Automic VaultAutomic Vault

brew

使用 Homebrew, apk, chocolatey, apt, dnf, pacman, scoop, zypper 安装 composer

查看 composer 的安装路径、可执行文件、元数据以及面向 AI 代理工作流的安全说明。

代理安全

代理安全回答

composer manages PHP dependencies and package publishing workflows.

凭据访问

Reads auth.json, repository tokens, environment variables, and project config.

远程变更

Can install packages and run scripts that affect remote systems.

发布/制品风险

Can publish packages or build deployable PHP artifacts.

推荐控制

Gate scripts, publish operations, and credentialed repository access.

代理使用指南

Allow dependency inspection; require approval for scripts, publishes, and private-repo credentials.

安装

其他安装命令

macOS

Homebrew已验证 · 100%
brew install composer

local Homebrew formula metadata

Linux

Alpine Linux apk已验证 · 92%
sudo apk add composer

Alpine Linux edge package indexes · composer · 来源: dl-cdn.alpinelinux.org

Debian apt已验证 · 92%
sudo apt install composer

Debian stable package indexes · composer · 来源: deb.debian.org

Fedora dnf已验证 · 92%
sudo dnf install composer

Fedora Rawhide package metadata · composer · 来源: dl.fedoraproject.org

Arch Linux pacman已验证 · 92%
sudo pacman -S composer

Arch Linux sync databases · composer · 来源: geo.mirror.pkgbuild.com

openSUSE zypper已验证 · 92%
sudo zypper install php-composer

openSUSE Tumbleweed package metadata · php-composer · 来源: download.opensuse.org

Windows

Chocolatey已验证 · 92%
choco install composer

Chocolatey community package catalog · composer · 来源: community.chocolatey.org

Scoop已验证 · 92%
scoop install main/composer

Scoop official bucket manifest trees · bucket/composer.json · 来源: api.github.com

概览

软件包摘要

Dependency Manager for PHP

命令和别名

  • composer

历史

项目历史与用法

Composer is the standard dependency manager for PHP projects. It lets projects declare library dependencies, resolves installable versions, and installs packages into the project rather than acting like a system package manager.

项目历史

Composer was created by Nils Adermann and Jordi Boggiano and released under the MIT license. Official documentation describes it as inspired by npm and Bundler, bringing per-project dependency resolution and installation to PHP. Packagist serves as the public package index for Composer packages.

采用历史

Packagist records `composer/composer` package versions starting with 1.0.0-alpha1 in 2012, and GitHub releases include 1.0.0-alpha1 in 2013. The official README points users to Packagist for public packages and to Private Packagist for private hosting, showing how Composer became both a CLI and a package ecosystem.

使用方式

Normal Composer usage starts with a project `composer.json`, produces a lock file for reproducible installs, and installs dependencies into `vendor`. It can be installed locally as a PHAR, globally on PATH, through Docker, or through OS package managers such as Homebrew.

为什么软件包爱好者会关心

Composer is package-manager infrastructure, not just a CLI. Its resolver, lock file, Packagist integration, authentication model, and VCS support made PHP packages installable with dependency constraints in a way familiar to users of npm, Bundler, and other language package managers.

时间线

  • 2012: Packagist records `composer/composer` 1.0.0-alpha1.
  • 2013: GitHub releases include Composer 1.0.0-alpha1.
  • 2016: Composer 1.0.0 was released.
  • 2020: Composer 2.0.0 was released.
  • 2026: Packagist continues to track active Composer 2.x development.

Related projects

  • Composer is closely tied to Packagist, Private Packagist, PHP's PHAR distribution model, and language package managers such as npm and Bundler that influenced its design.

安全态势

风险级别:orange

infrastructure mutation or orchestration signal.

风险分类器

orange 风险 · 中 置信度 · infrastructure

原因

  • infrastructure mutation or orchestration signal

信号

  • text:dependency manager

安装行为

  • formula 元数据中未记录 Homebrew post-install 钩子。
  • Homebrew bottle 元数据适用于 6 个平台目标。
  • 安装时包含 1 个运行时依赖。

建议审查

在无人值守的代理使用前,请检查该工具是否读取明文凭据、写入远程状态、发布制品或调用插件。

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Credential files

Credential-bearing paths to review before unattended agent runs.

macOS
~/Library/Application Support/Composer/auth.json
Unix
$XDG_CONFIG_HOME/composer/auth.json~/.composer/auth.json

可执行文件

已安装的可执行文件

命令类型暴露范围备注
composercli全局可执行文件

新鲜度

版本和新鲜度

这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。

页面生成时间2026-07-10
管理器版本2.10.2
管理器更新时间2026-07-01
本地数据OK
上游not checked
检测到的最新版本未检测到

https://getcomposer.org/

安装元数据

软件包元数据

软件包键brew:composer
版本2.10.2
软件包管理器Homebrew
软件包管理器页面https://formulae.brew.sh/formula/composer
主页https://getcomposer.org/
仓库https://github.com/composer/composer
上游文档https://getcomposer.org/doc
许可证MIT
源码归档https://getcomposer.org/download/2.10.2/composer.phar
最后更新2026-07-01T13:09:12Z
Pulseupdated
依赖php
Bottle可用 (于 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-install未定义
服务未声明

注册表事实

源数据库详情

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecomposer
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

源数据库匹配

其他软件包管理器记录

匹配项来自外部软件包管理器索引,并与本地 Automic Vault 软件包链接分开显示。

Debian apt95%

composer 2.8.8-1+deb13u2

dependency manager for PHP

https://getcomposer.org/

sudo apt install composer
  • Section: php
  • Architecture: all
  • 18 依赖
  • 10 可选依赖
  • normalized package name match
  • 匹配方式:Composer
Debian stable package indexes · deb.debian.org · Debian stable package indexes: composer from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Ubuntu apt95%

composer 2.7.1-2

dependency manager for PHP

https://getcomposer.org/

sudo apt install composer
  • Section: universe/php
  • Architecture: all
  • 18 依赖
  • 10 可选依赖
  • normalized package name match
  • 匹配方式:Composer
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: composer from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
apk95%

composer 2.10.1-r0

Dependency manager for PHP

https://getcomposer.org/

sudo apk add composer
  • License: MIT
  • Architecture: x86_64
  • Source Package: composer
  • 1 依赖
  • 1 提供
  • normalized package name match
  • 匹配方式:Composer
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: composer from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
apk95%

composer-bash-completion 2.10.1-r0

Bash completions for composer

https://getcomposer.org/

sudo apk add composer-bash-completion
  • License: MIT
  • Architecture: x86_64
  • Source Package: composer
  • normalized package name match
  • 匹配方式:Composer
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: composer-bash-completion from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
dnf95%

composer 2.10.1-1.fc45

Dependency Manager for PHP

https://getcomposer.org/

sudo dnf install composer
  • License: MIT
  • Category: Unspecified
  • Architecture: noarch
  • Source Package: composer
  • 27 依赖
  • 4 提供
  • normalized package name match
  • 匹配方式:Composer
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: composer from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
pacman95%

composer 2.10.1-1

Dependency Manager for PHP

https://getcomposer.org/

sudo pacman -S composer
  • License: MIT
  • Architecture: any
  • 2 依赖
  • normalized package name match
  • 匹配方式:Composer
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: composer from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

php-composer 1.10.26-2.7

Dependency Management for PHP

https://getcomposer.org/

sudo zypper install php-composer
  • License: MIT
  • Category: Development/Libraries/Other
  • Architecture: noarch
  • Source Package: php-composer
  • 8 依赖
  • 5 提供
  • normalized package name match
  • 匹配方式:Composer
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: php-composer from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

php-composer2 2.10.0-1.1

Dependency Management for PHP

https://getcomposer.org/

sudo zypper install php-composer2
  • License: MIT
  • Category: Development/Libraries/Other
  • Architecture: noarch
  • Source Package: php-composer2
  • 8 依赖
  • 4 提供
  • normalized package name match
  • 匹配方式:Composer
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: php-composer2 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
Chocolatey95%

composer

choco install composer
  • normalized package name match
  • 匹配方式:Composer
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: composer from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','cmake.portable'
Scoop95%

main/composer

scoop install main/composer
  • normalized package name match
  • 匹配方式:Composer
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/composer.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

来源线索

由仓库数据生成

此页面由 av-webscripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。

使用的来源

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated agent safety answer
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment