cotonet/soak-time 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

cotonet/soak-time

Composer 安装命令:

composer require cotonet/soak-time

包简介

Protects against supply chain attacks by filtering recently published packages.

README 文档

README

A Composer plugin designed to mitigate Supply Chain Attacks by enforcing a "soak time" (minimum age) on all installed package versions.

Recently published packages or updates can sometimes carry malicious code (zero-days or compromised maintainer accounts). This plugin acts as a shield by completely hiding recent releases from the Composer solver, ensuring you only install mature, community-vetted code.

💡 How it works

This plugin intercepts Composer's PRE_POOL_CREATE event. It analyzes the release dates of all requested packages (including deep transitive dependencies) and drops any version that is newer than your configured threshold.

Composer will then gracefully resolve your dependencies using older, safer versions, avoiding the "dependency hell" of manual conflict resolution.

📦 Installation

Install this plugin as a development dependency:

composer require --dev cotonet/soak-time

Or install it globally to protect all your local projects:

composer global require cotonet/soak-time

⚙️ Configuration

By default, the plugin enforces a minimum age of 168 hours (7 days).

Customize this in the extra section of your project's composer.json:

{
    "extra": {
        "soak-time-hours": 360
    }
}

Whitelisting Packages

Some packages, like security advisories or internal company packages, need to be updated constantly and should bypass the soak time filter. You can allow them permanently by adding an array of package names to soak-time-whitelist in your composer.json:

{
    "extra": {
        "soak-time-hours": 168,
        "soak-time-whitelist": [
            "roave/security-advisories",
            "your-company/internal-package"
        ]
    }
}

🚨 Emergency Bypass (Security Patches)

If you need to install a critical security patch that was released just a few hours ago, you can bypass the filter using the SOAK_TIME_SKIP environment variable:

Linux / macOS:

SOAK_TIME_SKIP=1 composer update vendor/package-name

Windows (PowerShell):

$env:SOAK_TIME_SKIP=1; composer update vendor/package-name

🔍 Debugging

To see which versions are being dropped, run Composer with the verbose flag (-v):

composer update -v

📄 License

This project is licensed under the MIT License.

统计信息

  • 总下载量: 9.39k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 3
  • 点击次数: 0
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 3
  • Watchers: 1
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: Unknown
  • 更新时间: 2026-03-31

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固