Preventing Dependency Confusion in PHP with Composer | Amazing PHP

Preventing Dependency Confusion in PHP with Composer
The problem boils down to companies referencing internal packages by name, e.g. "my-internal-package", and an attacker then publishing a package with the same name "my-internal-package" and a higher version number on the language's central package registry (for PHP that is packagist.org). The companies then installed and ran these malicious packages instead of their own because their package manager preferred the higher version number from the default registry over the one in their internal repository.
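As an added example (not from the original page), a composer.json that scopes name resolution so an internal package name can never be satisfied by Packagist: the internal repository is listed first and restricted with `only` to the company's vendor prefix, the implicit Packagist repository is disabled, and Packagist is re-added explicitly with `exclude` for that same prefix. The vendor name `example-co` and the repository URL are placeholders; the `only`, `exclude` and `"packagist.org": false` options are Composer 2 repository settings.

```json
{
  "name": "example-co/app",
  "repositories": [
    {
      "type": "composer",
      "url": "https://composer.example-co.internal/",
      "only": ["example-co/*"]
    },
    {
      "packagist.org": false
    },
    {
      "type": "composer",
      "url": "https://repo.packagist.org",
      "exclude": ["example-co/*"]
    }
  ],
  "require": {
    "example-co/my-internal-package": "^1.0",
    "monolog/monolog": "^3.0"
  }
}
```

With this layout a higher-versioned `example-co/my-internal-package` published on packagist.org is never considered, because Packagist is excluded from answering for the `example-co/*` prefix regardless of version; public packages such as `monolog/monolog` still resolve from Packagist as before.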