php-tuf/composer-integration
============================

Secures Composer downloads with PHP-TUF.

PHP-TUF Composer Integration Plugin
===================================


[![build](https://github.com/php-tuf/composer-integration/actions/workflows/build.yml/badge.svg)](https://github.com/php-tuf/composer-integration/actions/workflows/build.yml/badge.svg)

Experimental Composer plugin marrying Composer 2.6 and later to [PHP-TUF](https://github.com/php-tuf/php-tuf).

This plugin seeks to demonstrate adding TUF security to

- Composer's package discovery process when using Composer v2 package repositories.
- Packages that Composer selects for download.

IMPORTANT
---------


This plugin, as well as the PHP-TUF library it depends on, is in a pre-release state and is not considered a complete or secure implementation of the TUF framework.

This plugin should currently only be used for testing, development and feedback. *Do NOT use in production for secure downloads!!*

Overview
--------


The plugin examines `composer` type repositories. For any that contain an additional key `tuf`, it invokes PHP-TUF during package discovery and download operations, validating that the repository and package are not being tampered with.

In accordance with the [TUF specification](https://github.com/theupdateframework/specification/blob/v1.0.9/tuf-spec.md#5-detailed-workflows), projects using this plugin must supply a set of trusted keys for each repository they want to protect with TUF. Each TUF-protected repository should provide a JSON file with its root keys. The file may be named in one of a few ways, which will be searched for in this order:

1. A SHA-256 hash of the full repository URL. For example, if the repository URL is `http://repo.example.net/composer`, the JSON file can be named `d82cfa7a5a4ba36bd2bcc9d3f7b24bdddbe1209b71ebebaeebc59f6f0ea48792.json`.
2. The host name of the repository. To continue the previous example, the JSON file can be named `repo.example.net.json`.

All root key files must be stored in a directory called `tuf`, adjacent to the project's `composer.json` file.
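The lookup described above, as an added illustration that is not the plugin's own code: it derives the two candidate file names for a repository URL in the README's search order and resolves the first one present under `tuf/`. The project layout it builds is a constructed sample; the file contents are placeholders, not real TUF root metadata. Note that the hash candidate changes when the scheme or path changes (so `http://` and `https://` forms of the same repository hash differently), while the host-name candidate does not.

```python
import hashlib
import os
import tempfile
from typing import List, Optional
from urllib.parse import urlparse


def root_key_candidates(repo_url: str) -> List[str]:
    """Root-key file names the README says are searched, in order."""
    # 1. SHA-256 of the full repository URL (scheme, host and path all count).
    digest = hashlib.sha256(repo_url.encode("utf-8")).hexdigest()
    # 2. Bare host name of the repository.
    host = urlparse(repo_url).hostname
    if not host:
        raise ValueError(f"repository URL has no host name: {repo_url!r}")
    return [digest + ".json", host + ".json"]


def find_root_keys(project_dir: str, repo_url: str) -> Optional[str]:
    """Return the path of the first matching file in <project_dir>/tuf, or None."""
    tuf_dir = os.path.join(project_dir, "tuf")
    for name in root_key_candidates(repo_url):
        path = os.path.join(tuf_dir, name)
        if os.path.isfile(path):
            return path
    return None


def make_project(root_key_files: List[str]) -> str:
    """Create a throwaway project layout (constructed sample, not a real key set)."""
    project = tempfile.mkdtemp(prefix="tuf-demo-")
    os.makedirs(os.path.join(project, "tuf"))
    with open(os.path.join(project, "composer.json"), "w") as fh:
        fh.write('{"name": "example/project"}\n')  # hypothetical project name
    for name in root_key_files:
        with open(os.path.join(project, "tuf", name), "w") as fh:
            fh.write('{"signed": {}, "signatures": []}\n')  # placeholder, not real metadata
    return project


if __name__ == "__main__":
    url = "http://repo.example.net/composer"
    print(root_key_candidates(url))
    project = make_project(["repo.example.net.json"])
    print(find_root_keys(project, url))  # resolves to the host-name file
    print(find_root_keys(project, "https://repo.example.net/composer"))  # same file
```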

The TUF repository must track the Composer repository, signing new versions of packages as they are released as well as the Composer package metadata for them.

Usage
-----


```
# Configure Composer to allow the plugin to run.
composer config allow-plugins.php-tuf/composer-integration true

# Install the plugin.
composer require php-tuf/composer-integration

# Enable TUF protection for a repository defined in composer.json. For example,
# if you have a Drupal site, the following will probably work.
composer tuf:protect https://packages.drupal.org/8

# Install a package with safety guaranteed by TUF!
composer require drupal/token
```

Performance
-----------


There's no way around it: this plugin affects Composer's performance. This is because, for every file Composer examines (including package metadata), TUF needs to download other files, to confirm that the file Composer is looking at hasn't been tampered with.

The performance hit generally isn't extreme, but it may be quite noticeable, depending on how large your project is and what you're asking Composer to do. Performance can also be affected by the way TUF has been set up on the server, which may be different for each repository.

To mitigate this, the plugin will try to keep network activity to a minimum; whatever network activity it has to do, it tries to do in parallel. This is in addition to fairly aggressive caching, while maintaining the ability for TUF to keep itself up-to-date. That said, **you should generally expect Composer to be approximately 1.5 to 3 times slower when TUF is enabled.**

