Composer Soak Time
Overview
Supply chain attacks are usually detected quickly by scanners like socket.dev or aikido, but you could still install a fresh malicious release in the window before it is flagged. This package enforces a minimum release age so that you can't. It is like npm's min-release-age, but for composer.
We go further, because a date filter alone can be defeated: an attacker could force-push an old tag with a backdated commit date, at least for packages not hosted on packagist. We create a composer-integrity.lock and make sure any such threat is minimized.
Main protection mechanisms
Timestamp filter: drop fresh releases.
Reference drift: a backdated tag is detected by the content-addressed SHA.
Hash pinning: re-hashes every downloaded archive to guard against cache poisoning.
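The three mechanisms above, applied in order, as an added example that is not the plugin's own code: the lock layout, the function names and the sample packages are assumptions, and the whitelist only bypasses the timestamp filter, never the integrity checks.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Pinned state, keyed by (package, version). The real plugin keeps this in
# composer-integrity.lock; this in-memory layout is an assumption of the example.
LOCK = {}

def check_release(name, version, released_at, reference, archive, now,
                  min_hours=7 * 24, trusted_vendors=(), skip=()):
    """Apply the three protections in order and return (accepted, reason)."""
    key, vendor = (name, version), name.split("/")[0]
    digest = hashlib.sha256(archive).hexdigest()
    # 1. Timestamp filter: a release younger than the soak time is dropped unless
    #    its vendor is whitelisted or the package is explicitly skipped.
    if vendor not in trusted_vendors and name not in skip:
        age_h = (now - released_at).total_seconds() / 3600
        if age_h < min_hours:
            return False, f"too fresh: {age_h:.0f}h < {min_hours}h"
    pinned = LOCK.get(key)
    if pinned is None:
        LOCK[key] = {"reference": reference, "sha256": digest}  # first sight: pin it
        return True, "accepted and pinned"
    # 2. Reference drift: the same version resolving to another commit means the tag
    #    was moved, and no backdated commit date can hide that.
    if pinned["reference"] != reference:
        return False, f"reference drift: {pinned['reference'][:7]} -> {reference[:7]}"
    # 3. Hash pinning: the archive is re-hashed on every install, so a poisoned
    #    cache or mirror is caught even when the reference still matches.
    if pinned["sha256"] != digest:
        return False, "archive hash mismatch"
    return True, "accepted"

# Constructed sample data (not from the original page).
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
GOOD, REF_A, REF_B = b"archive-bytes-1.2.0", "a" * 40, "b" * 40

def demo():
    """Run the scenarios a soak-time check must handle; returns (accepted, reason) per step."""
    LOCK.clear()
    return [
        check_release("acme/lib", "1.2.0", NOW - timedelta(hours=5), REF_A, GOOD, NOW),        # too fresh
        check_release("acme/lib", "1.2.0", NOW - timedelta(days=30), REF_A, GOOD, NOW),        # pinned
        check_release("acme/lib", "1.2.0", NOW - timedelta(days=400), REF_B, GOOD, NOW),       # tag moved
        check_release("acme/lib", "1.2.0", NOW - timedelta(days=30), REF_A, b"tampered", NOW), # poisoned
        check_release("trusted/x", "0.1.0", NOW - timedelta(hours=1), REF_A, GOOD, NOW,
                      trusted_vendors=("trusted",)),                                           # whitelisted
    ]
```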
Installation
composer require --dev innobrain/soak-time # one project
composer global require innobrain/soak-time # all local projects
The default soak time is 7 days. You can whitelist trusted vendors, declare mutable dev branches, or skip the filter for one package when you need a security patch now:
# Skip the filter for one package
SOAK_TIME_SKIP=vendor/package composer update vendor/package
# Lower the soak time to 24 hours
SOAK_TIME_HOURS=24 composer update vendor/package
Credits
Fork of cotonet/soak-time by Cotonet - Resiliência Digital. MIT.