An Update on Composer and Packagist Supply Chain Security(blog.packagist.com)
blog.packagist.com
An Update on Composer and Packagist Supply Chain Security
https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
https://blog.packagist.com/an-update-on-composer-packagist-supply-chain-security/
I’m now a firm believer that every package manager needs to support hooks globally.
Composer also supports conflicts which results in this amazing approach of having a meta-package conflict with insecure packages: https://github.com/Roave/SecurityAdvisories.
Can’t happen in Node, sadly because of language differences.