凭据访问
Reads auth.json, repository tokens, environment variables, and project config.
代理安全
composer manages PHP dependencies and package publishing workflows.
Reads auth.json, repository tokens, environment variables, and project config.
Can install packages and run scripts that affect remote systems.
Can publish packages or build deployable PHP artifacts.
Gate scripts, publish operations, and credentialed repository access.
Allow dependency inspection; require approval for scripts, publishes, and private-repo credentials.
安装
brew install composerlocal Homebrew formula metadata
sudo apk add composerAlpine Linux edge package indexes · composer · 来源: dl-cdn.alpinelinux.org
sudo apt install composerDebian stable package indexes · composer · 来源: deb.debian.org
sudo dnf install composerFedora Rawhide package metadata · composer · 来源: dl.fedoraproject.org
sudo pacman -S composerArch Linux sync databases · composer · 来源: geo.mirror.pkgbuild.com
sudo zypper install php-composeropenSUSE Tumbleweed package metadata · php-composer · 来源: download.opensuse.org
choco install composerChocolatey community package catalog · composer · 来源: community.chocolatey.org
scoop install main/composerScoop official bucket manifest trees · bucket/composer.json · 来源: api.github.com
概览
Dependency Manager for PHP
历史
Composer is the standard dependency manager for PHP projects. It lets projects declare library dependencies, resolves installable versions, and installs packages into the project rather than acting like a system package manager.
Composer was created by Nils Adermann and Jordi Boggiano and released under the MIT license. Official documentation describes it as inspired by npm and Bundler, bringing per-project dependency resolution and installation to PHP. Packagist serves as the public package index for Composer packages.
Packagist records `composer/composer` package versions starting with 1.0.0-alpha1 in 2012, and GitHub releases include 1.0.0-alpha1 in 2013. The official README points users to Packagist for public packages and to Private Packagist for private hosting, showing how Composer became both a CLI and a package ecosystem.
Normal Composer usage starts with a project `composer.json`, produces a lock file for reproducible installs, and installs dependencies into `vendor`. It can be installed locally as a PHAR, globally on PATH, through Docker, or through OS package managers such as Homebrew.
Composer is package-manager infrastructure, not just a CLI. Its resolver, lock file, Packagist integration, authentication model, and VCS support made PHP packages installable with dependency constraints in a way familiar to users of npm, Bundler, and other language package managers.
安全态势
infrastructure mutation or orchestration signal.
orange 风险 · 中 置信度 · infrastructure
在无人值守的代理使用前,请检查该工具是否读取明文凭据、写入远程状态、发布制品或调用插件。
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Credential-bearing paths to review before unattended agent runs.
~/Library/Application Support/Composer/auth.json$XDG_CONFIG_HOME/composer/auth.json~/.composer/auth.json可执行文件
| 命令 | 类型 | 暴露范围 | 备注 |
|---|---|---|---|
composer | cli | 全局可执行文件 |
新鲜度
这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。
安装元数据
| 软件包键 | brew:composer |
|---|---|
| 版本 | 2.10.2 |
| 软件包管理器 | Homebrew |
| 软件包管理器页面 | https://formulae.brew.sh/formula/composer |
| 主页 | https://getcomposer.org/ |
| 仓库 | https://github.com/composer/composer |
| 上游文档 | https://getcomposer.org/doc |
| 许可证 | MIT |
| 源码归档 | https://getcomposer.org/download/2.10.2/composer.phar |
| 最后更新 | 2026-07-01T13:09:12Z |
| Pulse | updated |
| 依赖 | php |
| Bottle | 可用 (于 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | 未定义 |
| 服务 | 未声明 |
注册表事实
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | composer |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
源数据库匹配
匹配项来自外部软件包管理器索引,并与本地 Automic Vault 软件包链接分开显示。
composer 2.8.8-1+deb13u2
dependency manager for PHP
sudo apt install composercomposer 2.7.1-2
dependency manager for PHP
sudo apt install composercomposer 2.10.1-r0
Dependency manager for PHP
sudo apk add composercomposer-bash-completion 2.10.1-r0
Bash completions for composer
sudo apk add composer-bash-completioncomposer 2.10.1-1.fc45
Dependency Manager for PHP
sudo dnf install composercomposer 2.10.1-1
Dependency Manager for PHP
sudo pacman -S composerphp-composer 1.10.26-2.7
Dependency Management for PHP
sudo zypper install php-composerphp-composer2 2.10.0-1.1
Dependency Management for PHP
sudo zypper install php-composer2composer
choco install composermain/composer
scoop install main/composer来源线索
此页面由 av-web 从 scripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。
View the package source record on GitHub.