Composer Soak Time

Overview

Supply chain attacks are usually detected quickly by scanners like socket.dev or Aikido, but you could still install a malicious release in the window before it is flagged. This package enforces a minimum release age so that you can't. It's like npm's min-release-age, but for Composer.

We go further, since a date filter alone can be defeated: an attacker could force-push an old tag with a backdated commit date, at least for packages not hosted on Packagist. We therefore create a composer-integrity.lock and use it to minimize that threat.

Main protection mechanisms

  • Timestamp filter: drop releases younger than the soak time.

  • Reference drift: a backdated tag is detected because its content-addressed SHA no longer matches the pinned reference.

  • Hash pinning: every downloaded archive is re-hashed to guard against cache poisoning.
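To make the three mechanisms concrete, here is an added, stand-alone sketch of the checks described above, run over constructed package metadata. It is illustration written for this page, not code from the innobrain/soak-time plugin: the function names, the shape of the pinned data (a vendor/package → version → reference and sha256 map standing in for composer-integrity.lock), the sample SHAs and archive bytes, and the reading of SOAK_TIME_SKIP as bypassing only the timestamp filter are all assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Names, the pinned-data shape
// and all sample values below are assumptions made for this example.
declare(strict_types=1);

const SOAK_TIME_HOURS = 7 * 24; // default soak time of 7 days, in hours

/** Timestamp filter: true when the release is at least $soakHours old. */
function isSoaked(string $releasedAt, DateTimeImmutable $now, int $soakHours = SOAK_TIME_HOURS): bool
{
    $age = $now->getTimestamp() - (new DateTimeImmutable($releasedAt))->getTimestamp();
    return $age >= $soakHours * 3600;
}

/** Reference drift: a backdated re-tag keeps its new commit SHA, so compare it to the pinned one. */
function referenceDrifted(array $pinned, string $name, string $version, string $reference): bool
{
    return isset($pinned[$name][$version]['reference'])
        && !hash_equals($pinned[$name][$version]['reference'], $reference);
}

/** Hash pinning: re-hash the archive bytes so a poisoned cache cannot swap content unnoticed. */
function archiveHashMatches(array $pinned, string $name, string $version, string $archiveBytes): bool
{
    $expected = $pinned[$name][$version]['sha256'] ?? null;
    return $expected !== null && hash_equals($expected, hash('sha256', $archiveBytes));
}

/** Run all three checks; returns the reasons a candidate is rejected (empty array = allowed). */
function rejectionReasons(array $candidate, array $pinned, DateTimeImmutable $now, array $env = []): array
{
    $reasons = [];
    $name    = $candidate['name'];
    $version = $candidate['version'];

    // Assumption: SOAK_TIME_SKIP=vendor/package bypasses only the timestamp filter for that package,
    // and SOAK_TIME_HOURS lowers the required age; the pin checks still apply.
    $skipped = ($env['SOAK_TIME_SKIP'] ?? '') === $name;
    $hours   = (int) ($env['SOAK_TIME_HOURS'] ?? SOAK_TIME_HOURS);

    if (!$skipped && !isSoaked($candidate['released_at'], $now, $hours)) {
        $reasons[] = "release is younger than {$hours}h";
    }
    if (referenceDrifted($pinned, $name, $version, $candidate['reference'])) {
        $reasons[] = 'source reference differs from pinned SHA (possible backdated tag)';
    }
    if (isset($pinned[$name][$version]) && !archiveHashMatches($pinned, $name, $version, $candidate['archive'])) {
        $reasons[] = 'archive hash differs from pinned hash (possible cache poisoning)';
    }
    return $reasons;
}

// Constructed sample data: one previously pinned version and three candidate installs.
$now         = new DateTimeImmutable('2024-06-15T12:00:00Z');
$goodArchive = 'constructed-archive-bytes-for-1.2.0';
$pinned = [
    'acme/lib' => ['1.2.0' => ['reference' => 'aaaa1111', 'sha256' => hash('sha256', $goodArchive)]],
];
$candidates = [
    // Fresh release published three hours ago: fails the timestamp filter.
    ['name' => 'acme/lib', 'version' => '1.3.0', 'released_at' => '2024-06-15T09:00:00Z',
     'reference' => 'bbbb2222', 'archive' => 'new-bytes'],
    // Backdated re-tag of 1.2.0: old date passes the filter, but the commit SHA no longer matches the pin.
    ['name' => 'acme/lib', 'version' => '1.2.0', 'released_at' => '2024-01-01T00:00:00Z',
     'reference' => 'cccc3333', 'archive' => $goodArchive],
    // Poisoned cache: right version and SHA, but the archive bytes differ from the pinned hash.
    ['name' => 'acme/lib', 'version' => '1.2.0', 'released_at' => '2024-01-01T00:00:00Z',
     'reference' => 'aaaa1111', 'archive' => 'tampered-bytes'],
    // Untouched pinned release: passes all three checks.
    ['name' => 'acme/lib', 'version' => '1.2.0', 'released_at' => '2024-01-01T00:00:00Z',
     'reference' => 'aaaa1111', 'archive' => $goodArchive],
];

foreach ($candidates as $c) {
    $reasons = rejectionReasons($c, $pinned, $now);
    printf("%s %s: %s\n", $c['name'], $c['version'],
        $reasons ? 'REJECT (' . implode('; ', $reasons) . ')' : 'allow');
}
```

Run with `php soak-check.php`: the first three candidates are rejected, each for a different one of the three reasons, and the last is allowed. Passing `['SOAK_TIME_SKIP' => 'acme/lib']` as the fourth argument lets the fresh 1.3.0 through while the two pin checks still fire on the tampered candidates, which is why the lock file matters even when you decide to skip the soak time for an urgent patch.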

Installation

composer require --dev innobrain/soak-time   # one project
composer global require innobrain/soak-time  # all local projects

The default soak time is 7 days. You can whitelist trusted vendors, declare mutable dev branches, or skip the filter for a single package when you need a security patch right now:

# Skip the filter for one package
SOAK_TIME_SKIP=vendor/package composer update vendor/package

# Lower the soak time for this run
SOAK_TIME_HOURS=24 composer update vendor/package

Credits

Fork of cotonet/soak-time by Cotonet - Resiliência Digital. MIT.