認証情報アクセス
Reads auth.json, repository tokens, environment variables, and project config.
brew
composer のインストール経路、実行ファイル、メタデータ、AI エージェント向けセキュリティノートを確認します。
エージェント安全性
composer manages PHP dependencies and package publishing workflows.
Reads auth.json, repository tokens, environment variables, and project config.
Can install packages and run scripts that affect remote systems.
Can publish packages or build deployable PHP artifacts.
Gate scripts, publish operations, and credentialed repository access.
Allow dependency inspection; require approval for scripts, publishes, and private-repo credentials.
インストール
brew install composerlocal Homebrew formula metadata
sudo apk add composerAlpine Linux edge package indexes · composer · ソース: dl-cdn.alpinelinux.org
sudo apt install composerDebian stable package indexes · composer · ソース: deb.debian.org
sudo dnf install composerFedora Rawhide package metadata · composer · ソース: dl.fedoraproject.org
sudo pacman -S composerArch Linux sync databases · composer · ソース: geo.mirror.pkgbuild.com
sudo zypper install php-composeropenSUSE Tumbleweed package metadata · php-composer · ソース: download.opensuse.org
choco install composerChocolatey community package catalog · composer · ソース: community.chocolatey.org
scoop install main/composerScoop official bucket manifest trees · bucket/composer.json · ソース: api.github.com
概要
Dependency Manager for PHP
履歴
Composer is the standard dependency manager for PHP projects. It lets projects declare library dependencies, resolves installable versions, and installs packages into the project rather than acting like a system package manager.
Composer was created by Nils Adermann and Jordi Boggiano and released under the MIT license. Official documentation describes it as inspired by npm and Bundler, bringing per-project dependency resolution and installation to PHP. Packagist serves as the public package index for Composer packages.
Packagist records `composer/composer` package versions starting with 1.0.0-alpha1 in 2012, and GitHub releases include 1.0.0-alpha1 in 2013. The official README points users to Packagist for public packages and to Private Packagist for private hosting, showing how Composer became both a CLI and a package ecosystem.
Normal Composer usage starts with a project `composer.json`, produces a lock file for reproducible installs, and installs dependencies into `vendor`. It can be installed locally as a PHAR, globally on PATH, through Docker, or through OS package managers such as Homebrew.
Composer is package-manager infrastructure, not just a CLI. Its resolver, lock file, Packagist integration, authentication model, and VCS support made PHP packages installable with dependency constraints in a way familiar to users of npm, Bundler, and other language package managers.
セキュリティ状態
infrastructure mutation or orchestration signal.
リスク orange · 信頼度 中 · infrastructure
エージェントに無人実行させる前に、このツールが平文の認証情報を読むか、リモート状態を書き込むか、成果物を公開するか、プラグインを起動するかを確認してください。
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Credential-bearing paths to review before unattended agent runs.
~/Library/Application Support/Composer/auth.json$XDG_CONFIG_HOME/composer/auth.json~/.composer/auth.json実行可能ファイル
| コマンド | 種類 | 公開範囲 | メモ |
|---|---|---|---|
composer | cli | グローバル実行可能ファイル |
鮮度
これらの信号は、ページ生成時期、パッケージマネージャの活動、上流リリース比較を分けて示します。バージョン遅れは、証拠 URL と比較可能なバージョンがある場合だけ警告されます。
インストールメタデータ
| パッケージキー | brew:composer |
|---|---|
| バージョン | 2.10.2 |
| パッケージマネージャ | Homebrew |
| パッケージマネージャページ | https://formulae.brew.sh/formula/composer |
| ホームページ | https://getcomposer.org/ |
| リポジトリ | https://github.com/composer/composer |
| 上流ドキュメント | https://getcomposer.org/doc |
| ライセンス | MIT |
| ソースアーカイブ | https://getcomposer.org/download/2.10.2/composer.phar |
| 最終更新 | 2026-07-01T13:09:12Z |
| Pulse | updated |
| 依存関係 | php |
| Bottle | 利用可能 (対象 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | 未定義 |
| サービス | 宣言なし |
レジストリ情報
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | composer |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
ソースデータベース一致
一致は外部パッケージマネージャインデックスから取得され、ローカルの Automic Vault パッケージリンクとは分けて表示されます。
composer 2.8.8-1+deb13u2
dependency manager for PHP
sudo apt install composercomposer 2.7.1-2
dependency manager for PHP
sudo apt install composercomposer 2.10.1-r0
Dependency manager for PHP
sudo apk add composercomposer-bash-completion 2.10.1-r0
Bash completions for composer
sudo apk add composer-bash-completioncomposer 2.10.1-1.fc45
Dependency Manager for PHP
sudo dnf install composercomposer 2.10.1-1
Dependency Manager for PHP
sudo pacman -S composerphp-composer 1.10.26-2.7
Dependency Management for PHP
sudo zypper install php-composerphp-composer2 2.10.0-1.1
Dependency Management for PHP
sudo zypper install php-composer2composer
choco install composermain/composer
scoop install main/composerソース経路
このページは scripts/generate-pkg-sqlite.py が生成した非公開のパッケージ SQLite アーティファクトから av-web によって提供されます。
View the package source record on GitHub.