Schedule FrOSCon 2026

Lecture

Supply Chain Security in the PHP Ecosystem

August 15, 2026 HS 7 en Security

Every modern PHP application is built on a foundation of third-party packages, each with its own dependencies and its own trust assumptions. Recent supply chain attacks in neighbouring ecosystems have made it painfully clear that what ends up in your vendor directory matters as much as the code you write yourself.

For years, the PHP ecosystem relied on informal tooling to keep vulnerable packages out: reports printed after an install had already completed, and a clever abuse of the dependency resolver's conflict rules to make known-bad versions uninstallable. Recent Composer versions have replaced both with something stronger: advisory enforcement has moved into the resolver itself, and the same machinery has been generalised so that malware flags, policy rules, and whatever category comes next can plug into the same pipeline.

This talk walks through the PHP software stack's supply chain from the bottom up. Where does advisory data come from, and how is it aggregated? How do resolver-level blocking and filter lists actually work? How do they relate to, and supersede, the older tooling? Where can the new defaults bite you in ways a passive audit never did? And what should both application developers and maintainers do today?

Every modern PHP application is built on a foundation of third-party packages, each with its own dependencies and its own trust assumptions. Recent supply chain attacks in neighbouring ecosystems have made it painfully clear that what ends up in your vendor directory matters as much as the code you write yourself.

For years, the PHP ecosystem relied on informal tooling to keep vulnerable packages out: reports printed after an install had already completed, and a clever abuse of the dependency resolver's conflict rules to make known-bad versions uninstallable. Recent Composer versions have replaced both with something stronger: advisory enforcement has moved into the resolver itself, and the same machinery has been generalised so that malware flags, policy rules, and whatever category comes next can plug into the same pipeline.

This talk walks through the PHP software stack's supply chain from the bottom up. Where does advisory data come from, and how is it aggregated? How do resolver-level blocking and filter lists actually work? How do they relate to, and supersede, the older tooling? Where can the new defaults bite you in ways a passive audit never did? And what should both application developers and maintainers do today?