
WIKICROOK

Composer

A PHP dependency manager used with Packagist.

Composer is the standard dependency manager for PHP. It installs, updates, and resolves library versions from repositories such as Packagist, using files like composer.json and composer.lock to control what a project downloads and runs. In practice, Composer is part of the software supply chain: it determines which third-party code enters an application and when updates are applied.

In cyber security, Composer matters because dependency installation often happens in automated build and deployment pipelines. If a package, repository, or update path is compromised, attackers may introduce malicious code into a trusted project. Composer workflows can also touch sensitive CI credentials, so misconfigured permissions or unsafe log handling can expose tokens during dependency jobs. Defenders use lockfiles, version pinning, integrity checks, and least-privilege pipeline settings to reduce the risk.
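As an added illustration (not code from this page or from the Composer project), the Python sketch below audits a composer.json / composer.lock pair for the lockfile and version-pinning controls mentioned above. The `acme/*` packages, the `example.test` URLs and the specific heuristics are assumptions made for this example.

```python
import json

# Constructed sample files (hypothetical "acme/*" packages, example.test URLs).
MANIFEST = json.loads("""{"require": {
  "php": "^8.2", "acme/logger": "^2.1", "acme/http": "*",
  "acme/utils": "dev-main", "acme/cache": ">=1.0"}}""")
LOCK = json.loads("""{"packages": [
  {"name": "acme/logger", "version": "2.1.4",
   "dist": {"type": "zip", "url": "https://example.test/logger.zip"}},
  {"name": "acme/http", "version": "3.0.0",
   "dist": {"type": "zip", "url": "http://example.test/http.zip"}},
  {"name": "acme/utils", "version": "dev-main",
   "source": {"type": "git", "url": "https://example.test/utils.git"}}],
 "packages-dev": []}""")

def loose_constraints(manifest):
    """composer.json entries that let 'composer update' pull arbitrary new code."""
    out = []
    for section in ("require", "require-dev"):
        for name, c in manifest.get(section, {}).items():
            c = c.strip()
            unbounded = c.startswith(">") and "<" not in c
            if c == "*" or c.startswith("dev-") or c.endswith("-dev") or unbounded:
                out.append(name)
    return out

def lock_findings(manifest, lock):
    """Flag required packages missing from composer.lock and risky locked entries."""
    locked = {p["name"]: p for s in ("packages", "packages-dev") for p in lock.get(s, [])}
    out = []
    for section in ("require", "require-dev"):
        for name in manifest.get(section, {}):
            # Platform requirements (php, ext-*) have no "/" and are never locked.
            if "/" in name and name not in locked:
                out.append((name, "required but not locked"))
    for name, pkg in locked.items():
        for kind in ("source", "dist"):
            url = pkg.get(kind, {}).get("url", "")
            if url.startswith(("http://", "git://")):
                out.append((name, f"{kind} fetched over plaintext"))
        if pkg["version"].startswith("dev-"):
            out.append((name, "locked to a branch, not a release"))
    return out

if __name__ == "__main__":
    print("loose constraints:", loose_constraints(MANIFEST))
    for name, issue in lock_findings(MANIFEST, LOCK):
        print(f"{name}: {issue}")
```

A check like this fits as a pipeline step before dependency installation, failing the job when either function returns findings.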
