Changelog for Private Packagist Cloud
Private Packagist Self-Hosted
You can find the changelog for Private Packagist Self-hosted, our on-premise product, on https://packagist.com/docs/enterprise/changelog.
- Install statistics are now available when fetching subrepositories via the API.
- Vendor customers could use another customer's URL by accident to access their own packages, but the other customer may have lost access to some packages as a side effect. This access has been restored and accessing your own packages through a wrong URL is no longer possible.
- Creating new VCS repositories in the remote organization while an organization is being synchronized is no longer delayed until after the synchronization run is finished.
- Creating an integration with a base URL that is missing the host part no longer results in an error.
- Usernames are now limited to a length of 50 characters.
- Package links shown for a version were missing the constraint information if the constraint was self.version.
- Deleting a team that has access to multiple subrepositories no longer results in a 500 error.
- Added missing organization log entries for adding, editing, and deleting notification channels, as well as adding and removing notification channels from subrepositories.
- New "Access All Packages" permission can be granted to teams (via both UI and API). Controls whether the team has access to all not-synchronized organization packages. Revoking this access will not remove access to the packages they already have access to.
- GET API endpoints can now be accessed without generating the full signature using the Authorization: PACKAGIST-TOKEN header.
- Adding teams to a subrepository right after the subrepository was created could lead to teams not having access to all packages in the subrepository.
- Fetching an artifact file with a non-numeric ID from the API no longer returns a 500 response.
- GitHub synchronization runs now state if they fail because of an expired GitHub personal access token.
- Deleting a package assigned to over 50 subrepositories now deletes the package via background job to prevent memory issues.
- Log entries are now created when teams are added or removed from a subrepository.
- Log entries are now created when the permissions for a team are changed within a subrepository.
- Adding a package to multiple subrepositories at once can no longer result in a 500 error.
- Synchronizations with Bitbucket Server now detect maintenance mode and retry synchronization runs later.
- Links to files on the changelog page for packages using GitHub releases now point to the correct URL on github.com and no longer to a 404 error page.
- Fixed a bug where the license filter on the list of packages would show no licenses anymore after reloading the page with an empty search result.
- The list of packages is now paginated, addressing performance issues while loading the page for organizations with thousands of packages.
- Synchronization runs now list which users were added to the list of removed synchronized members.
- Adding a new multi-package repository to an organization will now link to the existing configuration if there is already a multi-package repository with the same URL in the organization.
- Organizations that enforce MFA for login no longer enforce MFA once they are deleted.
- Prevent errors when users double-submit the grant team access to packages button.
- Security Alert emails now only show up to 250 security issues to avoid memory issues while generating the emails.
- Creating new teams via the API using a name that is already in use no longer returns a 500 error response.
- The API error response now indicates which property fails the validation if an invalid value is sent for an enum type.
- Creating a new artifact package didn't expand the archive's composer.json file and errored on submit. This has been resolved.
- Improved the render time of the profile page for users that are part of an organization with a lot of subrepositories.
- A successful login via email and password for a user with MFA enabled redirected back to the login page if a first login was not successful. This redirects now to the MFA screen.
- Added an API endpoint to fetch all synchronizations.
- Private Packagist for Vendors users can now group packages in vendor bundles to assign the same packages to many customers
- The list to add organization packages to a subrepository now also shows the package URL and states if the package is abandoned or part of a multi-package repository.
- The packages page now shows private packages, mirrored packages, and packages from subrepositories in a single list.
- Browsing all packages of a mirrored third-party repository will now show them filtered on the packages page.
- Notification channels can no longer be created on the organization security settings page, use the notification channel settings page instead.
- Unauthenticated users trying to access an organization page that requires authentication are now redirected again to their organization's custom login page if a custom integration is configured.
- Multi-packages showed a wrong webhook URL on the package page that would return a 404 response and not update the package.
- The package page now keeps showing the hook URL if the webhook was manually configured.
- Fixed the update review comment link for Bitbucket, GitHub, and GitLab releases for versions where the git tag doesn't match the version specified in the composer.json file.
- The webhook status for packages mirrored from a mirrored third-party repository that isn't supporting automatic updates will now show "not supported" instead of "failed".
- Added an API endpoint to fetch a single team.
- Mirrored third-party repositories returning an empty dist URL as part of the package metadata will no longer break Composer commands.
- The confirm dialog shown when deleting a multi-package repository now only lists each package name once, even if some packages were added to a subrepository.
- The packages list now correctly shows errors with the webhook setup, even if the webhook was successfully set up before.
- Granting a vendor customer access to all packages no longer renders an error if the customer already had access to all packages.
- Missing packages mirrored from packagist.org that were added but not updated don't produce a server error while using Composer commands.
- Editing the minimum stability of a vendor customer or constraints of a package assigned to a vendor customer now invalidates the local Composer cache when using Composer 2.
- Composer 1 commands could produce a server error in case the organization had several thousands of packages causing Composer commands to fail.
- The list of authentication tokens always showed 0 for installs in the last 30 days. This now shows the correct number again.
- Log entries are now created for mirrored third-party repositories when creating/deleting, editing/changing permissions, and adding/removing from a subrepository.
- Subrepository members with edit permissions can now also add all packages where they have edit access to a subrepository.
- Synchronization runs list which repositories were added to or removed from a team.
- Synchronization runs list which members were added to or removed from a team.
- Private Packagist for Vendors users can now see a list of customers that have access to a private package.
- Creating a subrepository now adds packages via a background job, avoiding potential request timeouts.
- Resolved an out of memory issue when adding a package with dependencies to a subrepository.
- A log entry is added when a credential is created during synchronization setup.
- Promoting a user to Owner on GitHub or Administrator on Bitbucket can no longer remove the user from synchronized organizations.
- Deleting a vendor customer now shows the name of the customer in the confirm dialog.
- Limitations are correctly shown when granting (or editing) a vendor customer access to a package.
- Versions longer than 255 characters, e.g. branch names longer than 251 characters, are now truncated to 255 characters.
- Filenames for invoices downloaded from the billing history now follow the format Private-Packagist-INVOICEID-YYYY-MM-DD.pdf.
- Organization and subrepository renames (name or URL slug) now create entries in the organization log.
- Creating, editing, and deleting a multi-package repository now creates an entry in the organization log.
- Synchronization errors are not displayed anymore while a synchronization is running.
- After editing a package users are redirected back to the package page instead of the package list.
- Deleting a package, then adding a package with the same name from packagist.org can no longer lead to a stale local Composer cache when using Composer 2.
- Adding a new mirrored third-party repository no longer produces a server error if the HTTP call to validate the mirrored repository errored with a cURL error, e.g. a request timeout.
- Login via OAuth for users that are only part of a single organization directly redirects again to the organization instead of to the organization list.
- The error message for failing Bitbucket synchronization states the missing OAuth scopes for the credential again.
- Downloading archive files from the package view page after switching versions works again.
- Organization log entries for synchronization created and deleted now contain additional information about the synchronized remote organization.
- New package entries in the organization log now use clearer values in the "Triggered By" column instead of the generic "Background Job".
- Added missing organization log entries for teams that are created and deleted during a synchronization run.
- Adding a package with its dependencies to a subrepository didn't add all dependencies to the subrepository in case over 1000 transitive dependencies were shown.
- Synchronizations with Bitbucket Server were only synchronizing users with direct access to the project. This includes again users with access via a group.
- Existing organization members can now be added to other organization teams by username as well as email.
- After registration, users are asked to enable multi-factor authentication. This is only shown once.
- Added new API endpoints to manage teams and team memberships.
- Added a new API endpoint to list which package versions a customer has been granted access to.
- The API now returns the date a package version was released, if known.
- Log entries for added and edited packages now show additional information such as clone URL, which mirrored third-party repository it was mirrored from, if it's part of a multi-package repository, etc.
- Multi-factor authentication has been added to user accounts. Organization owners and admins can enforce MFA for their members.
- Added support for organization owners and admins to add additional synchronizations via integrations for self-hosted versions of GitHub Enterprise, GitLab Self-managed, and Bitbucket Data Center / Server. This was previously only available through support.
- Update Review comments now indicate package versions that have security advisories, including a message if an update introduces package versions with known vulnerabilities.
- Glob expressions for repositories containing multiple packages now support brace expansion (eg,
- API credentials can now have a description
- Added API endpoints to manage authentication tokens
- Security issue notifications webhooks can now be configured to dispatch a separate request for each issue. This allows you to integrate webhooks with Jira.
- Synchronizations with GitHub and GitLab have an option to not synchronize archived VCS repositories. This option is enabled by default for new synchronizations.
- Added support for VCS repositories using the svn+ssh protocol
- Synchronized GitLab repositories with visibility "internal" are now treated the same way as "public" repositories and are available to all members of the organization
- Synchronized VCS repositories can now be added as multi-package repositories via the "Add Package" dialog
- Security advisories for a package are now visible on the package page
- Package versions affected by a security advisory are now highlighted on the package page
- You can edit the description or the username for a credential without re-entering the password or access token
- Synchronizations with GitLab now also recognize individual repository collaborators
- Adding packages by URL now allows you to override the package name to import packages under an old name
- Importing VCS repositories from bitbucket.org doesn't require adding the .git suffix anymore
- Non-synchronized organization members can now be removed from the organization and all teams at once on the members page.
- Subrepository collaborators can now be removed from all subrepositories at once.
- Existing packages can now be edited to be turned into multi-packages (multiple packages in a single repository) without having to recreate them.
- We now support GitLab group webhooks for groups with a GitLab Premium subscription. This will now find new repositories when they are created and not only once the daily full synchronization runs.
- A new log section can be found on the organization settings page, displaying activity in the organization
- Ordering changes on the third party mirrored repository page can now be undone.
- The credentials page now shows a warning if any of your stored GitHub API tokens are about to expire or already expired.
- Installation statistics are now available for organization authentication tokens and on your profile page for your personal authentication token.
- The mirrored third-party repository list now shows in how many subrepositories a mirrored repository is available.
- The user authentication page now shows when the user token was last used
- Collaborators can now be added to subrepositories. They can only access selected subrepositories, but don't have access to the organization
- The modal to add packages from a synchronization and the modal to add packages from an organization to a subrepository now allow you to add multiple packages at once
- The package page now displays a link to the changelog and lists changelog information with the version information
- Synchronizations with GitLab now detect when another group was invited as a member to the synchronized group
- Added API endpoints to list all security issues for a package or an organization
- Added a filter by security issue state to the packages list API endpoint
- The synchronization page now lists active synchronization runs and their current progress
- For packages using a Composer patches plugin like cweagans/composer-patches, the package page now lists patches information defined in the composer.json
- Packages in public repositories are now available to all members of an organization instead of just those with explicitly assigned repository permissions
- Private packages can now be marked as abandoned via the UI
- Abandoned package notifications: Receive notifications when a package is marked as abandoned
- Packages which have their composer.json file in a subdirectory, rather than the root directory, can now be installed with Composer like all other packages
- Synchronizations with Bitbucket now support all Bitbucket workspaces including former user accounts
- The package search now only searches the package name by default. The package description can still be searched as well by selecting the checkbox below the search field.
- Subrepository URLs have been updated to not use the word "projects" anymore
- Packages part of a multi-package repository will now show the README file of their subfolder if available and otherwise fall back to the root directory
- Organizations synchronized with a GitLab Group will now prevent any of its GitLab subgroups from being synchronized. The parent group already imports all data from all subgroups.
- The repository name of a collaborator team is now a link to the VCS repository
- Renamed Bitbucket Teams to workspaces to match the naming on bitbucket.org
- The team members page for synchronized teams now clearly states that memberships are managed through GitHub, GitLab, or Bitbucket and shows where to manage the team
- Artifact packages now ignore the "__MACOSX" folder in ZIP archives generated by the macOS ZIP utility when searching for a composer.json file
- Webhooks are now unregistered on connected code hosting platforms when a package or an organization is deleted
- Packages copied to a subrepository now have a disabled edit button explaining that they can only be edited on the organization level
- Package release notifications: Receive notifications for every new version a package publishes
- Added an API endpoint to upload a new file to an existing artifact package
- Private Packagist for Vendors can now serve customer packages from your own domain
- If your organization is synchronized with GitHub, we will now receive a webhook when you make changes to repository collaborators so they are immediately synchronized to Private Packagist.
- Subrepository quick access: most recently visited subrepositories are shown on organization overview
- You can now upload zip, tar.gz or tar.bz2 archives without composer.json files when creating a custom package
- Dist URLs in lock files have been updated to contain an additional r character to avoid empty filenames if no reference is provided. This means your lock file URLs will change on the next Composer update
- You can now download the archive file for each package version from the package view page
- Full compatibility with Composer 2.0
- API endpoints to create and upload artifact packages based on zip, tar.gz or tar.bz2 archive files
- You can now upload zip, tar.gz or tar.bz2 archives containing code and a composer.json file by adding an artifact package to your organization
- Vendors can now restrict customers to specific package version stabilities like alpha, beta, or RC
- Security Monitoring alerts you via email, Slack, Microsoft Teams or webhook when a security vulnerability is found in one of your dependencies in composer.lock files
- Added API endpoints to manage team package access
- Added API endpoints to create artifact packages
- Added support for the new Composer 2 list endpoint
- You can now rearrange the mirrored repositories to change the order for finding new packages during automatic mirroring
- The synchronization now automatically detects if a vcs repository gets transferred from one synchronization to another synchronization on the same host e.g. from one github.com organization to another github.com organization
- For package archives a download limit of 128MB was introduced. Archive downloads that are larger than the limit will fail, and an error on the package page will be shown.
- The generic package hook endpoint now supports AWS SNS subscription confirmation, enabling easier integration with AWS CodeCommit
- Enabled the new Composer repository format for improved performance on Composer 2
- Added API endpoints to fetch dependents of a package
- The package API endpoint now returns its configuration values: type, url, customJson and mirroredRepository
- The package API endpoint now returns installation statistics
- You can now create a custom package using a form to configure your composer.json metadata instead of manually entering JSON
- You can now create authentication tokens with full update access including the automatic creation of mirrored packages, which are counted as regular users
- A new organization drop down in the top navigation makes it easier to switch between organizations and you can always see which repository you're currently working on
- The packages page now also lists packages with a duplicate name showing a warning that they cannot be installed
- All packages which are replaced in the composer.json of any package you add, are now automatically mirrored to prevent problems with their automatic mirroring during composer update.
- Vendors can now disable their customers which will prevent them from installing assigned packages.
- The packages page has been rebuilt to offer various filters to find packages and displays more package information to quickly detect problems
- To avoid confusion with the Composer package type project, we renamed Private Packagist projects in the Agency Add-On to Subrepositories
- Initializing a Bitbucket git repository with a url like https://bitbucket.org/acme/repository will now automatically transform the url into a valid git url e.g.
- Added install graphs for overall organization installs over time
- Packages marked as abandoned are now visible as such in the UI and show the suggested replacement
- Added a new team permission which lets team members create projects
- Added API endpoints to manage project packages
- Added API endpoints to manage mirrored third party repositories
- Added support for repositories which have a composer.json in any branch and/or tag but not the default branch
- All public repositories added via a synchronization are now available to all members in the organization
- The Magento Composer repository at repo.magento.com occasionally changes dist files after initial publication. We no longer send these checksums to clients, as is already the case in most other places like packagist.org.
- Added a billing history with the possibility to download previous invoices
- The user profile now also shows the username and id of all connected OAuth accounts, e.g. GitHub, GitLab, Bitbucket
- Synchronizations with Bitbucket now also recognize individual repository collaborators
- New organization members added via sync can now automatically be deactivated
- Added a new team permission which lets team members add packages and add, edit and remove credentials and mirrored third party repositories
- When adding a new package one can now already select which teams have access to that package
- Improved the performance of package updates by caching versions without a composer.json
- Renamed the Owners/Admins Team option for authentication tokens to 'All packages'.
- The authentication tokens page now displays when the token was last used.
- Teams with edit access rights can now also assign package permissions
- Updating a package url will now also update the source and dist information for all package versions.
- Added an option to override the default request timeout for mirrored Composer repositories
- Performance improvements to granting customers access to packages via API, editing credentials, renaming organizations, projects and customers and deleting packages
- The teams page now always lists the Owners and Admins team for everyone
- Added a search field when adding packages from synchronized repositories and when adding packages from the parent organization to a project
- Synchronizations now list runs during the previous 48 hours and what exactly changed on each run, e.g. new users or repositories
- The team member pages now display more information about each user, in particular the username they use on the service the team is synchronized with
- The API now accepts customer urlNames in addition to customer ids for all API calls requiring lookup of a customer
- The API uses the word "edit" for modifying objects instead of "update" which is usually reserved for reloading package data or the composer instruction
- The warning about being on a free trial now shows the exact date it ends
- Synchronizations can now be triggered by all members of an organization
- Synchronizations show which credential is used to make requests to the external service
- No longer displaying a warning about a missing hook for custom JSON packages which cannot be updated without editing the JSON
- Improved typography and spacing across all pages
- Billing access now works for Admins (non-Owners) who are also on the billing team
- Members of new teams found during synchronization are now added immediately, rather than only on the second synchronization run
- Synchronizations can now be configured on a per-project basis
- You can now grant teams access to view and/or manage vendor add-on customers
- Added settings page for vendor add-on customers and an option to deliver source URLs to customers via Composer
- When importing packages from JSON you can now select credentials to be applied
- You can now switch which of your synchronizations should be the primary one
- Added API endpoints to manage project authentication tokens
- Added support for the Composer search API
- Private Packagist for Agencies: Support for projects with a separate Composer repository, including options for mirrors, credentials and tokens to be defined for just one or a set of projects
- Packages mirrored from packagist.org are now updated automatically within a few seconds of changes on packagist.org rather than only twice a day
- Bitbucket Team hooks are now set up automatically to detect new packages when you create new repositories
- Added API endpoints to manage projects as part of Private Packagist for Agencies
- Added API endpoint to fetch all customers with access to a package as part of Private Packagist for Vendors
- Install statistics and count of accessible packages are now shown on the customers overview page
- Added list of versions to GET package API endpoint
- Managing access to packages for teams now sorts the dropdown of packages and lets you search through them
- Unauthenticated users trying to log in are now redirected to their organization's custom login page if a custom integration is configured
- The list of customers is now sorted by name
- Changed body font color to black for more contrast
- Added composer instructions page on the customer detail page in the Private Packagist for Vendors addon
- Warn users if packages are configured to use credentials which do not work for the package's URL
- Improved the package update log output to better display authentication issues
- Package updates which fail because of external API limits are now retried once the limit resets
- Packages now show mirror information
- Synchronizations for existing organizations can now be set up with previously defined credentials
- Allow a user to disconnect from their last connected third party authentication provider
- Improved the speed of mirroring packages from packagist.org
- Authentication tokens assigned to synchronized teams won't be deleted anymore if the team gets removed by the synchronization; they lose access to all packages but can be reassigned to a different team
- Improved the performance of package updates by caching version data
- Allow deactivating members who do not have a Private Packagist account yet on the organization members page