When you update your dependencies in a pull request, Private Packagist comments with all composer.lock changes displayed in a clear and easy to scan table.
Update Review is available for synchronization with GitHub, Bitbucket and GitLab as well as GitHub Enterprise, self-managed GitLab and Bitbucket Data Center / Server.
Review dependency changes with confidence with Private Packagist
You run composer update and open a pull request that includes the composer.lock changes
We post a human-readable summary comment with all dependency changes on the pull request
You can review the update with ease and no longer risk approving unintended dependency changes
The Private Packagist Update Review experience
See all dependency changes at a glance when you open a pull request. No need to scroll through hundreds of lines of JSON diffs to try to figure out what is going on. Instead, focus on the important information and use links to code diffs between package versions and relevant changelog entries to assess the impact on your application. You don't have to browse websites, search documentation files or look for changelog files in git repositories, we'll take care of that for you!
Your dependencies are a potential attack vector
Modern applications are built on top of many third-party dependencies. And yet, reviewing changes to these dependencies is often neglected or skipped entirely because the task is so tedious. Changes introduced by a composer update can have unintended consequences: an upgrade of a dependency of a dependency may introduce an unnoticed backward compatibility break, causing bugs in your application, or pull in new, untrusted dependencies that nobody on your team has looked at. We recommend always reviewing your dependency changes carefully, and updating fewer packages at a time, but more frequently, to reduce the complexity and risk of each individual update.
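The summary described above (added / removed / upgraded / downgraded, with a link to the code diff between the two pinned commits) can be produced from two revisions of composer.lock alone. The script below is an added example written for this page, not Private Packagist's own code: it reads the `name`, `version` and `source` fields that Composer writes into the `packages` and `packages-dev` sections, classifies each change, builds a GitHub compare URL when both revisions come from the same GitHub repository, and flags newly added packages because a new name in the lock file is a new supplier of code. The two lock files and their commit references are constructed sample data; the package names and repository URLs are real, the commit hashes are placeholders.

```python
"""Summarise composer.lock changes the way a reviewer wants to read them.

Added example, not Private Packagist's code. Uses only the composer.lock
fields Composer really writes (name, version, source.type/url/reference).
"""
import re
from typing import Optional

_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(.+))?$")
_GITHUB = re.compile(r"^https://github\.com/([^/]+/[^/]+?)(?:\.git)?$")


def packages(lock: dict) -> dict:
    """Map package name -> lock entry over both package sections."""
    return {p["name"]: p for section in ("packages", "packages-dev")
            for p in lock.get(section, [])}


def version_key(version: str) -> Optional[tuple]:
    """Comparable key for a tagged Composer version; None for branch
    versions such as dev-main or 1.0.x-dev, which cannot be ordered."""
    m = _VERSION.match(version)
    if m is None:
        return None
    nums = tuple(int(x) if x else 0 for x in m.groups()[:4])
    pre = m.group(5)
    # A release sorts after its own pre-releases: 1.0.0 > 1.0.0-RC1.
    return nums + ((1, "") if pre is None else (0, pre))


def compare_link(old: dict, new: dict) -> Optional[str]:
    """GitHub compare URL old...new when both entries pin the same git repo."""
    so, sn = old.get("source", {}), new.get("source", {})
    if sn.get("type") != "git" or so.get("url") != sn.get("url"):
        return None
    m = _GITHUB.match(sn.get("url", ""))
    if m is None or not so.get("reference") or not sn.get("reference"):
        return None
    return f"https://github.com/{m.group(1)}/compare/{so['reference']}...{sn['reference']}"


def diff_lock(old_lock: dict, new_lock: dict) -> list:
    """One (name, change, from, to, link) row per package whose version or
    pinned commit differs between the two lock files."""
    old, new = packages(old_lock), packages(new_lock)
    rows = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            rows.append((name, "added", None, new[name]["version"], None))
            continue
        if name not in new:
            rows.append((name, "removed", old[name]["version"], None, None))
            continue
        a, b = old[name], new[name]
        ref_a = a.get("source", {}).get("reference")
        ref_b = b.get("source", {}).get("reference")
        if a["version"] == b["version"] and ref_a == ref_b:
            continue
        ka, kb = version_key(a["version"]), version_key(b["version"])
        if ka is None or kb is None or ka == kb:
            change = "changed"  # branch moved, or same version re-pinned
        else:
            change = "upgraded" if kb > ka else "downgraded"
        rows.append((name, change, a["version"], b["version"], compare_link(a, b)))
    return rows


def render(rows: list) -> str:
    """Plain-text table; added packages get a reminder that they introduce
    a supplier nobody has reviewed yet."""
    lines = [f"{'package':<28}{'change':<12}{'from':<10}{'to':<10}diff"]
    for name, change, frm, to, link in rows:
        note = link or ("NEW SUPPLIER, review source" if change == "added" else "")
        lines.append(f"{name:<28}{change:<12}{frm or '-':<10}{to or '-':<10}{note}")
    return "\n".join(lines)


def _entry(name: str, version: str, url: str, ref: str) -> dict:
    return {"name": name, "version": version,
            "source": {"type": "git", "url": url, "reference": ref}}


# Constructed sample lock files; commit references are placeholders.
OLD_LOCK = {
    "packages": [
        _entry("monolog/monolog", "2.8.0", "https://github.com/Seldaek/monolog.git", "aaaaaaa"),
        _entry("psr/log", "1.1.4", "https://github.com/php-fig/log.git", "bbbbbbb"),
        _entry("symfony/yaml", "v5.4.10", "https://github.com/symfony/yaml.git", "ccccccc"),
    ],
    "packages-dev": [
        _entry("acme/dev-tools", "dev-main", "https://git.example.com/acme/dev-tools.git", "ddddddd"),
    ],
}
NEW_LOCK = {
    "packages": [
        _entry("monolog/monolog", "2.9.1", "https://github.com/Seldaek/monolog.git", "eeeeeee"),
        _entry("symfony/yaml", "v5.4.9", "https://github.com/symfony/yaml.git", "fffffff"),
        _entry("acme/transitive-helper", "1.0.0", "https://git.example.com/acme/transitive-helper.git", "1111111"),
    ],
    "packages-dev": [
        _entry("acme/dev-tools", "dev-main", "https://git.example.com/acme/dev-tools.git", "2222222"),
    ],
}

if __name__ == "__main__":
    print(render(diff_lock(OLD_LOCK, NEW_LOCK)))
```

Run against the sample data it reports the monolog upgrade with a compare link, the symfony/yaml downgrade, the removed psr/log, the transitive package that appeared with no direct change to composer.json, and the dev-main branch whose pinned commit moved without any version change, which is exactly the kind of change a raw JSON diff buries. Only GitHub compare links are derived here; for other hosts the row still shows both versions so the reviewer knows what to look up.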
Read what our customers think
We love it! With the Private Packagist Update Review, we can quickly see what has changed in our lock file and not worry about unexpected consequences.
We are happy about the Private Packagist bot commenting to help us make sure we don’t accidentally commit dependency updates.
Additionally it gives us a great overview of the changes in the composer.lock in a human readable form.
So far we've enjoyed using the feature and it greatly simplifies the pull requests involving composer dependency updates. With 3 lines one can easily see what's actually changed in an otherwise hard to read change set.
Finally, there is no need to manually parse the composer.lock file changes any more! Just read through the automatically generated comment and you know exactly what has been added / upgraded / downgraded / removed. Having direct links to the respective diff and changelog is quite handy as well to quickly check what is included in the respective change.