Changelog for Private Packagist Cloud

You can find the changelog for Private Packagist Self-hosted, our on-premise product, on https://packagist.com/docs/self-hosted/changelog.

December 2024

Security Hardening

  • MFA codes are now immediately invalidated after use. This prevents using MFA codes multiple times in a time window. (Thanks for the report Abhishrey Gupta (crimson-inferno))

Changes

  • To ensure clarity and better distinguish them from VCS repositories, we have renamed Private Packagist subrepositories to suborganizations.

November 2024

Features

  • Synchronizations with GitHub can now reuse the GitHub App in multiple Private Packagist organizations and subrepositories. In those cases, it is no longer necessary to use a GitHub personal access token.

Changes

  • The members count in the organization overview now includes members of the billing team.
  • Email notifications for new package releases, abandoned packages, and security vulnerabilities are now sent from no-reply@packagist.com.
  • The list of security issues of monitored packages now contains links to the dependencies affected by security advisories.

Bugfixes

  • Fixed that OAuth login with GitHub would result in a 500 error when the GitHub API returned a long avatar URL for the user.
  • Packagist.org mirrored packages no longer show the unrelated "Copied from organization package" link.
  • The link to create a GitLab personal access token has been updated to match newer GitLab installations and will no longer lead to a 404 page on GitLab.
  • In organizations without a synchronization, adding a user who is only a member of the billing team now also adds them to the All Organization Members team.
  • Setting up an integration using the names GitHub, GitLab, and Bitbucket no longer displays invalid callback URLs for the platforms GitLab and Bitbucket Data Center/Server.

October 2024

Security Fixes

  • Accepting an email invitation to a non-synchronized organization can no longer be used to join a team other than the one the invitation was issued for by supplying a known team id. (Thanks for the report Mohab Mohamed)

Bugfixes

  • The search on the vendor customer page now matches both the customer organization name and the customer organization short name.
  • Packages using GitHub releases no longer display changelog entries for versions with dev stability out of order.
  • Finding the changelog information for a package will now automatically be retried when receiving status codes like 429 or 5XX.

September 2024

Security Hardening

  • The number of organizations that can be created per user is now rate limited.

Features

  • Synchronizations with GitHub now use the new GitHub organization roles to determine which teams and users can access all repositories in the GitHub organization. This feature requires additional GitHub permissions: Please accept the permission request for the GitHub app or grant the read:org scope to your personal access token.

Changes

  • Package subrepository API endpoints now accept package IDs or package names, making it possible to remove duplicated packages.

Bugfixes

  • Creating a team manually through the UI now adds an entry to the organization log.
  • Fixed a race condition where Private Packagist would return outdated package metadata to Composer if a Composer request triggered the metadata to be regenerated while it was being invalidated.
  • Fixed a styling issue on the Security Monitoring page where the list of reasons was not displayed correctly when closing the security issue.
  • Update review comments on Bitbucket weren't recreated after the pull request temporarily had no composer.lock changes and the original comment was removed. This has been resolved.
  • Fixed a bug where connecting your personal account to a third-party service account already in use by another user would result in a 500 error if that user had previously unsubscribed from security notifications for individual packages.
  • The option "Enforce MFA for Login via OAuth" is no longer required to be checked when setting up Multi-factor Authentication.

August 2024

Security Hardening

  • Users cannot change their password to their current password anymore when changing it through their profile page.
  • Connecting your Private Packagist account to third-party service accounts now requires your primary email address to be verified. Otherwise, an attacker could in theory have created an account with the email address of a pending organization invitation (not possible with synchronization) and linked it to an OAuth connection, which would have preserved the attacker's access even after the legitimate user on the original email address recovered the password. (Thanks for the report Mohab Mohamed)

Changes

  • Package API endpoints now accept package IDs or package names, making it possible to remove duplicated packages.
  • The "Add Members" button on the All Organization Members team now explains why there is no invite button for organizations without synchronization.
  • Creating a new organization now shows instructions on how to set up your organization.

Bugfixes

  • The organization dashboard shows the correct number of teams. Collaborator teams without members are now excluded from the count.
  • Added missing close button to the add synchronization modal.

July 2024

Security Hardening

  • The email address confirmation link no longer automatically logs users into their account. (Thanks for the report Harshita Singh)
  • Security related changes to your user account, including password, username, email, Composer authentication token, and MFA changes, will now trigger an email to the primary email address.

Features

  • Added GitLab, GitHub, Bitbucket and Bitbucket Data Center / Server remote ids to API endpoints listing team members.

Changes

  • While setting up multi-factor authentication you can now configure if it should be enabled for login via OAuth too instead of having to do this in a separate step later.
  • Packages won't be mirrored automatically anymore when an organization's Composer repository URL is used as a mirrored repository URL in another organization.

Bugfixes

  • Reactivated removed synchronized members are no longer missing access to subrepositories.
  • Connecting via OAuth with an email address already used by another Private Packagist account now provides an error message explaining the situation.
  • The package page layout is no longer displayed too wide when the package readme contains very long commands.

June 2024

Security Fixes

  • It's no longer possible to use mirrored repository and notification channel URLs that redirect to insecure http URLs (no TLS). (Thanks for the report Dominik Prodinger and Maciej Piechota (haqpl))
  • Fixed an open redirect issue in the URL for joining a team; exploiting it required an attacker to send you a modified URL through another channel. (Thanks for the report Julian Hector)
  • Fixed a reflected XSS issue when adding and editing integrations on the organization settings page via the base URL input field. (Thanks for the report Maciej Piechota (haqpl))
  • Fixed a reflected XSS issue when creating a custom package using the form tab via the version input field. (Thanks for the report Maciej Piechota (haqpl))

Security Hardening

  • OAuth login with GitHub, GitLab, and Bitbucket now uses the OAuth 2 state parameter to prevent potential CSRF attacks. (Thanks for the report Mohan Sri Rama Krishna aka s1r1us)
  • Fixed a reflected XSS issue when uploading package archives with a malicious composer.json file. (Thanks for the report Maciej Piechota (haqpl))
  • The number of emails that can be added to notification channels in an organization is now rate limited. (Thanks for the report Zeeshan Beg x Dracula)

Changes

  • The organization log now contains additional entries when deleting a synchronization for all the teams and users that were removed from the organization.
  • Users that are deactivated, blocked, or banned and a direct member of a project in GitLab are now removed as organization members in Private Packagist when synchronized, as opposed to remaining members without the ability to log in.

Bugfixes

  • OAuth login attempts that trigger a 5XX response by the OAuth server now display the URL and status code instead of silently failing.
  • The error message on the package page does not show % placeholders anymore when a webhook URL was refused by the code hosting platform.
  • Using a very long password when registering, changing or resetting the password no longer causes the browser to become unresponsive. (Thanks for the report Ishu Manoj Jangra)
  • Update Review now leaves the same comments on Bitbucket Data Center / Server as on other code hosting platforms when PR changes are processed.

May 2024

Security Fixes

  • Fixed an issue that would have allowed an attacker to import packages from an organization into their own organization, if the package was created with the "git" type and if the attacker knew both the package's full source URL as well as the local file structure on packagist.com servers and the internal identifier used for the organization. To the best of our knowledge after reviewing logs and audit records as far back as we have them, this issue has not been exploited before discovery. (Thanks for the report Maciej Piechota (haqpl))

Features

  • The members, team members, and subrepository collaborators pages now list pending invitations for members to join and allow you to cancel an invitation. Each invitation can now also only be used once.

Changes

  • The organization log now contains entries when an invitation to join the organization or a subrepository is canceled or accepted.
  • Custom package definitions no longer support t3x archive files in dist URLs or via file upload.

Bugfixes

  • Adding a custom, artifact, or VCS package in an organization where all teams the user has access to have "All package access" no longer displays an error message saying that at least one team needs to be selected.

April 2024

Security Fixes

  • The organization log page is no longer accessible to all users in an organization. It can now only be accessed by members with admin access. (Thanks for the report Satyam Singh)
  • Billing users cannot add packages from mirrored third-party repositories anymore. Even before this fix they were only allowed to add packages by name from existing repositories. They were not able to modify repositories.

Security Hardening

  • In addition to ending all active authenticated sessions for a user when they change their password, username or email, we now also end all sessions where the user has not yet completed authentication due to an unfulfilled MFA requirement. (Thanks for the report Gaurav Dalal (webcipher101))
  • The number of subrepository collaborator invitations that can be sent in an organization is now rate limited. (Thanks for the report Zeeshan Beg x Dracula)
  • The organization login page now shows organization specific login options in a separate list with type and host information. (Thanks for the report Aditya Singh)
  • Invitation emails to the billing team no longer render user input as links. (Thanks for the report Aditya Singh)

Features

  • The security filter on the package list now also allows you to filter for abandoned packages.

Changes

  • The organization log now contains entries when a team is granted "All packages access" or that access is revoked.

Bugfixes

  • Resolved an out of memory issue when editing a credential that is used by over 5000 packages.
  • Login with Bitbucket Data Center using OAuth 1 was always causing a 500 error on Bitbucket. This is now resolved.
  • It's no longer possible to rename the Billing team. (Thanks for the report Zeeshan Beg x Dracula)
  • Synchronization runs with Bitbucket workspaces, for which group privileges cannot be fetched via API, are no longer stuck running forever. The permissions are now fetched for each repository instead.
  • In subrepositories of organizations without synchronization, team memberships can no longer be managed by members of the Admins and Owners teams. Team memberships can only be managed on the organization level. (Thanks for the report Zeeshan Beg x Dracula)

March 2024

Security Fixes

  • Team memberships for the Owners team cannot be managed via API anymore to avoid admins promoting themselves to owners. (Thanks for the report Anees Khan)
  • Added CSRF protection when granting and revoking "All package access" for teams, triggering a package update, downloading a package archive, promoting a synchronization to primary, and resending email address confirmations. (Thanks for the report Sahil Negi)

Security Hardening

  • Deleting an organization, subrepository, or user account now requires the user to enter their password to confirm. (Thanks for the report cyberyash)
  • Links in email verification emails now expire after two hours or once clicked. (Thanks for the report Khan Mamun)
  • Changing the primary user email now clears any pending password reset requests. (Thanks for the report Khan Mamun)
  • Users cannot use their own username, email or full name as a password anymore.
  • User supplied URLs, like mirrored repository, notification channel, integration, and package URLs, will be blocked if they access the private network to prevent potential SSRF attacks. (Thanks for the report Aditya Singh)
  • Cache-Control headers are now set to prevent storing potentially private data in the browser. (Thanks for the report Priyanshu Parmar)
  • Connecting and disconnecting third-party user accounts and making an email the new primary email now requires you to enter your password.
  • The number of invitations that can be sent in an organization per time is now limited. Invitation emails no longer render user input as links. (Thanks for the report cyberyash)
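The URL validation the SSRF entry above and the June 2024 entry on redirects to insecure http URLs describe, as an added example that is not Private Packagist's code: it assumes a hypothetical UnsafeUrlError type, a redirect limit of 5, and injected resolver/fetcher callables fed with constructed sample data so it runs offline.

```python
"""Validation of user-supplied URLs before the service fetches them (added
example, not Private Packagist code): reject hosts resolving to non-public
addresses (SSRF) and re-validate every redirect hop so a chain cannot end on
an insecure http:// URL. DNS and HTTP are injected so this runs offline."""
import ipaddress
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], list[str]]                 # host -> IP literals
Fetcher = Callable[[str], tuple[int, Optional[str]]]  # url -> (status, Location)
MAX_REDIRECTS = 5  # assumed limit; the page does not state one


class UnsafeUrlError(ValueError):
    """Raised when a URL must not be fetched (hypothetical error type)."""


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.5 is 10.0.0.5 in disguise: check the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, resolve: Resolver) -> list[str]:
    """Reject non-https URLs and hosts with any non-public address.

    Returns the validated addresses; connect to one of them instead of
    re-resolving the name, or a DNS rebinding can swap in a private address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeUrlError(f"{url}: scheme {parts.scheme!r} is not https")
    host = parts.hostname
    if not host:
        raise UnsafeUrlError(f"{url}: missing host")
    try:  # an IP literal in the URL is used as-is, names go through DNS
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolve(host))
    if not addresses:
        raise UnsafeUrlError(f"{url}: {host} does not resolve")
    for addr in addresses:
        # One non-public record is enough to reject a name with mixed answers.
        if not is_public_address(addr):
            raise UnsafeUrlError(f"{url}: {host} resolves to non-public {addr}")
    return addresses


def check_redirect_chain(url: str, resolve: Resolver, fetch: Fetcher) -> list[str]:
    """Follow redirects manually, validating each hop; return the visited URLs."""
    chain: list[str] = []
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        validate_outbound_url(current, resolve)
        chain.append(current)
        status, location = fetch(current)
        if status not in (301, 302, 303, 307, 308):
            return chain
        if not location:
            raise UnsafeUrlError(f"{current}: redirect without Location header")
        current = urljoin(current, location)  # Location may be relative
    raise UnsafeUrlError(f"{url}: more than {MAX_REDIRECTS} redirects")


# Constructed sample data for offline use; the hosts are not real, and
# 8.8.8.8 / 1.1.1.1 merely stand in for "some public address".
SAMPLE_DNS = {
    "repo.example.com": ["8.8.8.8"],
    "cdn.example.net": ["1.1.1.1"],
    "internal.example.com": ["10.0.0.5"],
    "mapped.example.com": ["::ffff:10.0.0.5"],
    "mixed.example.com": ["8.8.8.8", "192.168.1.20"],
}
SAMPLE_HTTP = {
    "https://repo.example.com/packages.json": (200, None),
    "https://repo.example.com/old.json": (301, "https://cdn.example.net/packages.json"),
    "https://cdn.example.net/packages.json": (200, None),
    "https://repo.example.com/legacy.json": (302, "http://cdn.example.net/packages.json"),
    "https://repo.example.com/hop.json": (302, "https://internal.example.com/packages.json"),
    "https://repo.example.com/loop.json": (302, "/loop.json"),
}


def sample_resolve(host: str) -> list[str]:
    return SAMPLE_DNS.get(host.lower(), [])


def sample_fetch(url: str) -> tuple[int, Optional[str]]:
    return SAMPLE_HTTP.get(url, (404, None))


def classify(url: str) -> str:
    """'ok' when the whole redirect chain is acceptable, else the rejection reason."""
    try:
        check_redirect_chain(url, sample_resolve, sample_fetch)
        return "ok"
    except UnsafeUrlError as exc:
        return str(exc)
```

Resolving and checking once, then connecting to the returned address, is what closes the rebinding window; a check that only inspects the hostname string is not enough.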

Features

  • The availability of packages in new subrepositories can now be set via API when creating or editing a package.

Changes

  • Names and descriptions can no longer contain '<' and '>' characters.
  • Filter lists like synchronizations, credentials, and mirrored repositories are now alphabetically ordered.
  • The Composer authentication section now also shows how to store authentication in a local auth.json file.
  • The navigation within organizations has been restructured.

Bugfixes

  • The organization members page was missing a "Free User" indicator for members that are only a member of the billing team.
  • Members of the Admins team in an organization can no longer remove members of the Owners team on the members page.
  • A mirrored repository only defining security advisories for a package, like Drupal does for drupal/core, no longer prevents automatic mirroring of that package.

February 2024

Security Fixes

  • Disconnecting a user from connected OAuth accounts is now CSRF protected. (Thanks for the report Anees Khan)

Security Hardening

  • Enabling and disabling multi-factor authentication will now automatically log you out of all other sessions.
  • Forms requiring the current user password are now protected against brute force attacks. (Thanks for the report cyberyash)
  • Forms requiring the current user's MFA code are now protected against brute force attacks.
  • Clear-Site-Data header is now set on logout to delete all potentially private data stored in the browser. (Thanks for the report cyberyash)

Features

  • Integrations with Bitbucket Data Center / Server v7.21 or newer now support Application Links using OAuth 2.

Bugfixes

  • Subrepository collaborators no longer get links in the top-level navigation dropdown that lead to a 404 not found error.
  • The subrepository overview page shows the install statistics again. It always showed 0 values even if the subrepository had installs.
  • Synchronizations with Bitbucket Data Center / Server now show the full display name and correct link to the Bitbucket Data Center / Server project.
  • The organization and subrepository search in the navigation is now case-insensitive.

January 2024

Security Fixes

  • Reset password request links now expire after two hours or as soon as the password is changed rather than being valid forever. (Thanks for the report Arslan)

Features

  • Security monitoring now reports security advisories provided by all configured mirrored third-party repositories.

Changes

  • The package list now shows when a package was last updated and shows "pending" if the package hasn't been updated yet.
  • The organization log can now be searched for packages by using the full package name in the search field.
  • Package versions for custom packages now automatically set release date when the version gets added. The date can also be manually set via the custom package edit form.
  • Package versions for uploaded artifact files now have a release date set to the time the artifact was uploaded.
  • The Composer instructions page for Private Packagist for Vendors customers now uses the organization's short name instead of private-packagist in the Composer command to configure the repository e.g. composer config repositories.your-organization composer https....

Bugfixes

  • Creating a user account via OAuth for an account that is part of a synchronized organization with subrepositories no longer causes an error.
  • Package versions without a release date defined no longer show the current date and time as release date.
  • Adding a package no longer results in a CSRF token error when the organization has more than 1000 teams.
  • Uploading files while creating or editing a custom package no longer errors when saving.

December 2023

Changes

  • The organization list in the top-level navigation dropdown now contains a searchable list of subrepositories.
  • Organization log entries for org.join and org.leave now indicate which user added the user to the organization or removed the user from the organization.
  • The organization log now contains entries indicating that the user that created the organization joined the organization and is part of the Owners and All Members teams.

November 2023

Features

  • Security issues now display the issue severity in the UI and email notifications if available.
  • Added API endpoints to view, open, and close security issues.
  • The list of vendor customers now has a search field, filters, and pagination.
  • Organizations can now require that members log in with a particular OAuth method to access Private Packagist.
  • Update Review comments now show the license when a package is added or the license is changed.
  • You can now opt notification channels into receiving notifications when security issues are closed due to withdrawal of the respective advisories.

Changes

  • Disconnecting your account from a third-party service that grants you access to one or more organizations will now require additional confirmation.
  • Organization log entries for editing a package now contain information on renames, when the name was edited.
  • The API key can now only be viewed once after creation. Only the description can be edited.
  • Resetting a password for a user with MFA enabled now requires entering an MFA code when setting the new password.
  • The add package from synchronization dialog now shows if a repository has a composer.json file but no name is defined.
  • An advisory database removing security advisories now marks security issues as closed instead of removing them.

Bugfixes

  • Adding a package from synchronization previously only had a bulk add option and an Add subdirectory button leading to the multi-package repository creation screen, resulting in erroneously created multi-package repositories. Now, there is also an Add package button for each individual repository.
  • Viewing the list of members of a subrepository no longer results in a 500 error when any subrepository member had their access to the subrepository assigned through a single team.
  • Accessing the list of customers having access to a package no longer results in a 500 error.
  • Organization synchronization runs receiving a 200 text/html response instead of a JSON response from Bitbucket, GitHub, or GitLab APIs will now display an error message and be retried later instead of being stuck.
  • Connecting another OAuth account in a previously opened tab after you were required to enter an MFA code no longer results in a server error.

October 2023

Features

  • Notification channels can now receive security notifications for changes to the state of a security issue.
  • The teams page now has a search field and a filter by synchronization to make it easier to find teams.

Changes

  • New user authentication tokens now use a new token format with a packagist_uut_ prefix.
  • Members of organizations that enforce MFA for the current login method can no longer access the profile page or other organizations they are a member of. Instead, members are asked to immediately set up MFA.
  • Synchronized VCS repositories without a composer.json file that are older than one year are now only checked once every 24 hours for new composer.json files instead of on every push to reduce the number of API requests.
  • Making changes to how members found through a synchronization are handled in the organization member settings will now add an entry to the organization log.
  • The custom package edit form now automatically collapses all versions if there are more than two versions.
  • Packages returned by the API now contain a webView link to the package page on Private Packagist.
  • New versions on the custom package edit form are now added to the top instead of the bottom.

Bugfixes

  • Resolved a bug that only allowed read-only tokens to be created in subrepositories.
  • Switching between the form and JSON tab for custom packages is now significantly faster.
  • Manually overriding a package name via the edit package form no longer causes Composer commands to error with a message that the package doesn't exist or permissions might be misconfigured.
  • Downloading an invoice no longer leads to a server error.
  • The access tab on the subrepository settings page is no longer shown. Accessing it always resulted in a 404 not found error.
  • Clicking on a team name under Available Teams within a subrepository no longer shows only a message "Content missing" instead of showing the team members.

September 2023

Security Fixes

  • Multi-factor authentication was not required after login via OAuth when an organization or user had opted to require it. The issue was introduced August 10th. Multi-Factor authentication was correctly required as configured at all times for users logging in with email/password.

Features

  • Read-only and update authentication tokens can now be created and regenerated with an expiration date after which the tokens will stop working.
  • Organizations can now configure that read-only and update authentication tokens expire after a certain amount of days.
  • Security Monitoring now uses the audit ignore config from the project's composer.json to automatically close ignored issues.
  • Added API endpoints to view and edit which branches to monitor for security issues.
  • Organizations can now configure that user authentication tokens expire and automatically regenerate on a regular basis.

Changes

  • New read-only and update authentication tokens now use a new token format with a packagist_ort_ or packagist_out_ prefix respectively.
  • The changelog page of a package now links to the source of the changelog information.
  • Read-only and update authentication tokens are now write-only. They can only be viewed once after creation and regeneration. Only the description can be edited.

Bugfixes

  • Resolved a bug that prevented authentication tokens from being created and regenerated without an expiration date.

August 2023

Features

  • The list of organization teams is now paginated, addressing performance issues while loading the page for organizations with thousands of teams.
  • Organizations can now configure a list of IPs/CIDR ranges to limit access via the web interface, the API, and Composer endpoints.

Changes

  • Users that are deactivated, blocked, or banned in GitLab are removed as organization members in Private Packagist when synchronized, as opposed to remaining members without the ability to log in.
  • Users will now be logged out when their OAuth token expires and cannot be refreshed.
  • Adding a mirrored third-party repository that doesn't return valid JSON on the packages.json endpoint now shows an error message instead of just reloading the form.

Bugfixes

  • Security advisories defining an invalid affected version constraint no longer cause the package page or the security advisories page of a package to return a 500 response.
  • Deleting a package while a background job updates the package will now queue the delete task until the package update finished to avoid server errors.
  • Suspending the Private Packagist GitHub App is now detected by the synchronization and shows a link to unsuspend the App.
  • Organizations with synchronizations from two Bitbucket Server instances with identically named projects and groups are no longer missing teams in Private Packagist.
  • Using Bitbucket Server OAuth to log in no longer causes a server error.
  • Synchronizations using a credential with a port in the domain name but matching the integration domain no longer cause a credential domain mismatch error.

July 2023

Changes

  • Regenerating read-only, update, or customer authentication tokens now adds an entry to the organization log.

Bugfixes

  • Using bitbucket.org OAuth to register a new account no longer errors if the registration form wasn't submitted for longer than an hour. The OAuth access token expired and couldn't be refreshed without errors.
  • Renaming a package and immediately using that package in a Composer command does not result in server errors anymore.
  • Accessing package versions with more than five digits as major version no longer shows an error page.
  • Creating a new integration with a name that only consists of spaces no longer results in a 500 error page, but rather an explanation.

June 2023

Changes

  • Custom package definitions submitted via the API no longer require the top-level "package" key, matching submission via the UI.

Bugfixes

  • Synchronized GitHub organizations where members have access to all repositories no longer require a full synchronization run for all synchronized members to have access to new repositories.
  • Editing the dist URL for a custom JSON package now removes the stored dist file and fetches the file from the new URL.
  • A search term not matching any VCS repositories on the add package from synchronization dialog no longer removes the search bar.
  • Mirroring new packages in a subrepository at the same time as removing the mirrored third-party repository from the subrepository no longer causes an error when accessing the packages list.
  • Inviting the same user multiple times to the same team no longer results in a 500 error.
  • The form for custom packages now shows more clearly that you can either upload a file or define a URL in the dist section of each version.

May 2023

Features

  • Install statistics are now available when fetching subrepositories via the API.

Changes

  • Added missing organization log entries for adding, editing, and deleting notification channels, as well as adding and removing notification channels from subrepositories.

Bugfixes

  • Vendor customers could accidentally use another customer's URL to access their own packages, and the other customer may have lost access to some packages as a side effect. That access has been restored, and accessing your own packages through another customer's URL is no longer possible.
  • Creating packages for new VCS repositories in the remote organization that were created while an organization is being synchronized is no longer delayed until after the synchronization run is finished.
  • Creating an integration with a base URL that is missing the host part no longer results in an error.
  • Usernames are now limited to a length of 50 characters.
  • Package links shown for a version were missing the constraint information if the constraint was self.version.
  • Deleting a team that has access to multiple subrepositories no longer results in a 500 error.

April 2023

Features

  • A new "Access All Packages" permission can be granted to teams (via UI or API). It controls whether the team has access to all non-synchronized organization packages. Revoking this access will not remove access to packages the team has access to at the time.
  • GET API endpoints can now be accessed without generating the full signature using the Authorization: PACKAGIST-TOKEN header.

Bugfixes

  • Adding teams to a subrepository right after the subrepository was created could lead to teams not having access to all packages in the subrepository.
  • Fetching an artifact file with a non-numeric ID from the API no longer returns a 500 response.
  • GitHub synchronization runs now state if they fail because of an expired GitHub personal access token.
  • Deleting a package assigned to over 50 subrepositories now deletes the package via background job to prevent memory issues.
  • Log entries are now created when teams are added or removed from a subrepository.
  • Log entries are now created when the permissions for a team are changed within a subrepository.
  • Adding a package to multiple subrepositories at once can no longer result in a 500 error.
  • Synchronizations with Bitbucket Server now detect maintenance mode and retry synchronization runs later.
  • Links to files on the changelog page for packages using GitHub releases now point to the correct URL on github.com and no longer to a 404 error page.
  • Fixed a bug where the license filter on the list of packages would show no licenses anymore after reloading the page with an empty search result.

March 2023

Features

  • The list of packages is now paginated, addressing performance issues while loading the page for organizations with thousands of packages.

Changes

  • Synchronization runs now list which users were added to the list of removed synchronized members.

Bugfixes

  • Adding a new multi-package repository to an organization will now link to the existing configuration if there is already a multi-package repository with the same URL in the organization.
  • Organizations that enforce MFA for login no longer enforce MFA once they are deleted.
  • Prevented errors when users double-submit the button that grants a team access to packages.
  • Security Alert emails now only show up to 250 security issues to avoid memory issues while generating the emails.
  • Creating new teams via the API using a name that is already in use no longer returns a 500 error response.
  • The API error response now indicates which property fails the validation if an invalid value is sent for an enum type.
  • Creating a new artifact package didn't expand the archive's composer.json file and errored on submit. This has been resolved.
  • Improved the render time of the profile page for users that are part of an organization with a lot of subrepositories.
  • A successful login via email and password for a user with MFA enabled redirected back to the login page if a first login was not successful. This now redirects to the MFA screen.

February 2023

Features

  • Added an API endpoint to fetch all synchronizations.
  • Private Packagist for Vendors users can now group packages in vendor bundles to assign the same packages to many customers.
  • The packages page now shows private packages, mirrored packages, and packages from subrepositories in a single list with a number of filters.
  • Browsing all packages of a mirrored third-party repository will now show them filtered on the packages page.

Changes

  • The list to add organization packages to a subrepository now also shows the package URL and states if the package is abandoned or part of a multi-package repository.
  • Notification channels can no longer be created on the organization security settings page; use the notification channel settings page instead.

Bugfixes

  • Unauthenticated users trying to access an organization page that requires authentication are now redirected again to their organization's custom login page if a custom integration is configured.
  • Multi-packages showed a wrong webhook URL on the package page that would return a 404 response and not update the package.
  • The package page now keeps showing the hook URL if the webhook was manually configured.
  • Fixed the update review comment link for Bitbucket, GitHub, and GitLab releases for versions where the git tag doesn't match the version specified in the composer.json file.
  • The webhook status for packages mirrored from a mirrored third-party repository that doesn't support automatic updates will now show "not supported" instead of "failed".

January 2023

Features

  • Added an API endpoint to fetch a single team.

Bugfixes

  • Mirrored third-party repositories returning an empty dist URL as part of the package metadata will no longer break Composer commands.
  • The confirm dialog shown when deleting a multi-package repository now only lists each package name once, even if some packages were added to subrepositories.
  • The packages list now correctly shows errors with the webhook setup, even if the webhook was successfully setup before.
  • Granting a vendor customer access to all packages no longer renders an error if the customer already had access to all packages.
  • Missing packages mirrored from packagist.org that were added but not updated no longer produce server errors while using Composer commands.
  • Editing the minimum stability of a vendor customer or constraints of a package assigned to a vendor customer now invalidates the local Composer cache when using Composer 2.
  • Composer 1 commands could produce a server error, causing them to fail, if the organization had several thousand packages.
  • The list of authentication tokens always showed 0 for installs in the last 30 days. This now shows the correct number again.
  • Log entries are now created for mirrored third-party repositories when creating/deleting, editing/changing permissions, and adding/removing from a subrepository.

December 2022

Changes

  • Subrepository members with edit permissions can now also add all organization packages to which they have edit access to a subrepository.
  • Synchronization runs list which repositories were added to or removed from a team.
  • Synchronization runs list which members were added to or removed from a team.
  • Private Packagist for Vendors users can now see a list of customers that have access to a private package.

Bugfixes

  • Creating a subrepository now adds packages via a background job, avoiding potential request timeouts.
  • Resolved an out of memory issue when adding a package with dependencies to a subrepository.
  • A log entry is added when a credential is created during synchronization setup.
  • Promoting a user to Owner on GitHub or Administrator on Bitbucket can no longer remove the user from synchronized organizations.
  • Deleting a vendor customer now shows the name of the customer in the confirm dialog.
  • Limitations are correctly shown when granting (or editing) a vendor customer access to a package.
  • Versions longer than 255 characters, e.g. branch names longer than 251 characters, are now truncated to 255 characters.

November 2022

Changes

  • Filenames for invoices downloaded from the billing history now follow the format Private-Packagist-INVOICEID-YYYY-MM-DD.pdf.
  • Organization and subrepository renames (name or URL slug) now create entries in the organization log.
  • Creating, editing, and deleting a multi-package repository now creates an entry in the organization log.
  • Synchronization errors are no longer displayed while a synchronization that may resolve them is running.
  • After editing a package, users are redirected back to the package page instead of the package list.

Bugfixes

  • Deleting a package, then adding a package with the same name from packagist.org can no longer lead to a stale local Composer cache when using Composer 2.
  • Adding a new mirrored third-party repository no longer produces a server error if the HTTP call to validate the mirrored repository errored with a cURL error, e.g. a request timeout.
  • Login via OAuth for users that are only part of a single organization directly redirects again to the organization instead of the organization list.
  • The error message for failing Bitbucket synchronization states the missing OAuth scopes for the credential again.
  • Downloading archive files from the package view page after switching versions works again.
  • Organization log entries for synchronization created and deleted now contain additional information about the synchronized remote organization.
  • New package entries in the organization log now use clearer values in the "Triggered By" column instead of the generic "Background Job".
  • Added missing organization log entries for teams that are created and deleted during a synchronization run.
  • Adding a package with its dependencies to a subrepository didn't add all dependencies to the subrepository if more than 1000 transitive dependencies were shown.
  • Synchronizations with Bitbucket Server were only synchronizing users with direct access to the project. Users with access via a group are now included again.

October 2022

Changes

  • Existing organization members can now be added to other organization teams by username as well as email.
  • After registration, users are asked to enable multi-factor authentication. This is only shown once.

September 2022

Features

  • Added new API endpoints to manage teams and team memberships.

August 2022

Features

  • Added a new API endpoint to list which package versions a customer has been granted access to.

Changes

  • The API now returns the date a package version was released, if known.
  • Log entries for added and edited packages now show additional information such as the clone URL, which mirrored third-party repository it was mirrored from, whether it's part of a multi-package repository, etc.

June 2022

Features

  • Multi-factor authentication has been added to user accounts. Organization owners and admins can enforce MFA for their members.

May 2022

Features

  • Added support for organization owners and admins to add additional synchronizations via integrations for self-hosted versions of GitHub Enterprise, GitLab Self-managed, and Bitbucket Data Center / Server. This was previously only available through support.
  • Update Review comments now indicate package versions that have security advisories, including a message if an update introduces package versions with known vulnerabilities.
  • Glob expressions for repositories containing multiple packages now support brace expansion (e.g. {one,two}/composer.json).

January 2022

Features

  • API credentials can now have a description
  • Added API endpoints to manage authentication tokens
  • Security issue notifications webhooks can now be configured to dispatch a separate request for each issue. This allows you to integrate webhooks with Jira.

Changes

  • Synchronizations with GitHub and GitLab have an option to not synchronize archived VCS repositories. This option is enabled by default for new synchronizations.

December 2021

Features

  • Added support for VCS repositories using the svn+ssh protocol

Changes

  • Synchronized GitLab repositories with visibility "internal" are now treated the same way as "public" repositories and are available to all members of the organization
  • Synchronized VCS repositories can now be added as multi-package repositories via the "Add Package" dialog

November 2021

Features

  • Security advisories for a package are now visible on the package page
  • Package versions affected by a security advisory are now highlighted on the package page

Changes

  • You can edit the description or the username for a credential without re-entering the password or access token
  • Synchronizations with GitLab now also recognize individual repository collaborators
  • Adding packages by URL now allows you to override the package name to import packages under an old name
  • Importing VCS repositories from bitbucket.org doesn't require adding the .git suffix anymore

October 2021

Features

  • Non-synchronized organization members can now be removed from the organization and all teams at once on the members page.
  • Subrepository collaborators can now be removed from all subrepositories at once.
  • Existing packages can now be edited to be turned into multi-packages (multiple packages in a single repository) without having to recreate them.

September 2021

Features

  • We now support GitLab group webhooks for groups with a GitLab Premium subscription; new repositories are now found when they are created rather than only when the daily full synchronization runs.
  • A new log section can be found on the organization settings page, displaying activity in the organization

Changes

  • Ordering changes on the third party mirrored repository page can now be undone.
  • The credentials page now shows a warning if any of your stored GitHub API tokens are about to expire or already expired.

July 2021

Features

  • Installation statistics are now available for organization authentication tokens and on your profile page for your personal authentication token.

Changes

  • The mirrored third-party repository list now shows in how many subrepositories a mirrored repository is available.
  • The user authentication page now shows when the user token was last used

June 2021

Features

  • Collaborators can now be added to subrepositories. They can only access selected subrepositories, but don't have access to the organization
  • The modal to add packages from a synchronization and the modal to add packages from an organization to a subrepository now allow you to add multiple packages at once
  • The package page now displays a link to the changelog and lists changelog information with the version information

Changes

  • Synchronizations with GitLab now detect when another group was invited as a member to the synchronized group

May 2021

Features

  • Added API endpoints to list all security issues for a package or an organization
  • Added a filter by security issue state to the packages list API endpoint
  • The synchronization page now lists active synchronization runs and their current progress
  • For packages using a Composer patches plugin like cweagans/composer-patches, the package page now lists patches information defined in the composer.json

April 2021

Features

  • Packages in public repositories are now available to all members of an organization instead of just those with explicitly assigned repository permissions

March 2021

Features

  • Private packages can now be marked as abandoned via the UI

February 2021

Features

  • Abandoned package notifications: Receive notifications when a package is marked as abandoned
  • Packages which have their composer.json file in a subdirectory, rather than the root directory, can now be installed with Composer like all other packages

Changes

  • Synchronizations with Bitbucket now support all Bitbucket workspaces including former user accounts
  • The package search now only searches the package name by default. The package description can still be searched as well by selecting the checkbox below the search field.
  • Subrepository URLs have been updated to not use the word "projects" anymore
  • Packages part of a multi-package repository will now show the README file of their subfolder if available and otherwise fall back to the root directory
  • Organizations synchronized with a GitLab Group will now prevent any of its GitLab subgroups from being synchronized. The parent group already imports all data from all subgroups.
  • The repository name of a collaborator team is now a link to the VCS repository
  • Renamed Bitbucket Teams to workspaces to match the naming on bitbucket.org

November 2020

Changes

  • The team members page for synchronized teams now clearly states that memberships are managed through GitHub, GitLab, or Bitbucket and shows where to manage the team
  • Artifact packages now ignore the "__MACOSX" folder in ZIP archives generated by the macOS ZIP utility when searching for a composer.json file
  • Webhooks are now unregistered on connected code hosting platforms when a package or an organization is deleted
  • Packages copied to a subrepository now have a disabled edit button explaining that they can only be edited on the organization level

October 2020

Features

  • Package release notifications: Receive notifications for every new version a package publishes
  • Added an API endpoint to upload a new file to an existing artifact package
  • Private Packagist for Vendors can now serve customer packages from your own domain

Changes

  • If your organization is synchronized with GitHub, we will now receive a webhook when you make changes to repository collaborators so they are immediately synchronized to Private Packagist.

September 2020

Features

  • Subrepository quick access: most recently visited subrepositories are shown on organization overview
  • You can now upload zip, tar.gz or tar.bz2 archives without composer.json files when creating a custom package

Changes

  • Dist URLs in lock files have been updated to contain an additional r character to avoid empty filenames if no reference is provided. This means your lock file URLs will change on the next Composer update

August 2020

Features

  • You can now download the archive file for each package version from the package view page
  • Full compatibility with Composer 2.0
  • API endpoints to create and upload artifact packages based on zip, tar.gz or tar.bz2 archive files

July 2020

Features

  • You can now upload zip, tar.gz or tar.bz2 archives containing code and a composer.json file by adding an artifact package to your organization
  • Vendors can now restrict customers to specific package version stabilities like alpha, beta, or RC
  • Security Monitoring alerts you via email, Slack, Microsoft Teams or webhook when a security vulnerability is found in one of your dependencies in composer.lock files
  • Added API endpoints to manage team package access
  • Added API endpoints to create artifact packages
  • Added support for the new Composer 2 list endpoint

June 2020

Features

  • You can now rearrange the mirrored repositories to change the order for finding new packages during automatic mirroring

Changes

  • The synchronization now automatically detects if a VCS repository is transferred from one synchronization to another on the same host, e.g. from one github.com organization to another github.com organization

May 2020

Changes

  • A download limit of 128MB was introduced for package archives. Archive downloads larger than the limit will fail, and an error will be shown on the package page.

April 2020

Features

  • The generic package hook endpoint now supports AWS SNS subscription confirmation, enabling easier integration with AWS CodeCommit
  • Enabled the new Composer repository format for improved performance on Composer 2

March 2020

Features

  • Added API endpoints to fetch dependents of a package
  • The package API endpoint now returns its configuration values: type, url, customJson and mirroredRepository
  • The package API endpoint now returns installation statistics

February 2020

Features

  • You can now create a custom package using a form to configure your composer.json metadata instead of manually entering JSON

December 2019

Features

  • You can now create authentication tokens with full update access including the automatic creation of mirrored packages, which are counted as regular users
  • A new organization drop down in the top navigation makes it easier to switch between organizations and you can always see which repository you're currently working on

November 2019

Features

  • The packages page now also lists packages with a duplicate name showing a warning that they cannot be installed
  • All packages which are replaced in the composer.json of any package you add are now automatically mirrored to prevent problems with their automatic mirroring during composer update.

October 2019

Features

  • Vendors can now disable their customers which will prevent them from installing assigned packages.
  • The packages page has been rebuilt to offer various filters to find packages and displays more package information to quickly detect problems

Changes

  • To avoid confusion with the Composer package type project, we renamed Private Packagist projects in the Agency Add-On to Subrepositories
  • Initializing a Bitbucket git repository with a URL like https://bitbucket.org/acme/repository will now automatically transform the URL into a valid git URL, e.g. https://bitbucket.org/acme/repository.git.

September 2019

Features

  • Added install graphs for overall organization installs over time
  • Packages marked as abandoned are now visible as such in the UI and show the suggested replacement

August 2019

Features

  • Added a new team permission which lets team members create projects

June 2019

Features

  • Added API endpoints to manage project packages
  • Added API endpoints to manage mirrored third party repositories

Changes

  • Added support for repositories which have a composer.json in any branch and/or tag but not the default branch
  • All public repositories added via a synchronization are now available to all members in the organization

Bugfixes

  • The Magento Composer repository at repo.magento.com occasionally changes dist files after initial publication. We no longer send these checksums to clients, as is already the case in most other places like packagist.org.

May 2019

Features

  • Added a billing history with the possibility to download previous invoices

Changes

  • The user profile now also shows the username and id of all connected OAuth accounts, e.g. GitHub, GitLab, Bitbucket
  • Synchronizations with Bitbucket now also recognize individual repository collaborators
  • New organization members added via sync can now automatically be deactivated

April 2019

Features

  • Added a new team permission which lets team members add packages and add, edit and remove credentials and mirrored third party repositories
  • When adding a new package one can now already select which teams have access to that package

March 2019

Changes

  • Improved the performance of package updates by caching versions without a composer.json
  • Renamed the Owners/Admins Team option for authentication tokens to 'All packages'.
  • The authentication tokens page now displays when the token was last used.
  • Teams with edit access right can now also assign package permissions

Bugfixes

  • Updating a package URL will now also update the source and dist information for all package versions.

February 2019

Features

  • Added an option to override the default request timeout for mirrored Composer repositories

Changes

  • Performance improvements to granting customers access to packages via API, editing credentials, renaming organizations, projects and customers and deleting packages
  • The teams page now always lists the Owners and Admins team for everyone

January 2019

Features

  • Added a search field when adding packages from synchronized repositories and when adding packages from the parent organization to a project
  • Synchronizations now list runs during the previous 48 hours and what exactly changed on each run, e.g. new users or repositories
  • The team member pages now display more information about each user, in particular the username they use on the service the team is synchronized with

Changes

  • The API now accepts customer urlNames in addition to customer ids for all API calls requiring lookup of a customer
  • The API uses the word "edit" for modifying objects instead of "update" which is usually reserved for reloading package data or the composer instruction
  • The warning about being on a free trial now shows the exact date it ends
  • Synchronizations can now be triggered by all members of an organization
  • Synchronizations show which credential is used to make requests to the external service
  • No longer displaying a warning about a missing hook for custom JSON packages which cannot be updated without editing the JSON
  • Improved typography and spacing across all pages

Bugfixes

  • Billing access now works for Admins (non-Owners) who are also on the billing team
  • Members of new teams found during synchronization are now added immediately, rather than only on the second synchronization run

December 2018

Features

  • Synchronizations can now be configured on a per-project basis
  • You can now grant teams access to view and/or manage vendor add-on customers
  • Added settings page for vendor add-on customers and an option to deliver source URLs to customers via Composer

Changes

  • When importing packages from JSON you can now select credentials to be applied
  • You can now switch which of your synchronizations should be the primary one

November 2018

Features

  • Added API endpoints to manage project authentication tokens
  • Added support for the Composer search API
  • Private Packagist for Agencies: Support for projects with a separate Composer repository, including options for mirrors, credentials and tokens to be defined for just one or a set of projects
  • Packages mirrored from packagist.org are now updated automatically within a few seconds of changes on packagist.org rather than only twice a day
  • Bitbucket Team hooks are now set up automatically to detect new packages when you create new repositories
  • Added API endpoints to manage projects as part of Private Packagist for Agencies
  • Added API endpoint to fetch all customers with access to a package as part of Private Packagist for Vendors
  • Install statistics and count of accessible packages are now shown on the customers overview page

Changes

  • Added list of versions to GET package API endpoint
  • Managing access to packages for teams now sorts the dropdown of packages and lets you search through them
  • Unauthenticated users trying to login are now redirected to their organization's custom login page if a custom integration is configured
  • The list of customers is now sorted by name
  • Changed body font color to black for more contrast
  • Added composer instructions page on the customer detail page in the Private Packagist for Vendors addon
  • Warn users if packages are configured to use credentials which do not work for the package's URL
  • Improved the package update log output to better display authentication issues
  • Package updates which fail because of external API limits are now retried once the limit resets

October 2018

Features

  • Packages now show mirror information
  • Synchronizations for existing organizations can now be set up with previously defined credentials

Changes

  • Allow a user to disconnect from their last connected third party authentication provider
  • Improved the speed of mirroring packages from packagist.org
  • Authentication tokens assigned to synchronized teams are no longer deleted if the team is removed by the synchronization; they lose access to all packages but can be reassigned to a different team
  • Improved the performance of package updates by caching version data
  • Allow deactivating members who do not have a Private Packagist account yet on the organization members page
