composer / packagist

Package Repository Website - try https://packagist.com if you need your own -

Home Page:https://packagist.org/


[Question] A package removed all old tags, made both installs as well as updates fail

MetalArend opened this issue · comments

We ran into a small issue a few days ago: Composer could not install or update anything, because the open-telemetry/opentelemetry package was overwritten with a completely new list of tags. Now I have a few questions about how this could even happen.

  • Is there some security built into Packagist to not allow packages to be overwritten like this? In this case it was probably an honest mistake, but this could easily be malicious, by taking over a repository and overwriting the tags one already knows are being used in the wild. Is there some way of protecting against this? Or could Packagist at least document a list of "previously available versions", to indicate that something fishy might be happening?

  • On the other end: is there a way to tell Composer to simply ignore the problematic package temporarily? Maybe temporarily use the already known information from the lock file, to determine on that version if any conflicts were present? We were not trying to update this package, as it is already installed, on a fixed version.

With ❤️

  • On the other end: is there a way to tell Composer to simply ignore the problematic package temporarily? Maybe temporarily use the already known information from the lock file, to determine on that version if any conflicts were present? We were not trying to update this package, as it is already installed, on a fixed version.

Composer supports partial updates, where any package not listed in the allow-list stays at the version in the lock file (there is no equivalent using a block-list rather than an allow-list).

  • Is there some security built into Packagist to not allow packages to be overwritten like this?

Given that Packagist does not host the tarballs, this would not help much, as you would still need the commit to exist on GitHub.
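As an added example (not Composer's or Packagist's own code) of the "previously available versions" check asked about above: compare the versions pinned in composer.lock against what the repository currently advertises, and flag a locked tag that has disappeared or that now resolves to a different commit. All data below is constructed inline; the metadata shape is assumed to match Packagist's per-package p2 JSON (https://repo.packagist.org/p2/<vendor>/<name>.json) after Composer expands it.

```python
# Constructed composer.lock content (shape of a real lock file, fake values).
COMPOSER_LOCK = {
    "packages": [
        {"name": "open-telemetry/opentelemetry", "version": "1.0.0",
         "source": {"type": "git", "url": "https://example.invalid/otel.git",
                    "reference": "aaaa1111" * 5}},
        {"name": "vendor/kept", "version": "2.3.4",
         "source": {"type": "git", "url": "https://example.invalid/kept.git",
                    "reference": "bbbb2222" * 5}},
        {"name": "vendor/moved", "version": "1.2.0",
         "source": {"type": "git", "url": "https://example.invalid/moved.git",
                    "reference": "cccc3333" * 5}},
    ],
    "packages-dev": [],
}

# Constructed repository metadata: name -> list of currently advertised versions
# (shape assumed from Packagist's per-package p2 JSON after Composer expands it).
REPO_METADATA = {"packages": {
    "open-telemetry/opentelemetry": [  # old tags gone, only a new one remains
        {"version": "9.0.0", "source": {"reference": "dddd4444" * 5}}],
    "vendor/kept": [{"version": "2.3.4", "source": {"reference": "bbbb2222" * 5}}],
    "vendor/moved": [  # same tag name, now pointing at a different commit
        {"version": "1.2.0", "source": {"reference": "eeee5555" * 5}}],
}}


def locked_packages(lock):
    """name -> (version, source commit) for every package pinned in composer.lock."""
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            pinned[pkg["name"]] = (pkg["version"], (pkg.get("source") or {}).get("reference"))
    return pinned


def audit_lock(lock, metadata):
    """Compare pinned versions against what the repository advertises now.
    Returns name -> 'missing' (locked version no longer listed) or 'moved'
    (version still listed but its commit changed). Packages with no metadata
    in the slice are skipped; healthy packages are not reported."""
    findings = {}
    for name, (version, ref) in locked_packages(lock).items():
        versions = metadata.get("packages", {}).get(name)
        if versions is None:
            continue  # no metadata fetched for this package
        by_version = {v["version"]: (v.get("source") or {}).get("reference") for v in versions}
        if version not in by_version:
            findings[name] = "missing"
        elif by_version[version] != ref:
            findings[name] = "moved"
    return findings


if __name__ == "__main__":
    for name, state in audit_lock(COMPOSER_LOCK, REPO_METADATA).items():
        print(f"{state:8} {name}")
```

A "moved" finding is the case to treat as suspicious even when the tag name still exists, since the lock file's commit hash is what Composer would have installed before.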

What @stof said.