The Dangerous Truth About Composer Update

You use Composer to manage your PHP projects. But do you know what can happen when you run composer update? A recent incident with the Laravel-Lang packages shows that supply chain attacks on PHP projects are real: malicious package releases were published that stole credentials from the developer machines that installed them. This is not just about SQL injection or XSS. This is about your development process itself being compromised.
To protect yourself:
- Run composer update inside a throwaway Docker container, so that any code executed during the update cannot reach the credentials on your machine
- Pin exact versions (for example with jack raise-to-installed) so that a later update cannot pull in an unexpected release
- Update the lock hash (composer update --lock) and commit the changes
- Verify what actually got updated (diff composer.lock) before committing
- Run composer audit before and after updating
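The steps above as one script, added here as an example (it is not code from the original post or from the dev.to article). It assumes Docker with the official composer:2 image, composer installed on the host for composer audit, and a composer.lock written by Composer itself, since the awk extractor relies on its one-key-per-line formatting; the function names are my own, and the package names used in any fixture are made up.

```shell
#!/bin/sh
# Added example: a safer `composer update` workflow (audit, sandboxed update,
# lock diff, audit again). Assumptions: Docker with the official composer:2
# image, composer on the host for `composer audit`, and a composer.lock in the
# formatting Composer itself writes (one key per line, "type" before "authors").
set -eu

# Step 1: run the update in a throwaway container. Only the project directory
# is mounted, so install scripts or plugins shipped by a malicious package
# cannot read ~/.ssh, ~/.aws, .env files or shell history on the host.
# --no-scripts/--no-plugins additionally stop dependency code from running
# during resolution; run your own project scripts afterwards, once reviewed.
composer_update_sandboxed() {
  docker run --rm \
    --user "$(id -u):$(id -g)" \
    -v "$1":/app -w /app \
    -e COMPOSER_HOME=/tmp/composer \
    composer:2 update --no-scripts --no-plugins --no-interaction
}

# Emit "name version type" per package from a composer.lock, one per line.
# "name" also appears inside "authors", so a record is only flushed once it
# has a version; the type column is "composer-plugin" for packages that run
# code inside the Composer process, and "library" otherwise.
lock_packages() {
  awk '
    function flush() { if (v != "") print n, v, k }
    /^[[:space:]]*"name": "/ {
      flush(); n = $0; sub(/^[[:space:]]*"name": "/, "", n); sub(/".*$/, "", n)
      v = ""; k = "library"
    }
    /^[[:space:]]*"version": "/ {
      v = $0; sub(/^[[:space:]]*"version": "/, "", v); sub(/".*$/, "", v)
    }
    /^[[:space:]]*"type": "composer-plugin"/ { k = "composer-plugin" }
    END { flush() }
  ' "$1" | sort
}

# Step 3: compare two lock files and print ADDED / CHANGED / REMOVED lines.
# New or changed composer-plugin packages are flagged, because a plugin gets
# to execute on every Composer invocation of every developer and CI job.
lock_diff() {
  old_list=$(mktemp); new_list=$(mktemp)
  lock_packages "$1" > "$old_list"
  lock_packages "$2" > "$new_list"
  awk '
    FILENAME == ARGV[1] { old[$1] = $2; next }
    { new[$1] = $2; kind[$1] = $3 }
    END {
      for (p in new) {
        tag = (kind[p] == "composer-plugin") ? " [composer-plugin: runs code inside Composer]" : ""
        if (!(p in old))           print "ADDED   " p " " new[p] tag
        else if (old[p] != new[p]) print "CHANGED " p " " old[p] " -> " new[p] tag
      }
      for (p in old) if (!(p in new)) print "REMOVED " p " " old[p]
    }' "$old_list" "$new_list" | sort
  rm -f "$old_list" "$new_list"
}

# The whole procedure: audit before, update in the sandbox, review the lock
# diff, audit after. Nothing is committed here; that is a human decision.
safe_update() {
  project_dir="$1"
  composer audit --no-plugins --working-dir="$project_dir" || echo "audit (before): issues reported, see above"
  cp "$project_dir/composer.lock" "$project_dir/composer.lock.before"
  composer_update_sandboxed "$project_dir"
  echo "== lock changes (review every line before committing) =="
  lock_diff "$project_dir/composer.lock.before" "$project_dir/composer.lock"
  composer audit --no-plugins --working-dir="$project_dir"
}
```

Usage: source the file and call safe_update /path/to/project. Note that --no-plugins will break projects that need a plugin at install time (custom installers, for instance); drop that flag only after you have reviewed which plugins are in the lock file, and keep --no-scripts so that a package's own scripts never run unseen. If you have only pinned versions in composer.json and nothing else changed, composer update --lock refreshes the content hash without resolving new releases.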
Some key takeaways:
- Fewer packages mean a smaller attack surface
- Follow Laravel security researchers on social media
- Composer 2.10 added Aikido malware scanning and immutability for stable versions
- Question every new dependency
Source: https://dev.to/tegos/composer-update-is-not-safe-anymore-2bcf