Add cooldown policy config to filter newly released packages

[crocodele]

Introduces a configurable cooldown: a waiting period before a newly published package version becomes installable, to reduce exposure to supply-chain attacks where a compromised maintainer pushes a malicious release (many such versions are caught within hours/days of publication).

Configuration

Lives under config.policy.cooldown:

{
    "config": {
        "policy": {
            "cooldown": {
                "age": "7 days",
                "block": true,
                "audit": "report",
                "ignore": {
                    "vendor/pkg": "reason / pinned for now"
                }
            }
        }
    }
}

• age: cooldown duration. Integer seconds, or "<n> <unit>" where unit is second/minute/hour/day/week (singular or plural). null/0 disables. Relative phrases like "tomorrow" are rejected rather than silently misinterpreted.
• block (default true): withhold too-new versions during update/require.
• audit (ignore|report|fail, default ignore): how composer audit treats within-cooldown installed/locked packages.
• ignore: package/constraint patterns that bypass the cooldown.
• Env overrides: COMPOSER_POLICY_COOLDOWN_AGE, COMPOSER_POLICY_COOLDOWN_BLOCK (and the global COMPOSER_POLICY switch).
• Settable via composer config policy.cooldown.age "7 days" etc.

Trustworthy timestamp (published-time)

The cooldown measures against a new repository-owned field, published-time, which the package author cannot influence – falling back to the existing author-controlled time only when a repository does not provide it. When the fallback is used, the cooldown message says so explicitly. This closes the "attacker back-dates time to skip the cooldown" hole. published-time is added to the repository JSON schema and is persisted in composer.lock/installed.json so composer audit can use the authoritative date offline. (Server-side population on Packagist is already in place.)

Behaviour

• Security-fix bypass: a version released after a matching security advisory (and not affected by it), within 2x the cooldown window, bypasses the cooldown so fixes aren't withheld. Only the oldest such fix per constraint part bypasses. Works even when advisory blocking is disabled.
• Never filtered: root package, platform packages, locked/installed packages, dev versions, and versions with no usable date (conservative).
• Audit integration: composer audit can report or fail on within-cooldown packages.
• Clear errors: when a required version is withheld, the message states how long until it clears and whether the authoritative or fallback timestamp was used, and points at policy.cooldown.ignore / policy.cooldown.block.

Backwards compatibility

Opt-in: no effect until an age is set. Repositories and older clients that don't know published-time are unaffected (unknown field ignored / graceful fallback to time).

Related to #12633.

Developed with assistance from Claude Code (Opus 4.x).

[Seldaek]

It'd be great to add support in ConfigCommand as well for setting the age and exceptions

[crocodele]

Added in 5e094e3. I added test cases only for happy paths.

[Seldaek]

Thanks a bunch, looks quite solid at first sight but I'll have to review more in depth for sure.

[Seldaek]

So thinking some more about this feature, I realized that an attacked could right now easily fake the release date to put it in the past, as the release is under control of the package authors..

Thus I think if we want to do this, we should have a new date like publish_date or something that is purely owned by the package repositories and cannot be set by the packages. And the minimum-release-age would apply to that date (if available). Just writing this down for future reference.. not really expecting you to act on this right now.

[stof]

@Seldaek isn't the release date the date of the git commit for VCS-based repositories ?

[Seldaek]

It'd be safer here to avoid relying on having the same object instance I think

Suggested change

	if (isset($oldestSecurityFixDate[$key]) && $releaseDate === $oldestSecurityFixDate[$key]) {
	if (isset($oldestSecurityFixDate[$key]) && $releaseDate->getTimestamp() === $oldestSecurityFixDate[$key]->getTimestamp()) {

[crocodele]

Addressed in one of the recent commits.

[Seldaek]

You need to support $diff->m and $diff->y too here for completeness to avoid showing incorrect diffs.

[Seldaek]

Or maybe rather use ->days which is the full amount of days diff.

[crocodele]

Using ->days now, in CooldownPolicyConfig.php.

[Seldaek]

Maybe we should validate expected formats with a regex here to avoid any random config?

[crocodele]

Ultimately I ended up doing exactly this, i.e. limiting the value to strings like "1 week", "3 days", "60 hours" etc., or an integer value which is interpreted as number of seconds. Ambiguity around valid strtotime() strings like "last week" and "next week" might be problematic.

[Seldaek]

This means versions are being hidden though, right? It'd be great to have some .test files to test all the problem output here.

[Seldaek]

@Seldaek isn't the release date the date of the git commit for VCS-based repositories ?

Yes but that is completely under the control of the committer.

And on top of that if you set the 'time' property in the composer.json you can just set whatever date and that will take precedence over the VCS inferred date.

[Inscure]

The recent "axios" incident is a perfect example of why we need this feature asap.

A native quarantine period (24–72h) would provide a vital proactive buffer, shielding PHP projects from similar supply chain attacks. It allows the community to flag malicious releases before they are automatically pulled into production via automated updates.

Implementing this now would be a massive win for PHP security and ecosystem stability.

[arabcoders]

And on top of that if you set the 'time' property in the composer.json you can just set whatever date and that will take precedence over the VCS inferred date.

In my opinion this need to be addressed, as this work around rely solely on the time, if attacker is able to change the release date to say month or something then this mitigation is useless,

Recent attacks started to appear in composer registry for ref

I think this option should be deprecated and removed, or at least should be turned off and rely on date from the registry first and fallback to vcs when this option turned on

[CybotTM]

Security fixes automatically bypass cooldown when released after a security advisory (within 2x cooldown window)

Security advisories usually mention the fixed versions, only those fixed versions may bypass cooldown - but this should be configurable.

[jdsdev]

If security advisories were highlighted during an update, that could also give users the option of researching the advisory, and deciding whether to bypass the cooldown manually.

Recently there was a compromise of the intercom/intercom-php package, so this is no longer theoretical.

[crocodele]

So thinking some more about this feature, I realized that an attacked could right now easily fake the release date to put it in the past, as the release is under control of the package authors..

Thus I think if we want to do this, we should have a new date like publish_date or something that is purely owned by the package repositories and cannot be set by the packages. And the minimum-release-age would apply to that date (if available). Just writing this down for future reference.. not really expecting you to act on this right now.

@Seldaek, do you think we can pursue this publish timestamp that is owned by the package repositories, starting with Packagist? Or what would be the best way forward? I suppose the whole minimum-release-age feature is useful only when the release date for package versions can't be faked – otherwise it brings a false sense of security.

[Seldaek]

I don't think it's such a hard problem and I'll get on it soon but this had to take a backseat for higher prio things (also security related.. Zero chill at the moment with all the attacks and AI driven security audits)

[crocodele]

I don't think it's such a hard problem and I'll get on it soon but this had to take a backseat for higher prio things (also security related.. Zero chill at the moment with all the attacks and AI driven security audits)

Thanks! If there's something I can do to help, let me know. And once there's a clear path, I'm more than happy to clean up this PR and make the required changes here.

[MarkusJLechner]

Came here by because of laravel-lang supply chain attack (https://snyk.io/de/blog/laravel-lang-supply-chain-advisory/). We tried hacking together our own fix, but this really needs to be in composer itself.

looking at the thread, it seems like any custom approach would be easily bypassed by the "backdating the release date" trick that's already been mentioned.

please prioritize merging this, it solves a real problem that we currently have no clean way to fix. thanks for the great work!

Edit: k, #12633 (comment)
Came along that comment, would leave this comment here for future readers that +1 should be avoided as this a a change of something bigger

[Seldaek]

@crocodele composer/packagist#1765 is now live so IF metadata has published-time it should be preferred over time as the release date. This field needs to be added to composer-schema and parsed by ArrayLoader and added to PackageInterface too.

However a few other things since the 2.10 release need to be changed here:

• I've thought about the name and IMO cooldown might be a better name, as it is much shorter and generally how people refer to this as dependency cooldown. Not sure if we need to rename or not, but worth considering.
• This should be configured within the new framework of dependency policies i.e. config: policy: cooldown: { ... }. We need to review the whole config format in depth and make sure names are unified and follow the existing policy stuff tho, I will try and do that next week.
• This cooldown announcement from rubygems made us realize we probably should support cooldown in the outdated command as well, but maybe that should be kept for a follow-up PR as this one is already big enough.

[github-actions]

API Surface Changes

If any of the additions below are not intended as public API, mark them with @internal in the docblock.

New API Surface

Methods

• Composer\DependencyResolver\Pool::isCooldownRemovedPackageVersion — public function isCooldownRemovedPackageVersion(string $packageName, Composer\Semver\Constraint\ConstraintInterface|null $constraint): bool
• Composer\DependencyResolver\Pool::getAllCooldownRemovedPackageVersions — public function getAllCooldownRemovedPackageVersions(): array
• Composer\DependencyResolver\Pool::getCooldownInfoForPackageVersion — public function getCooldownInfoForPackageVersion(string $packageName, Composer\Semver\Constraint\ConstraintInterface|null $constraint): array|null
• Composer\Package\Package::setPublishedDate — public function setPublishedDate(DateTimeInterface|null $publishedDate): void
• Composer\Package\PackageInterface::getPublishedDate — abstract public function getPublishedDate(): DateTimeInterface|null

Properties

• Composer\Package\Package::publishedDate — protected $publishedDate

Modified API Surface

Methods

• Composer\DependencyResolver\Pool::__construct

  - public function __construct(array $packages = [], array $unacceptableFixedOrLockedPackages = [], array $removedVersions = [], array $removedVersionsByPackage = [], array $securityRemovedVersions = [], array $abandonedRemovedVersions = [], array $filterListRemovedVersions = [])
  + public function __construct(array $packages = [], array $unacceptableFixedOrLockedPackages = [], array $removedVersions = [], array $removedVersionsByPackage = [], array $securityRemovedVersions = [], array $abandonedRemovedVersions = [], array $filterListRemovedVersions = [], array $cooldownRemovedVersions = [])

• Composer\DependencyResolver\PoolBuilder::__construct

  - public function __construct(array $acceptableStabilities, array $stabilityFlags, array $rootAliases, array $rootReferences, IOInterface $io, ?EventDispatcher $eventDispatcher = null, ?PoolOptimizer $poolOptimizer = null, array $temporaryConstraints = [], ?SecurityAdvisoryPoolFilter $securityAdvisoryPoolFilter = null, ?FilterListPoolFilter $filterListPoolFilter = null)
  + public function __construct(array $acceptableStabilities, array $stabilityFlags, array $rootAliases, array $rootReferences, IOInterface $io, ?EventDispatcher $eventDispatcher = null, ?PoolOptimizer $poolOptimizer = null, array $temporaryConstraints = [], ?SecurityAdvisoryPoolFilter $securityAdvisoryPoolFilter = null, ?FilterListPoolFilter $filterListPoolFilter = null, ?CooldownPoolFilter $cooldownPoolFilter = null)

• Composer\Repository\RepositorySet::createPool

  - public function createPool(Request $request, IOInterface $io, ?EventDispatcher $eventDispatcher = null, ?PoolOptimizer $poolOptimizer = null, array $ignoredTypes = [], ?array $allowedTypes = null, ?SecurityAdvisoryPoolFilter $securityAdvisoryPoolFilter = null, ?FilterListPoolFilter $filterListPoolFilter = null): Pool
  + public function createPool(Request $request, IOInterface $io, ?EventDispatcher $eventDispatcher = null, ?PoolOptimizer $poolOptimizer = null, array $ignoredTypes = [], ?array $allowedTypes = null, ?SecurityAdvisoryPoolFilter $securityAdvisoryPoolFilter = null, ?FilterListPoolFilter $filterListPoolFilter = null, ?CooldownPoolFilter $cooldownPoolFilter = null): Pool

[crocodele]

@crocodele composer/packagist#1765 is now live so IF metadata has published-time it should be preferred over time as the release date. This field needs to be added to composer-schema and parsed by ArrayLoader and added to PackageInterface too.

Using published-time now when available, falling back to the less-trustworthy time.

However a few other things since the 2.10 release need to be changed here:

• I've thought about the name and IMO cooldown might be a better name, as it is much shorter and generally how people refer to this as dependency cooldown. Not sure if we need to rename or not, but worth considering.

I went with minimum-release-age originally to align with other (non-PHP) tools such as Renovate, npm, and pnpm. Renamed everything from minimum-release-age to cooldown now.

• This should be configured within the new framework of dependency policies i.e. config: policy: cooldown: { ... }. We need to review the whole config format in depth and make sure names are unified and follow the existing policy stuff tho, I will try and do that next week.

Changed the config format.

• This cooldown announcement from rubygems made us realize we probably should support cooldown in the outdated command as well, but maybe that should be kept for a follow-up PR as this one is already big enough.

Yeah, this is almost 3k lines already, so I'll leave this out for now. 😅