Composer 2.10 Introduces Native Malware Filtering and New Dependency Policy Framework

Horizontal feature image from The Drop Times. A blue PHP label appears above the headline “Supply Chain Security Comes to Composer.” The deck reads, “Composer 2.10 adds native malware filtering and policy-based dependency controls for PHP projects.” The illustration shows a developer blocking malicious packages while a shield protects against malware-marked package boxes, symbolising Composer's new malware filtering, dependency governance controls, and software supply-chain security protections.

Native malware filtering and a new dependency policy framework headline the Composer 2.10 release, which expands the project's efforts to strengthen software supply chain security across the PHP ecosystem.

Released as part of a broader security initiative for Composer and Packagist, the update introduces malware detection powered by Aikido Security's CC-BY 4.0 licensed threat intelligence feed. Malware filtering is enabled by default for all Packagist users and requires no additional configuration. Package versions identified as malicious are automatically removed from dependency resolution and surfaced through Composer's audit functionality.

The new malware policy is designed to address threats that traditional vulnerability advisories often cannot handle quickly enough, including credential stealers, cryptominers, backdoors, and malicious package releases resulting from compromised maintainer accounts. Composer now blocks flagged malware versions during dependency updates and surfaces them through composer audit. Malware checks also apply during composer install, helping prevent malicious versions from being deployed even when they already exist in a project's lock file.

Composer 2.10 also introduces a unified config.policy framework that consolidates management of malware, security advisories, and abandoned packages under a single configuration system. The framework supports custom organisational policies and external policy sources, allowing teams to define package governance rules beyond Composer's built-in security controls.

Several developer workflow enhancements are included in the release. The composer update --with command now supports wildcard package constraints, allowing updates across entire vendor namespaces. The composer create-project command gains a new --require option for installing additional dependencies during project creation.

The release also begins the deprecation of Composer's automatic source fallback behaviour, which previously attempted source code checkouts when package artifact downloads failed. Maintainers said the automatic fallback can create unintended security and workflow issues in some repository configurations, including scenarios where source checkouts may bypass vetted package artifacts. The capability remains available through explicit configuration in Composer 2.10 but is scheduled for removal as a fallback mechanism in version 2.11.

Beyond the new policy framework, Composer 2.10 includes several security hardening measures. The release improves URL filtering to reduce token leakage risks, strengthens HTTPS validation, fixes handling of Git credentials after failed repository operations, and enforces plugin security controls more consistently for older lock files.

Additional improvements include reduced memory usage in PoolOptimizer, optimised plugin autoloading, updates to version constraint bumping behaviour, and a new --strict-psr-autoloader option for install and update commands. Composer maintainers said the release forms part of a wider effort to improve security protections for open source package ecosystems increasingly targeted by supply chain attacks.

Reference: Composer 2.10 Release (28 May 2026)

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.

Upcoming Events