Dependency Management & Supply Chain Security

Updates postponed, supply chain unclear, AI agents adding packages? Manage dependencies professionally and secure your software supply chain against real attacks.

  • Manage dependencies with Composer comfortably and transparently
  • Secure your software supply chain against real-world attacks
  • Automate updates without jeopardising your project's stability

80 to 95 percent of your application is code you did not write – frameworks, libraries, a transitive web of dependencies. If that code is compromised, your application is compromised.

Security vulnerabilities are found faster and faster – through better static analysis and through LLM-based tools. Supply chain attacks on Open Source packages are on the rise. AI agents add dependencies without anyone reviewing the consequences. And updates keep getting postponed until nothing fits together any more.

In this training, you will learn to think about dependency management and supply chain security as one whole. We cover advanced Composer usage, design patterns such as the Adapter for decoupling dependencies, the threat model of the software supply chain, and the automation of safe updates. You will get the tools, the mental model, and the practices to keep your dependencies under control for good – even as the threat landscape keeps getting worse.

A continuous example project accompanies you through all five sessions: it starts as a poorly maintained project and is built up step by step into a production-ready, secured, and automated project that you take home as a reference after the training.

How the training is structured

Five two-hour online sessions, moving from symptom to solution to safeguarding to automation. Each session delivers a concrete artefact that you can apply in your own projects afterwards.

  • Session 1 – Situation & Composer foundations: Real-world incidents as a situational picture, Composer mechanics under the hood, composer.json vs. composer.lock, Semantic Versioning, and platform requirements.
  • Session 2 – Composer for real-world projects: Private repositories and authentication, Composer plugins as a security topic, autoloading strategies, scripts and hooks.
  • Session 3 – Architecture: Decouple dependencies with Adapter, Facade, and Anti-Corruption Layer so that updates and replacements do not trigger a chain reaction.
  • Session 4 – Supply chain security: An in-depth threat model (SBOM, SLSA, typosquatting, account hijacking), composer audit in practice, Roave Security Advisories, LLM-based security tools.
  • Session 5 – Automating updates: Configuring Renovate, CI as a safety net, PHP major updates with Rector, guardrails for AI agents in the update process.

From the Contents

  • Understand Semantic Versioning and use version constraints in Composer effectively
  • Configure Composer for real-world projects: private repositories, platform requirements, authentication, autoloading
  • Decouple dependencies architecturally with Adapter, Facade, and Anti-Corruption Layer
  • Understand the threat model of the software supply chain and assess audit findings soundly
  • Automate updates with Renovate, safeguarded by CI
  • Recognise what LLM-based security tools can do and where their limits are
  • Establish guardrails for AI agents that add dependencies

Who should participate?

  • PHP developers who use Composer but are unsure about configuration and version constraints
  • Teams that keep postponing updates because they fear breaking changes
  • Developers who take supply chain risks seriously and want to secure their software supply chain
  • Tech leads and architects who want to establish a sustainable update and audit process
  • Teams where AI agents add dependencies without anyone reviewing the consequences
  • Security professionals who want to understand what is possible and common in the Composer world

Are there requirements for participation?

You should have several months of experience programming in PHP or a similar programming language. Basic Composer knowledge (require, install, update) is helpful but not required – we build the mental model from the ground up. For the exercises you need a local PHP development environment (PHP 8.2 or newer, Composer, Git, a terminal) and an editor of your choice.

What this training offers you

  • Configure Composer specifically for real-world requirements – including private repositories, platform requirements, and authentication
  • Set version constraints deliberately and know when which operator is the right one
  • Decouple dependencies architecturally so that updates and replacements do not trigger a chain reaction
  • Understand the threat model of the software supply chain and assess audit findings soundly
  • Automate updates with Renovate, safeguarded by CI, so that your project stays up to date for good
  • Recognise what LLM-based security tools can do and where their limits are
  • Have a process for AI agents that add dependencies

Secure your spot

Start now by registering – or book a free consultation to customise this session for you.

Dependency Management & Supply Chain Security 🇩🇪

Duration: 5 days

7-11 Dec 2026, 10:00-12:00 (CET) each day

Registration deadline: 23 Nov 2026

990 €
Book for 990 €

Dependency Management & Supply Chain Security 🇩🇪

Duration: 5 days

Expected in December 2027. We will be happy to notify you as soon as we have set the dates.

990 €
Online (Zoom), Sebastian Bergmann
Let me know →

Dependency Management & Supply Chain Security 🇩🇪 🇬🇧

Duration: approx. 10 hours

Your preferred date, any number of participants. Either in Zoom or using your preferred video conferencing software.

from 4500 €
Your desired date, online (Zoom), Sebastian Bergmann
Start free consultation on online training →

Dependency Management & Supply Chain Security 🇩🇪 🇬🇧

Duration: 2-3 days

Your preferred date, any number of participants. At your company or at your desired location.

from 5500 €
Your desired date, any location, Sebastian Bergmann
Start free consultation on inhouse training →

Credits allow discounted access to our training courses.
Easy access to all our training courses for a monthly fixed fee.

Frequently Asked Questions

Why are there no full-day online courses?
Our content is designed for optimal online learning: Short, focused sessions promote concentration and provide time to process what has been learned between units.
Are the training sessions live or recorded?
All our training courses take place live as a video conference and are led by an experienced trainer. Participants can ask questions at any time.
What makes your training courses unique?
Our training courses combine hands-on tasks with live coding and solving real-life problems. Our experienced trainers guarantee a particularly good learning experience.
Are your training courses remote or in-person?
We offer our training courses both remotely and in person in order to meet the different requirements of our customers.
Can you tailor training courses specifically to our needs?
Naturally. We can customise our training courses to the individual needs of teams and their technology stacks at any time.
What advantages do individualised training courses offer?
In-house training courses allow you to arrange individual topics, flexible dates and guarantee targeted learning in a familiar environment. This is usually financially viable for four or more participants.
Is there a certification?
Yes, participants will receive a certificate on request after successful participation.