
Update Review

When you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table.

Update Review is available for synchronization with GitHub, Bitbucket and GitLab as well as GitHub Enterprise, self-managed GitLab and Bitbucket Data Center / Server.


Get in touch with us. Send an E-Mail to contact@packagist.com or chat with us.

Screenshot of GitHub pull request with a comment by the Private Packagist bot

Review dependency changes with confidence with Private Packagist

You run composer update and open a pull request that includes the composer.lock changes

We post a human-readable summary comment with all dependency changes on the pull request

You can review the update with ease and no longer need to fear approving an inadvertent dependency change

Two screenshots of a GitHub pull request side by side in dark mode. The first one shows the comment created by Private Packagist and the second one shows a long diff between two JSON composer.lock files.

The Private Packagist Update Review experience

See all dependency changes at a glance when you open a pull request. No need to scroll through hundreds of lines of JSON diffs to try to figure out what is going on. Instead, focus on the important information and use links to code diffs between package versions and relevant changelog entries to assess the impact on your application. You don't have to browse websites, search documentation files or look for changelog files in git repositories, we'll take care of that for you!

Screenshot of the changelog of the package bitbucket/client in Private Packagist

Your dependencies are a potential attack vector

Modern applications are built on top of many third-party dependencies. And yet, reviewing changes to these dependencies is often neglected or skipped entirely because the task is so tedious. Changes to dependencies introduced by a composer update can have unintended consequences. An upgrade of a dependency of a dependency may introduce unnoticed backward compatibility breaks, causing bugs in your application, or introduce new untrusted dependencies. We recommend always reviewing your dependency changes carefully, and updating fewer packages at a time but more frequently, to reduce the complexity and risk of each individual update.
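The kind of classification the review comment performs, as an added example that is not Private Packagist's code: it compares the package lists of two composer.lock files and sorts every difference into added, removed, upgraded, downgraded or changed, so a newly introduced transitive dependency is listed on its own rather than buried in a JSON diff. The sample lock data is constructed and trimmed to the fields the code reads.

```python
"""Summarise package changes between two composer.lock files (added example,
not Private Packagist's code): each package in "packages" and "packages-dev"
is classified as added, removed, upgraded, downgraded or changed, so new
(possibly transitive) dependencies stand out in review."""
import re

def version_key(version):
    """Sortable key for 'v1.2.3' or '1.0.0-beta1'; dev-* branches yield None
    (not orderable); a pre-release suffix sorts below the stable release."""
    if version.startswith("dev-"):
        return None
    main, _, suffix = version.lstrip("v").partition("-")
    return (tuple(int(p) for p in re.findall(r"\d+", main)), suffix == "", suffix.lower())

def locked_versions(lock):
    """Map package name -> locked version across both lock sections."""
    return {p["name"]: p["version"] for section in ("packages", "packages-dev")
            for p in lock.get(section, [])}

def lock_changes(old_lock, new_lock):
    """Return {'added': [...], 'removed': [...], 'upgraded': [...],
    'downgraded': [...], 'changed': [...]} with 'name old -> new' entries."""
    old, new = locked_versions(old_lock), locked_versions(new_lock)
    changes = {k: [] for k in ("added", "removed", "upgraded", "downgraded", "changed")}
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            changes["added"].append(f"{name} {new[name]}")
        elif name not in new:
            changes["removed"].append(f"{name} {old[name]}")
        elif old[name] != new[name]:
            ko, kn = version_key(old[name]), version_key(new[name])
            if ko is None or kn is None or ko == kn:
                kind = "changed"  # branch version or only metadata differs
            else:
                kind = "upgraded" if kn > ko else "downgraded"
            changes[kind].append(f"{name} {old[name]} -> {new[name]}")
    return changes

# Constructed sample lock data, trimmed to the fields used above.
OLD_LOCK = {"packages": [{"name": "monolog/monolog", "version": "2.9.1"},
                         {"name": "psr/log", "version": "1.1.4"},
                         {"name": "symfony/polyfill-php80", "version": "v1.27.0"}],
            "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.3"}]}
NEW_LOCK = {"packages": [{"name": "monolog/monolog", "version": "3.4.0"},
                         {"name": "psr/log", "version": "3.0.0"},
                         {"name": "acme/unexpected-helper", "version": "dev-main"}],
            "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.28"}]}
```

Run `lock_changes(OLD_LOCK, NEW_LOCK)` on the samples and the new `acme/unexpected-helper` branch dependency appears under `added`, while the phpunit change is reported as a downgrade rather than hidden among upgrades.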

Two screenshots of a GitHub pull request side by side. The first one shows the comment created by Private Packagist and the second one shows a long diff between two JSON composer.lock files.

Read what our customers think

We love it! With the Private Packagist Update Review, we can quickly see what has changed in our lock file and not worry about unexpected consequences.

Rafael Dohms
Momentive

We are happy about the Private Packagist bot commenting to help us make sure we don’t accidentally commit dependency updates.
Additionally it gives us a great overview of the changes in the composer.lock in a human readable form.

Markus Staab
Complex

So far we've enjoyed using the feature and it greatly simplifies the pull requests involving composer dependency updates. With 3 lines one can easily see what's actually changed in an otherwise hard to read change set.

Constantin Șerban-Rădoi
GetYourGuide

Finally, there is no need to manually parse the composer.lock file changes any more! Just read through the automatically generated comment and you know exactly what has been added / upgraded / downgraded / removed. Having direct links to the respective diff and changelog is quite handy as well to quickly check what is included in the respective change.

Simon Sprankel
CustomGento

Do you have any questions or are you missing anything? Contact us at contact@packagist.com or chat with us.