dunglas, Supply chain attacks are a plague in the #JavaScript ecosystem. #PHP is less affected, but we can do even better! I just proposed a patch to #Composer to detect when your dependencies introduce new dependencies from sources you don't trust.
We will use this feature to improve the security of @symfony and @ApiPlatform. It should also be possible to port this idea to @npmjs and other package managers 🤝
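One way to express the check the post describes, as an added example in Python (not the proposed Composer patch itself): compare two composer.lock snapshots and report packages that appear only in the newer one and are fetched from a host outside an assumed allowlist. The package names, URLs and TRUSTED_HOSTS below are constructed for the example.

```python
"""Added example (not Composer's own code): flag packages newly introduced by a
composer.lock update whose source host is not on a trusted allowlist."""
import json
from urllib.parse import urlparse

# Constructed sample lock data, trimmed to the fields the check needs.
OLD_LOCK = json.dumps({"packages": [
    {"name": "symfony/console", "source": {"url": "https://github.com/symfony/console.git"}},
]})
NEW_LOCK = json.dumps({"packages": [
    {"name": "symfony/console", "source": {"url": "https://github.com/symfony/console.git"}},
    {"name": "symfony/string", "source": {"url": "https://github.com/symfony/string.git"}},
    {"name": "acme/helper", "source": {"url": "https://git.example.invalid/acme/helper.git"}},
    {"name": "acme/nosrc", "dist": {"url": "https://cdn.example.invalid/acme-nosrc.zip"}},
]})

TRUSTED_HOSTS = {"github.com"}  # assumption: the hosts you choose to trust


def package_host(pkg):
    """Return the host a package is fetched from: source URL first, dist URL as fallback."""
    for key in ("source", "dist"):
        url = pkg.get(key, {}).get("url")
        if url:
            return urlparse(url).hostname  # None for non-URL forms (e.g. scp-style git)
    return None


def untrusted_new_packages(old_lock, new_lock, trusted_hosts=TRUSTED_HOSTS):
    """Return (name, host) for packages present only in new_lock whose host is untrusted.

    Packages already in old_lock are skipped: the point is to catch dependencies
    that a transitive update pulled in from somewhere you never opted into.
    """
    old_names = {p["name"] for p in json.loads(old_lock).get("packages", [])}
    findings = []
    for pkg in json.loads(new_lock).get("packages", []):
        if pkg["name"] in old_names:
            continue
        host = package_host(pkg)
        if host not in trusted_hosts:  # a missing host is treated as untrusted
            findings.append((pkg["name"], host))
    return findings


if __name__ == "__main__":
    for name, host in untrusted_new_packages(OLD_LOCK, NEW_LOCK):
        print(f"new dependency {name} comes from untrusted source: {host}")
```

In practice you would run this against the lock file before and after `composer update` and fail the build when it returns anything.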