> ## Documentation Index > Fetch the complete documentation index at: https://developer.upsun.com/llms.txt > Use this file to discover all available pages before exploring further. # Composer 2.9 lands on Upsun PHP Images: Here’s what you need to know > Remote code execution vulnerability in Next.js 15.x and 16.x App Router requires immediate patching. Learn how to secure your applications. export const PostMeta = ({data = {}}) => { const {author, date, image} = data; const authors = Array.isArray(author) ? author : author ? [author] : []; const resolveAuthor = slug => { const entry = AUTHOR_MAP[slug] || ({}); const name = entry.name || slug; const github = entry.github || null; const linkedin = entry.linkedin || null; const url = github ? `https://github.com/${github}` : linkedin || null; const avatarUrl = github ? `https://github.com/${github}.png?size=64` : null; return { name, url, avatarUrl }; }; const formattedDate = date ? new Date(date).toLocaleDateString('en-US', { year: 'numeric', month: 'long', day: 'numeric' }) : null; if (!image && authors.length === 0 && !formattedDate) return null; const AUTHOR_MAP = { "aaron-collier": { "name": "Aaron Collier" }, "aaron-dudenhofer": { "name": "Aaron Dudenhofer" }, "aaron-porter": { "name": "Aaron Porter" }, "adriaan-odendaal": { "name": "Adriaan Odendaal" }, "ajmal": { "name": "Ajmal Siddiqui" }, "akalipetis": { "name": "Antonis Kalipetis" }, "alexander-varwijk": { "name": "Alexander Varwijk" }, "alicia-bevilacqua": { "name": "Alicia Bevilacqua" }, "amelie-deguerry": { "name": "Amelie Deguerry" }, "anacidre": { "name": "Ana Cidre", "linkedin": "https://www.linkedin.com/in/ana-cidre" }, "andoni": { "name": "Andoni Auzmendi" }, "andrei-taranu": { "name": "Andrei (Alex) Taranu", "linkedin": "https://www.linkedin.com/in/andrei-alex-taranu/" }, "andrew-baxter": { "name": "Andrew Baxter" }, "andrew-melck": { "name": "Andrew Melck" }, "antoine-crochet-damais": { "name": "Antoine Crochet Damais" }, "augustin-delaporte": { "name": "Augustin Delaporte", "linkedin": "https://www.linkedin.com/in/augustindelaporte/" }, "branislav-bujisic": { "name": "Branislav Bujisic" }, "carl-smith": { "name": "Carl Smith" }, "caroline-leroy": { "name": "Caroline Leroy" }, "cati-mayer": { "name": "Cati Mayer" }, "catplat": { "name": "C Trinkwon" }, "ceelolulu": { "name": "Celeste van der Watt" }, "chadwcarlson": { "name": "Chad Carlson", "github": "chadwcarlson", "linkedin": "https://www.linkedin.com/in/chadwcarlson" }, "chris-ward": { "name": "Chris Ward" }, "chris-yates": { "name": "Chris Yates" }, "christian-sieber": { "name": "Christian Sieber" }, "christopher-lockheardt": { "name": "Christopher Lockheardt" }, "christopher-skene": { "name": "Christopher Skene" }, "chuck-morgan": { "name": "Chuck Morgan" }, "corey-dockendorf": { "name": "Corey Dockendorf" }, "crell": { "name": "Crell" }, "damz": { "name": "Damz" }, "dan-morrison": { "name": "Dan Morrison" }, "davidbonachera": { "name": "David Bonachera", "github": "davidbonachera", "linkedin": "https://www.linkedin.com/in/davidbonachera" }, "dereliahmet1": { "name": "Ahmet Faruk Dereli" }, "devicezero": { "name": "Jonas Kröger", "github": "devicezero", "linkedin": "https://www.linkedin.com/in/jonaskroeger/" }, "doug-goldberg": { "name": "Doug Goldberg" }, "duncan-naves": { "name": "Duncan Naves", "github": "duncannaves", "linkedin": "https://www.linkedin.com/in/duncan-naves-a94423aa" }, "erika-bustamante": { "name": "Erika Bustamante" }, "fabpot": { "name": "Fabien Potencier" }, "flovntp": { "name": "Florent Huck", "github": "flovntp", "linkedin": "https://www.linkedin.com/in/florenthuck" }, "fred-plais": { "name": "Fred Plais" }, "gauthier-garnier": { "name": "Gauthier Garnier" }, "gilzow": { "name": "Paul Gilzow" }, "gmoigneu": { "name": "Guillaume Moigneu", "github": "gmoigneu", "linkedin": "https://www.linkedin.com/in/guillaumemoigneu/" }, "gregqualls": { "name": "Greg Qualls" }, "guguss": { "name": "Augustin Delaporte" }, "haylee-millar": { "name": "Haylee Millar" }, "ivana-kotur": { "name": "Ivana Kotur" }, "jackrabbithanna": { "name": "Mark Hanna" }, "jared-wright": { "name": "Jared Wright", "github": "jww-sh", "linkedin": "https://www.linkedin.com/in/jaredwaynewright" }, "jessica-orozco": { "name": "Jessica Orozco" }, "joey-stanford": { "name": "Joey Stanford" }, "john-grubb": { "name": "John Grubb" }, "jonas-kruger": { "name": "Jonas Kruger" }, "kathryn-frazer": { "name": "Kathryn Frazer" }, "kemiojo": { "name": "Kemi Elizabeth Ojogbede" }, "kieronsambrook-smith": { "name": "Kieronsambrook Smith" }, "laurent-arnoud": { "name": "Laurent Arnoud" }, "letoya-boyne": { "name": "Letoya Boyne" }, "lolautruche": { "name": "Jérôme Vieilledent" }, "lyly-lepinay": { "name": "Lyly Lepinay" }, "manauwar-alam": { "name": "Manauwar Alam" }, "marc-antoine-porri": { "name": "Marc Antoine Porri" }, "maria-antinkaapo": { "name": "Maria Antinkaapo" }, "maria-de-anton": { "name": "Maria De Anton" }, "mark-dorison": { "name": "Mark Dorison" }, "markus-hausammann": { "name": "Markus Hausammann" }, "mary-thomas": { "name": "Mary Thomas" }, "mathias-bolt-lesniak": { "name": "Mathias Bolt Lesniak" }, "mathieu-strauch": { "name": "Mathieu Strauch" }, "matthias-van-woensel": { "name": "Matthias Van Woensel", "linkedin": "https://www.linkedin.com/in/matthias-van-woensel-267a069" }, "michael-sharp": { "name": "Michael Sharp" }, "mupsi": { "name": "Marine Gandy" }, "natalie-harper": { "name": "Natalie Harper" }, "ngommenginger": { "name": "Nicolas Gommenginger", "linkedin": "https://www.linkedin.com/in/nicolas-gommenginger" }, "nicholas-bennison": { "name": "Nicholas Bennison" }, "nicholas-vahalik": { "name": "Nicholas Vahalik" }, "nick-hardiman": { "name": "Nick Hardiman" }, "nickanderegg": { "name": "Nickanderegg" }, "nicolas-grekas": { "name": "Nicolas Grekas", "github": "nicolas-grekas", "linkedin": "https://www.linkedin.com/in/nicolasgrekas/" }, "niti-malwade": { "name": "Niti Malwade" }, "opensocialteam": { "name": "Opensocialteam" }, "ori-pekelman": { "name": "Ori Pekelman" }, "otavio-santana": { "name": "Otavio Santana" }, "palwandi": { "name": "Pawan Alwandi", "github": "pawpy", "linkedin": "https://www.linkedin.com/in/pawanalwandi" }, "patrick-boest": { "name": "Patrick Boest" }, "patrick-dawkins": { "name": "Patrick Dawkins", "github": "pjcdawkins", "linkedin": "https://www.linkedin.com/in/patrickdawkins" }, "patrick-klima": { "name": "Patrick Klima" }, "pjcdawkins": { "name": "Pjcdawkins" }, "prineet-kaurbhurji": { "name": "Prineet Kaurbhurji" }, "quentin-sinig": { "name": "Quentin Sinig" }, "ralt": { "name": "Florian Margaine", "github": "ralt", "linkedin": "https://www.linkedin.com/in/florian-margaine-43971136" }, "ramanathanramakrishnamurthy": { "name": "Ramanathanramakrishnamurthy" }, "remi-lejeune": { "name": "Rémi Lejeune" }, "ribel": { "name": "Taras Kruts" }, "robert-douglass": { "name": "Robert Douglass" }, "rudy-weber": { "name": "Rudy Weber" }, "ryan-hicks": { "name": "Ryan Hicks" }, "sabri-helal": { "name": "Sabri Helal" }, "savannah-bergeron": { "name": "Savannah Bergeron" }, "shannon-vettes": { "name": "Shannon Vettes" }, "shawn-ogasawara": { "name": "Shawn Ogasawara", "linkedin": "https://www.linkedin.com/in/shawn-ogasawara-83a9a0/" }, "shawna-spoor": { "name": "Shawna Spoor" }, "shedrack-akintayo": { "name": "Shedrack Akintayo" }, "simon-ruggier": { "name": "Simon Ruggier" }, "sophie-van-der-kindere": { "name": "Sophie Van Der Kindere" }, "stefanos-thampis": { "name": "Stefanos Thampis" }, "stephen-weinberg": { "name": "Stephen Weinberg" }, "sukhman-virk": { "name": "Sukhman Virk" }, "sumaira-nazir": { "name": "Sumaira Nazir" }, "sumer": { "name": "Sümer Cip" }, "syed-raza": { "name": "Syed Raza" }, "tamara-bacchia": { "name": "Tamara Bacchia" }, "tara-arnold": { "name": "Tara Arnold" }, "theosakamg": { "name": "Mickael Gaillard", "github": "theosakamg" }, "thomasdiluccio": { "name": "Thomas di Luccio" }, "tim-anderson": { "name": "Tim Anderson" }, "tom-helmer-hansen": { "name": "Tom Helmer Hansen" }, "tylermills": { "name": "Tyler Mills" }, "upsun": { "name": "Upsun" }, "veronika-tolkachova": { "name": "Veronika Tolkachova", "linkedin": "https://www.linkedin.com/in/veronika-tolkachova-169167a2" }, "vince-parker": { "name": "Vince Parker" }, "vinnie-russo": { "name": "Vincenzo Russo" }, "vrobert78": { "name": "Vincent Robert", "github": "vrobert78", "linkedin": "https://www.linkedin.com/in/vincent-robert-498a883" }, "yuriy-babenko": { "name": "Yuriy Babenko" }, "yuriy-gerasimov": { "name": "Yuriy Gerasimov" } }; return
{(authors.length > 0 || formattedDate) &&
{authors.length > 0 &&
{authors.map(slug => { const {name, url, avatarUrl} = resolveAuthor(slug); const inner = <> {avatarUrl && {name}} {name} ; return url ? {inner} : {inner}; })}
} {authors.length > 0 && formattedDate && } {formattedDate && {formattedDate}}
} {image && }
; }; [Composer](https://getcomposer.org/) just shipped one of its most meaningful improvements in years: **automatic blocking of insecure and vulnerable PHP dependencies**. This is great news for the PHP ecosystem. It’s also something you’ll want to understand before your next deploy suddenly stops mid-build, shouting about abandoned packages you forgot existed. (It happens to the best of us.) Here’s the full breakdown. ## **What Changed in Composer 2.9?** Composer 2.9 introduces [**Automatic Security Blocking**](https://blog.packagist.com/composer-2-9/). When installing without a `composer.lock` file, or updating dependencies, Composer now: * Fails the build if a dependency has a known security advisory * Can fail if a dependency is abandoned (optional, but available … and recommended) * Provides a clear audit report of what’s wrong This behaviour is **on by default**. Upsun doesn’t override it, because it makes everyone safer. ## **“But I didn’t change my dependencies… why is my build failing now?”** Two reasons: ### 1. Your config file requires Composer 2 latest version. A rebuild may pick up the latest version of Composer even if you’re still on the same PHP version. Boom: your dependencies are audited automatically. And, that’s great news! ### 2. Vulnerabilities are published continuously Your dependencies might have been “fine” yesterday but vulnerable today. Composer 2.9 is simply letting you know about problems that already existed. ## **Why we ship Composer 2.9 as-is** Short answer: because it’s good for you. Longer answer: * It prevents vulnerable or abandoned packages from silently entering your production chain. * It pushes the ecosystem toward more secure baselines. * Many users *want* this protection; they rely on it. So instead of turning the feature off, we’re giving you the tools to use it effectively. ## **Your options if your build fails** Let’s be straight: **The best fix is to patch or upgrade the affected dependencies.** This is the healthiest thing you can do for your codebase, your users, and your future self. But you do have escape hatches. ### 1. Ignore specific advisories ```yaml {filename=".upsun/config.yaml (Upsun Flex) or .platform.app.yaml (Upsun Fixed)"} theme={null} dependencies: php: config: audit: ignore: - "PKSA-yhcn-xrg3-68b1" - "PKSA-2wrf-1mxk-1pky" ``` ### 2. Disable automatic blocking (not recommended, but available) ```yaml {filename=".upsun/config.yaml (Upsun Flex) or .platform.app.yaml (Upsun Fixed)"} theme={null} dependencies: php: config: audit: block-insecure: false ``` ### 3. Ignore vulnerabilities based on their severity rating (low/medium/high) ```yaml {filename=".upsun/config.yaml (Upsun Flex) or .platform.app.yaml (Upsun Fixed)"} theme={null} dependencies: php: config: audit: ignore-severity: low: apply: all <-- ignore all low severity findings ``` ## How Upsun handles Composer A common question is whether you can revert to an older Composer version to avoid these checks. ### The Build process “catch-22” Every Upsun PHP image includes a pre-installed, global Composer binary. Currently, this is version 2.9 or newer, which orchestrates your entire build: * The pre-installed global binary (always the latest Composer version available) is what initiates your build process. * Because this global binary is version 2.9+, it automatically performs a security audit before executing any other commands. * Even if you specify an older Composer version in your dependencies block, that version is installed by the global 2.9 binary. * The result: The security audit triggers and fails the build before your requested older version is even downloaded. ### The Solution Since you cannot bypass the global binary, you should not attempt to downgrade the tool. Instead, use the `audit` configuration to ignore specific IDs or severities. The most robust long-term solution remains keeping your dependencies updated and secure. ## **A gentle nudge: Keep those dependencies fresh** Security blocking may feel strict at first, but here’s the upside: * You learn about vulnerabilities early, before they sneak into production. * Your app becomes more resilient. * Your future upgrades stop being archaeology expeditions. In other words: **modernizing your dependencies regularly is now a power move, not a chore**. Composer 2.9 also allows you to block abandoned packages. Go the extra mile and secure your PHP apps' future. ```yaml {filename=".upsun/config.yaml (Upsun Flex) or .platform.app.yaml (Upsun Fixed)"} theme={null} dependencies: php: config: audit: block-insecure: true block-abandoned: true ``` ## **What you should do today** * Run `composer audit` locally to see what’s coming. * Review your project’s dependency tree (yes, even the old stuff). * Decide whether to upgrade, ignore advisories, or temporarily opt out. And remember: your next deployment might use Composer 2.9 unless you pin it explicitly. ## **If you need help, we’re here!** Hit us up on [Discord](https://discord.gg/upsun) or open a [support ticket](https://docs.upsun.com/learn/overview/get-support.html). We want this transition to be smooth, and this feature actually makes your apps safer and easier to maintain in the long term. And hey: if this blog post saved you an afternoon of head-scratching, go upgrade a dependency today. Your future deployments will thank you.