHub to block pushes to the repos