Hi Oscar,

Thanks for pointing this out.

I think that composer is great, and I use it a lot in PHP projects.

I recently heard a talk at the Java Users' Group (NOVA JUG) on a similar 
problem with maven.  The focus of the talk was using frameworks and 
libraries with known vulnerabilities.  Some frameworks and libraries are 
not regularly updated, and some use old versions of libraries with known 
vulnerabilities.  This is a big problem, especially if you run your code 
with super user privileges (see #9 in the top 10 vulnerabilities in 
https://www.owasp.org/index.php/Top_10_2013-Top_10).  The solution proposed 
was to manage your own maven repo so that you have a golden repo at a point 
in time.  Sonatype (http://www.sonatype.com/) has such a solution for maven.

By the way, Maven Central has 260,000 artifacts and serves 70 million 
downloads every week. Packagist.org has 142 million packages (24,492 
packages with 87,349 versions) and about 160 million downloads a month.


On Thursday, February 20, 2014 4:31:34 PM UTC-5, Oscar Merida wrote:
> Hey folks, 
> If you use composer to install dependencies, you should be aware that 
> you should be checking what it's actually downloading when you run 
> composer install. See this post here: 
> http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/
> -Oscar 
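Oscar's point about checking what `composer install` actually fetches, and the "golden repo" idea from the reply, as an added example that is not part of this thread: a small Python audit of a constructed `composer.lock` excerpt that flags packages not pinned to a commit reference, tracked from a dev branch, or downloaded over plain HTTP or from a host outside an assumed allowlist. The package names, URLs and the allowlist hosts are all constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hosts you are willing to install from (your mirror / "golden repo").
# Assumed values for this example; replace with your own.
ALLOWED_DIST_HOSTS = {"api.github.com", "mirror.example.internal"}

# Constructed composer.lock excerpt: one well-pinned package, one with no
# commit reference on a dev branch, one fetched over HTTP from an unknown host.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.7.0",
         "dist": {"type": "zip", "reference": "abc123",
                  "url": "https://api.github.com/repos/Seldaek/monolog/zipball/abc123"}},
        {"name": "acme/unpinned", "version": "dev-master",
         "dist": {"type": "zip", "reference": None,
                  "url": "https://api.github.com/repos/acme/unpinned/zipball/"}},
        {"name": "acme/offsite", "version": "2.0.0",
         "dist": {"type": "zip", "reference": "def456",
                  "url": "http://downloads.example.org/acme-offsite-2.0.0.zip"}},
    ],
    "packages-dev": [],
})

def audit_lock(lock_json, allowed_hosts=ALLOWED_DIST_HOSTS):
    """Return (package, problem) pairs for lock entries worth a human look
    before trusting `composer install` to fetch them."""
    lock = json.loads(lock_json)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg["name"]
        dist = pkg.get("dist") or {}
        url = dist.get("url") or ""
        if not url:
            findings.append((name, "no dist URL; will be cloned from source VCS"))
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((name, f"non-HTTPS download ({parsed.scheme})"))
        if parsed.hostname not in allowed_hosts:
            findings.append((name, f"host {parsed.hostname} not in allowlist"))
        if not dist.get("reference"):
            findings.append((name, "no commit reference; contents may change between installs"))
        if str(pkg.get("version", "")).startswith("dev-"):
            findings.append((name, "dev branch rather than a tagged release"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```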

You received this message because you are subscribed to the Google
Group: "Washington, DC PHP Developers Group" - http://www.dcphp.net
To post, send email to washington-dcphp-group@googlegroups.com