Composer 2.9: Automatic security check for TYPO3

This article was automatically translated using DeepL. Therefore, inaccuracies may occur.

Composer 2.9 has been released, bringing blocking of insecure packages, new CLI commands for repository management and automatic conflict resolution for composer.lock: three features that make everyday TYPO3 project work easier.

Composer 2.9.0 has been released with three features that make everyday work in TYPO3 projects noticeably easier. The automatic security check and the new repository management via the CLI in particular are practical improvements for developers and agencies.

Automatic blocking of insecure packages

As of version 2.9, Composer blocks updates to package versions with known security vulnerabilities by default. When composer update would otherwise resolve to a version that has a published security advisory, that version is not installed and Composer reports the blocked update instead of silently applying it.

This is particularly relevant for TYPO3 projects: extensions and other dependencies with published security advisories are recognized automatically. This reduces the risk of inadvertently deploying vulnerable versions to production environments.

The feature is controlled by the audit.block-insecure option in the config section of composer.json. Optionally, audit.block-abandoned can be enabled as well; packages whose development has been discontinued are then blocked too.

This complements the existing composer audit command, which checks the packages pinned in composer.lock for known vulnerabilities. The two are different safeguards: blocking prevents an update from introducing a vulnerable version, whereas composer audit reports vulnerable versions that are already in the lock file and would otherwise stay there until someone updates them.

Practical example: A TYPO3 agency with dozens of customer projects can rely on audit.block-insecure (on by default, but worth setting explicitly in every project's composer.json) to ensure that no vulnerable package version is installed during the monthly composer update runs. This reduces the risk of attracting negative attention in a customer's security audit.
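The corresponding composer.json fragment, added here as an illustration (it is not taken from the article or from the Composer documentation): the config section enables both new options explicitly next to the existing audit.abandoned setting. The project name and the TYPO3 constraint are placeholders.

```json
{
    "name": "myagency/customer-site",
    "require": {
        "typo3/cms-core": "^13.4"
    },
    "config": {
        "audit": {
            "block-insecure": true,
            "block-abandoned": true,
            "abandoned": "fail"
        }
    }
}
```

Setting the options explicitly documents the intent even though block-insecure is on by default. If a specific advisory has been reviewed and the risk accepted, record its ID in audit.ignore, which the composer audit command already honours, rather than disabling block-insecure for the whole project.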

Repository management directly via CLI

Previously, adding a repository meant editing composer.json by hand or using composer config. As of version 2.9, there are dedicated CLI commands for this:

composer repo add myagency-extensions vcs github.com/myagency/typo3-extensions
composer repo add company-satis composer composer.mycompany.com
composer repo list
composer repo remove myagency-extensions

Repositories are now stored as a JSON array of objects with a name property, which makes the list easier to read and lets individual repositories be addressed by name. With --after, the position of a new repository in the list can be set when adding it. That position is not cosmetic: Composer consults repositories in the order listed and treats them as canonical, so a package name found in an earlier repository is not looked up in later ones, with Packagist coming last. Keeping your own repository for the myagency/* packages ahead of the public ones is what prevents a same-named public package from being picked up instead.

Automatically resolve lock file conflicts

If you work in a team, you probably know the problem: after a merge, composer.lock contains Git conflict markers. Composer 2.9 can resolve the simplest case automatically, namely conflicts that affect only the content-hash line.

A composer update --lock (or a normal composer update) then ignores the conflict markers and writes a clean lock file. This saves manual conflict resolution and removes a source of errors in the deployment process.

Important: automatic resolution only covers this simple case (content-hash). If the package definitions themselves conflict, for instance because two branches updated the same dependency to different versions, you still have to resolve the conflict by hand. Before committing the result, composer validate confirms that composer.json and composer.lock are consistent.

For TYPO3 agencies with several developers working on the same project, this really makes work easier.
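A small preflight check, added here as an example and not part of the article or of Composer itself: it scans the conflict markers in a composer.lock and tells you whether every conflicted hunk touches only the content-hash line (the case Composer 2.9 resolves on its own) or whether package definitions conflict and need a human. The three sample lock files it writes, including the hashes, the package name and the branch name, are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Preflight check for a merge-conflicted composer.lock.
# Added example for this article; not code from the Composer project.
# Composer 2.9 only resolves conflicts automatically when the conflicted hunks
# touch the "content-hash" line. This script reports, before you run
# `composer update --lock`, whether that applies or whether the package
# definitions themselves conflict and must be resolved by hand.
set -e

# Scan every <<<<<<< ... >>>>>>> region of a file. Return codes:
#   0  every conflicted hunk consists only of "content-hash" lines
#   1  at least one hunk contains something else (package definitions etc.)
#   2  no conflict markers at all
lock_conflict_kind() {
    awk '
        /^<<<<<<< /                         { inside = 1; seen = 1; next }
        /^[|][|][|][|][|][|][|] / && inside { next }   # diff3 base marker
        /^=======$/ && inside               { next }
        /^>>>>>>> / && inside               { inside = 0; next }
        inside && $0 !~ /^[[:space:]]*"content-hash"[[:space:]]*:/ { complex = 1 }
        END {
            if (!seen)   exit 2
            if (complex) exit 1
            exit 0
        }
    ' "$1"
}

# Human-readable verdict for one lock file.
classify_lock_conflict() {
    rc=0
    lock_conflict_kind "$1" || rc=$?
    case "$rc" in
        0) echo "content-hash-only" ;;   # safe: composer update --lock will fix it
        1) echo "package-conflict" ;;    # resolve by hand, then composer update --lock
        2) echo "no-conflict" ;;
        *) echo "error"; return 1 ;;
    esac
}

# Constructed sample lock files (hashes, package and branch names are made up).
write_sample_locks() {
    dir="$1"
    cat > "$dir/hash-only.lock" <<'EOF'
{
    "_readme": ["This file locks the dependencies of your project to a known state"],
<<<<<<< HEAD
    "content-hash": "2f1d0d9b0c6b6e2a4d5e8a1c3b7f9e0d",
=======
    "content-hash": "9a7c3e5f1b2d4c6e8f0a1b3c5d7e9f11",
>>>>>>> feature/bump-site-package
    "packages": [
        { "name": "vendor/site-package", "version": "1.3.0" }
    ]
}
EOF
    cat > "$dir/packages.lock" <<'EOF'
{
    "content-hash": "2f1d0d9b0c6b6e2a4d5e8a1c3b7f9e0d",
<<<<<<< HEAD
    "packages": [
        { "name": "vendor/site-package", "version": "1.2.0" }
    ]
=======
    "packages": [
        { "name": "vendor/site-package", "version": "1.3.0" }
    ]
>>>>>>> feature/bump-site-package
}
EOF
    cat > "$dir/clean.lock" <<'EOF'
{
    "content-hash": "9a7c3e5f1b2d4c6e8f0a1b3c5d7e9f11",
    "packages": [
        { "name": "vendor/site-package", "version": "1.3.0" }
    ]
}
EOF
}

main() {
    tmp=$(mktemp -d)
    write_sample_locks "$tmp"
    for f in "$tmp"/hash-only.lock "$tmp"/packages.lock "$tmp"/clean.lock; do
        printf '%-16s %s\n' "$(basename "$f")" "$(classify_lock_conflict "$f")"
    done
    rm -rf "$tmp"
}

main
```

Run it against your real lock file with classify_lock_conflict composer.lock. A content-hash-only verdict means composer update --lock as described above is enough; a package-conflict verdict means the hunks have to be resolved by hand first, after which composer update --lock recomputes the hash and composer validate confirms that composer.json and composer.lock agree.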

Update to Composer 2.9

The update is uncomplicated:

composer self-update
composer --version # should display 2.9.x

DDEV projects: DDEV users will probably receive Composer 2.9 automatically with one of the next DDEV releases. The blocking only helps where Composer 2.9 actually runs, so check the Composer version in your CI and deployment images as well.

Conclusion

Composer 2.9 brings no revolutionary features, but three solid improvements for everyday project work. The automatic security check is particularly relevant for agencies that maintain customer projects. CLI repository management saves time on recurring tasks. And the lock file conflict resolution reduces friction in the team workflow.

For TYPO3 projects already working with Composer, the update is straightforward - and the new features work out-of-the-box. If you want to further optimize your deployment workflows, you can find practical strategies for GitHub Actions and Deployer in TYPO3 projects in the deployment webinar.

Source: Composer 2.9 release announcement


Who writes here?

Hi, I'm Wolfgang.

Since 2006, I've been diving deep into the fascinating world of TYPO3 - it's not only my profession, but also my passion. My path has taken me through countless projects, and I have created hundreds of professional video tutorials focusing on TYPO3 and its extensions. I love unraveling complex topics and turning them into easy-to-understand concepts, which is also reflected in my trainings and seminars.

As an active member of the TYPO3 Education Committee, I am committed to keeping the TYPO3 CMS Certified Integrator exam questions up to date and challenging.

But my passion doesn't end at the screen. When I'm not diving into the depths of TYPO3, you'll often find me on my bike, exploring the scenic trails around Lake Constance. These outdoor excursions are my perfect balance - they keep my mind fresh and always provide me with new ideas.