blog.packagist.com
Supply-chain security is becoming a central concern for the PHP ecosystem. This article highlights that
maintaining trust in open source increasingly depends not only on code quality, but also on operational
discipline. The Composer and Packagist team discusses current and upcoming feature releases they have been
working on over the past few months.
Picked by Stefan Priebsch and Sebastian Bergmann –
"This update shows the extraordinary security work of Composer and Packagist that keeps the ecosystem
dependable without most developers ever noticing it."
queue.acm.org
Open source supply chains can no longer be treated as passive lists of dependencies. This article
argues that maintaining trust in modern software requires a shift from dependency management to active
stewardship. We need to invest in the people, processes, and ecosystems behind the packages we rely on.
Picked by Sebastian Bergmann –
"The important parts of open source are often below the surface: maintenance, governance, and the social
infrastructure that makes software reliable."
socket.dev
A compromised Packagist package shows how open source trust can be abused in very targeted ways.
Here, attackers hid malicious code in a development branch of an otherwise legitimate PHP package,
likely aiming at developers through a fake job interview or coding task.
Picked by Stefan Priebsch –
"Supply-chain security is not only about popular packages and stable releases. Even obscure branches
and temporary test versions can become attack vectors."