#packagist

Six counterfeit PHP themes on Packagist hid malicious code inside fake jQuery files, silently siphoning visitor data and funnelling mobile users to gambling sites through infrastructure run by a US-sanctioned cybercrime network.

Source: Socket

Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack

Home › Vulnerabilities Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack By Ionut Arghire on October 04, 2022 Tweet Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community. Packagist is the default repository for PHP dependency manager…

Packagist.org 要搬到 AWS 上…

Packagist 打算把服務丟上 AWS：「An Update on Packagist.org Hosting」。

We decided to migrate the packagist.org website to AWS as well, including the database, metadata update workers, etc. This makes it much easier to build a highly-available setup, where machines can be rebooted or even rebuilt safely without bringing down the whole site.

不知道會搬多少上去… 目前 .com 的 packagist.com 已經上 AWS 了，但 packagist.org與主要的流量來源

PHP {7.1,7.0,5.6} 總算成為主流了…

PHP {7.1,7.0,5.6} (至少有安全性支援的版本) 佔了 90% 以上的量… 至少是有用 Composer 族群的主流了：「PHP Versions Stats – 2017.2 Edition」。 All versions Grouped PHP 7.1.10 11.63% PHP 7.1 36.63% (+18.99) PHP 7.0.22 7.95% PHP 7.0 30.76% (-5.36) PHP 5.6.31 7.38% PHP 5.6 23.28% (-8.16) PHP 5.6.30 7.23% PHP 5.5 6.11% (-4.5) PHP 7.0.24 5.45% PHP 5.4 1.51% (-1.6) PHP 7.1.11 4.55% PHP 5.3 0.76% (-0.22) 可以看出大家都在往 PHP 7.1 推了…

從 PHP 網站上的「Supported Versions」與「Unsupported Branches」可以看到今年九月初 PHP 5.4 就已經停止維護了 (包括安全性更新也停了)。 在「PHP Versions Stats – 2015 Edition」這邊利用 Packagist 的資料分析，還是可以看到很多人用 PHP 5.3 與 PHP 5.4： 唔，很符合 PHP 社群以及各家 hosting 萬年不更新的使用習慣…？