Composer Security Update (CVE-2021-29472)

News

April 27th, 2021

packagist-leader.jpg

Composer had a security vulnerability reported (CVE-2021-29472) and a new version has been released to address this. Everyone should run composer self-update to get v2.0.13 which includes the fix.

According to their announcment:

As a precaution after updating Composer we recommend you audit your composer.lock files to ensure they only contain URLs and none which start with -- , e.g. --config and could be considered command line options. Should you find any such URL values despite our belief that this vulnerability was not exploited in the wild, please contact us immediately by email to security@packagist.org.

In general we always recommend you review changes you make to your lock files to ensure no untrusted dependencies or external URLs are introduced to your application. Please note that Packagist.org is only a metadata server and package contents are downloaded from a location chosen by the package maintainers. Private Packagist will store copies of mirrored package contents, so Composer can download them from there, but the lock files will still contain the maintainers' original URLs for reference and as a fallback.

Read more about this in the Packagist official announcement

Filed in:

Eric L. Barnes

Eric is the creator of Laravel News and has been covering Laravel since 2012.