composer
Safeguard articles tagged "composer" — guides, analysis, and best practices for software supply chain and application security.
8 articles
PHP Laravel security best practices
One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.
Auditing PHP Dependencies with composer audit
Composer ships a native security auditor. Learn to run composer audit against your composer.lock, catch abandoned packages, and extend it with continuous SCA.
Composer/PHP Supply Chain Threats: 2025 Report
A senior engineer's 2025 report on Composer and Packagist supply chain threats: namespace abuse, abandoned maintainers, plugin hooks, and the attacks that actually landed on PHP shops.
Composer/PHP Package Supply Chain in 2026
PHP's Composer and Packagist ecosystem has quietly improved its supply chain story. Here is where things actually stand in 2026, and what PHP shops should do now.
Composer Arbitrary Code Execution via Platform Config Han...
CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.
Packagist's GitHub Webhook Flaw That Could Have Poisoned ...
A 2022 Packagist webhook vulnerability let a crafted GitHub branch name trigger command injection on Packagist's servers, threatening the entire PHP/Composer supply chain.
PHP Composer Security: Lockfiles, Packagist and Abandoned Packages
composer.lock is your integrity anchor, Packagist is a single point of trust, and roughly one in ten packages you depend on is quietly unmaintained. A field guide.
PHP Composer Dependency Security
Securing PHP applications through Composer lockfiles, Packagist verification, and automated vulnerability scanning.