We are extremely excited to announce our newest product addition to PHP dependency management: Private Packagist, a service designed to help businesses of any size use Composer more effectively and with greater confidence.

Composer Is An Open-Source Success

Jordi and I created Composer over 5 years ago and it has taken the PHP community by storm. Over 600 people have contributed directly to improvements of the dependency management tool for PHP and billions of packages have been installed with it.

Together with Composer we launched Packagist.org in 2011 to host all open-source PHP packages. Packagist.org has seen tremendous growth every day since: We currently serve over 120,000 packages for a combined total of 690,000 published package versions.

But The Composer Story For Business Has Been Rocky So Far

The few options available to businesses with private source code who would like to use Composer all have major limitations and are not very convenient to set up or operate.

Inline VCS/Git repositories in your composer.json files significantly slow down every composer update and are hard to maintain across projects.

Satis provides the bare minimum functionality to access private source code from Composer, but requires manual setup and significant work to operate reliably.

Toran Proxy has a simpler setup process and supports caching open-source package archives but doesn’t provide permission management and can’t integrate easily with other products. Toran Proxy still needs to be maintained by customers’ own staff.

Private Packagist Addresses Businesses’ Composer Needs

Private Packagist aims to remove all these hurdles for businesses to finally make working with Composer as convenient as it should be. Being a hosted service, setting up your own Composer package repository on Private Packagist is done with a few clicks. No matter if your private source code is hosted on GitHub, GitLab, Bitbucket, any of their on-premise solutions, or in any other Git, Mercurial, or Subversion repository, Private Packagist can immediately access your code after setting up your credentials to make it available for installation through Composer.

Private Packagist also helps businesses better manage and understand their open-source dependencies. Private Packagist already caches all open-source libraries used in your business’s projects and makes them and their metadata (e.g. their license) visible in your private package repository. We will be adding more features to help you better understand risks and analyze the open-source dependencies your business relies on. Further, you can restrict the addition of open-source dependencies so you can thoroughly review projects before they are available for use by your developers.

Private Packagist limits your Composer repository to only those packages actually used within your business, which improves the performance of composer operations, increasing your developers’ productivity. Your packages are available redundantly on Private Packagist and their version control system, so that composer install still works for your developers, continuous integration and deployments even if any individual service is unavailable.

Per-user authentication tokens as well as tokens for continuous integration and deployment systems ensure that you can grant and revoke access without a major headache. Fine-grained permission management through teams ensures that you can provide teams in your company access to only those packages they would have access to in your version control system. If you’re using GitHub, we can fully synchronize team memberships and package access without any manual interaction.