> doesn't have many of the security problems that plague NPM
Is that true? How so?
I'm a long-time PHP dev, but of the issues I can recall regarding NPM, including the recent controversy related to the invasion of Ukraine, I don't see how that sort of thing couldn't happen with Composer some day, and it might just be a matter of time; that it hasn't yet has more to do with the relative ecosystems of the two languages and the developers they attract than anything technical, in my opinion. But I'd love to be proven wrong.
With NPM, what's actually published is not what's in the git repo, so it's harder to inspect/review vulnerabilities or hijacking. With Composer, what's in git _is_ what Composer pulls (with the exception of rules in .gitattributes to exclude files, etc.), making it much easier to trace. One such example: https://github.com/faisalman/ua-parser-js/issues/536
Composer packages also don't tend to have the "culture" of having a million tiny packages for small functions like left-pad, so that helps a ton too. Mostly because PHP's stdlib is pretty great by default, so lots of things like this don't require 3rd-party libs.
Obviously Composer isn't bullet-proof, someone controlling a dependency of an important project can still cause harm by making a minor version release with malicious code, but it's easier to vet a smaller list of packages in the tree, especially if all you need to do is scan through their code on github.
Thanks for the response. I didn't know that NPM packages aren't just Git pulls as they are in Composer. That's surprising. I wonder why they decided against implementing it that way - it seems like just using Git or other package managers would save them from having to deal with hosting, versioning, and so many other things inside the manager system itself.
Generally, NPM packages are transpiled/minified with webpack (or w/e newer tool) and published as minified bundles. That's why it's done that way. It avoids committing the webpack compiled dist to the repo.
With PHP, since there's no compile/minify step, there's no need for "build artifacts", so you can grab the code directly and run it as-is.
But obviously this has big supply-chain security downsides.
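The review gap described in the two replies above (a published npm tarball is a build artifact, not the git tree, so a reviewer cannot simply diff it against the tag) can be narrowed with a small check. The script below is an added example, not code from the thread: it hashes every file in a package tarball and compares it against the files of the corresponding git checkout, honouring export-ignore rules, and reports what the artifact adds, drops or changes. The sample source tree and tarball are constructed inline; the `package/` prefix is the layout npm uses for published tarballs.

```python
import hashlib
import io
import tarfile

# Constructed sample: a "git checkout" of a package and a "published tarball"
# that diverges from it (an extra built bundle and an altered source file).
SOURCE_FILES = {
    "package.json": b'{"name": "demo", "version": "1.0.0"}\n',
    "src/index.js": b"module.exports = () => 'hello';\n",
    "test/index.test.js": b"// tests are excluded from the published artifact\n",
}
PUBLISHED_FILES = {
    "package/package.json": SOURCE_FILES["package.json"],
    "package/src/index.js": b"module.exports = () => 'hello'; require('./extra');\n",
    "package/dist/bundle.min.js": b"!function(){}();\n",
}
EXPORT_IGNORE = ("test/",)  # path prefixes, like .gitattributes export-ignore

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_tarball(files: dict) -> bytes:
    """Pack the constructed file map into an in-memory .tgz (stands in for a download)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def tarball_hashes(tar_bytes: bytes, strip_prefix: str = "package/") -> dict:
    """Map each regular file in the tarball (minus the npm 'package/' prefix) to its hash."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name[len(strip_prefix):] if member.name.startswith(strip_prefix) else member.name
            hashes[name] = sha256(tar.extractfile(member).read())
    return hashes

def compare_published_to_source(tar_bytes: bytes, source_files: dict, export_ignore=()) -> dict:
    """Report files the artifact adds, omits or modifies relative to the exported source tree."""
    published = tarball_hashes(tar_bytes)
    source = {p: sha256(d) for p, d in source_files.items()
              if not any(p.startswith(prefix) for prefix in export_ignore)}
    return {
        "added": sorted(set(published) - set(source)),      # review these by hand: no git history
        "missing": sorted(set(source) - set(published)),
        "modified": sorted(p for p in published.keys() & source.keys() if published[p] != source[p]),
    }

if __name__ == "__main__":
    print(compare_published_to_source(build_tarball(PUBLISHED_FILES), SOURCE_FILES, EXPORT_IGNORE))
```

Anything under "added" or "modified" is exactly the code that a git-only review, of the kind the Composer reply describes, would never see and so deserves a separate look.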