Page MenuHomePhabricator

Why doesn't Phabricator (or Arcanist, or libphutil) support Composer?
Open, NormalPublic


We are not satisfied with the security model of Composer. We believe a package manager has a substantial burden to protect and inform users, and that Composer currently fails to uphold that burden.

When you type composer require package/name, you implicitly trust both and the package owner on, who is unverifiable and not vetted. This default chain of trust is not made obvious to many users, and the package upstream may be essentially uninvolved. The circumstances in which makes package changes are not documented, the changes are not signed, and these changes are not auditable. Package owners on are not verifiable, changes they make are not signed, and their changes are not auditable. There is no chain of trust between the package upstream and None of this is very clear to the average user.

You can find more details on a specific case of this at:

We may support Composer in the future, but this upstream's attitudes toward security are currently very different from Composer's attitudes toward security.

We understand that a lot of users don't care about this, and Composer works well and is easy to use, but this is important to us.

Event Timeline

epriestley renamed this task from Why doesn't Phabricator/arcanist/libphutil support Composer? to Why doesn't Phabricator (or Arcanist, or libphutil) support Composer?.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added a project: Guides.
epriestley added a subscriber: epriestley.

You guys could always host the composer package from github and just document how to install directly from phabricator's github instead of packagist.

Not exactly related, but PEAR got compromised:

See also the 35 NPM issues every week.