PHPackages                             cotonet/soak-time - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. cotonet/soak-time

ActiveComposer-plugin[Security](/categories/security)

cotonet/soak-time
=================

Protects against supply chain attacks by filtering recently published packages.

v1.1.0(2mo ago)33.7k↑2438.6%[1 issues](https://github.com/cotonet-resiliencia-digital/composer-soak-time/issues)PHPPHP ^7.4 || ^8.0 || ^8.1 || ^8.2 || ^8.3 || ^8.4 || ^8.5

Since Mar 31Pushed 2mo ago1 watchersCompare

[ Source](https://github.com/cotonet-resiliencia-digital/composer-soak-time)[ Packagist](https://packagist.org/packages/cotonet/soak-time)[ RSS](/packages/cotonet-soak-time/feed)WikiDiscussions main Synced 4w ago

READMEChangelog (4)Dependencies (2)Versions (5)Used By (0)

Cotonet Soak Time 🛡️
====================

[](#cotonet-soak-time-️)

A Composer plugin designed to mitigate **Supply Chain Attacks** by enforcing a "soak time" (minimum age) on all installed package versions.

Recently published packages or updates can sometimes carry malicious code (zero-days or compromised maintainer accounts). This plugin acts as a shield by completely hiding recent releases from the Composer solver, ensuring you only install mature, community-vetted code.

💡 How it works
--------------

[](#-how-it-works)

This plugin intercepts Composer's `PRE_POOL_CREATE` event. It analyzes the release dates of all requested packages (including deep transitive dependencies) and drops any version that is newer than your configured threshold.

Composer will then gracefully resolve your dependencies using older, safer versions, avoiding the "dependency hell" of manual conflict resolution.

📦 Installation
--------------

[](#-installation)

Install this plugin as a development dependency:

```
composer require --dev cotonet/soak-time
```

*Or install it globally to protect all your local projects:*

```
composer global require cotonet/soak-time
```

⚙️ Configuration
----------------

[](#️-configuration)

By default, the plugin enforces a minimum age of **168 hours (7 days)**.

Customize this in the `extra` section of your project's `composer.json`:

```
{
    "extra": {
        "soak-time-hours": 360
    }
}
```

### Whitelisting Packages

[](#whitelisting-packages)

Some packages, like security advisories or internal company packages, need to be updated constantly and should bypass the soak time filter. You can allow them permanently by adding an array of package names to `soak-time-whitelist` in your `composer.json`:

```
{
    "extra": {
        "soak-time-hours": 168,
        "soak-time-whitelist": [
            "roave/security-advisories",
            "your-company/internal-package"
        ]
    }
}
```

🚨 Emergency Bypass (Security Patches)
-------------------------------------

[](#-emergency-bypass-security-patches)

If you need to install a critical security patch that was released just a few hours ago, you can bypass the filter using the `SOAK_TIME_SKIP` environment variable:

**Linux / macOS:**

```
SOAK_TIME_SKIP=1 composer update vendor/package-name
```

**Windows (PowerShell):**

```
$env:SOAK_TIME_SKIP=1; composer update vendor/package-name
```

🔍 Debugging
-----------

[](#-debugging)

To see which versions are being dropped, run Composer with the verbose flag (`-v`):

```
composer update -v
```

📄 License
---------

[](#-license)

This project is licensed under the MIT License.

###  Health Score

45

—

FairBetter than 91% of packages

Maintenance77

Regular maintenance activity

Popularity28

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity54

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~2 days

Total

4

Last Release

84d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/57aee85efbeaa3a718060d4e6704112e7ebb2a0b07bd658246a2934784fafbaa?d=identicon)[cotonet-resiliencia-digital](/maintainers/cotonet-resiliencia-digital)

---

Top Contributors

[![cotonet-resiliencia-digital](https://avatars.githubusercontent.com/u/254997756?v=4)](https://github.com/cotonet-resiliencia-digital "cotonet-resiliencia-digital (5 commits)")

### Embed Badge

![Health badge](/badges/cotonet-soak-time/health.svg)

```
[![Health](https://phpackages.com/badges/cotonet-soak-time/health.svg)](https://phpackages.com/packages/cotonet-soak-time)
```

###  Alternatives

[symfony/runtime

Enables decoupling PHP applications from global state

74794.9M945](/packages/symfony-runtime)[drupal/core-composer-scaffold

A flexible Composer project scaffold builder.

5344.1M527](/packages/drupal-core-composer-scaffold)[drupal/core-vendor-hardening

Hardens the vendor directory for when it's in the docroot.

174.7M41](/packages/drupal-core-vendor-hardening)[drupal/core-project-message

Adds a message after Composer installation.

2124.0M194](/packages/drupal-core-project-message)[drupal-composer/drupal-paranoia

Composer Plugin for improving the security of composer-based Drupal projects by moving all PHP files out of docroot.

642.2M3](/packages/drupal-composer-drupal-paranoia)[altis/core

Core module for Altis

19222.5k2](/packages/altis-core)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
