As a (PHP) package developer, you sometimes have classes that are meant for internal use – inside the package itself – only. PHP has no built-in solution for this, but using a DocBlock Tag one can indicate its intended use. As Nuno Maduro explains:
Maybe in the future, the PHP language will have the internal class access modifier, it would prevent people from using internal classes from your library. Meanwhile, the PHP @internal tag can be used to denote that the associated class/method is internal to the library. It’s supported by PHPStorm and it warns people that those classes/methods are not meant to be used
At JSConf EU 2019, CJ Silverio – former CTO at NPM Inc – gave this talk on why a VC-funded private package registry (read: the one ran by NPM Inc) holds many dangers.
Entropic assumes many registries co-existing and interoperating as a part of your normal workflow. All Entropic packages are namespaced, and a full Entropic package spec also includes the hostname of its registry.
If you’re selling PHP packages, the easiest way to offer Composer package installation to your customers is now “Private Packagist for Vendors”. You get a unique URL and authentication token for each customer and they can use these in their composer.json file to install your packages. Especially if you’re still sending zip files to your customers, there is really no reason anymore not to to offer Composer installations.
You can use their our API to integrate “Private Packagist for Vendors” with your existing PHP package shop: Create a customer, grant the customer access to the package, and then get the info needed to send to the customer — all using their API.
// 1. Create Customer
$customer = $client
->create('Acme Web Inc.');
// 2. Grant access to package for customer
'name' => 'my-vendor/cool-package',
'versionConstraint' => '^1.0',
'expirationDate' => strtotime('+1 year'),
// 3. Get info to send to user
$info = $client->customers()->show($customer['id']);
// 'composerRepository' => [
// 'url' => 'https://my-vendor.repo.packagist.com',
// 'user' => 'token',
// 'token' => 'a6addb89a67b2822d352d113',
As you can see in the code above, customers their access can be locked to specific versions and also limited in time.
Mid-December Nils Adermann – Co-Founder of Packagist Conductors & Creator of Composer for PHP – announced Private Packagist.
Being a hosted service, setting up your own Composer package repository on Private Packagist is done with a few clicks. No matter if your private source code is hosted on GitHub, GitLab, Bitbucket, any of their on-premise solutions, or in any other Git, Mercurial, or Subversion repository, Private Packagist can immediately access your code after setting up your credentials to make it available for installation through Composer.
A few years ago I tried setting up Satis, but that didn’t quite work out. Private Packagist would’ve been handy back then 🙂