Pricore is Now in Public Beta: A Private Composer Registry Built for PHP Teams

Maarten Bode
Maarten Bode

I’m excited to announce the public beta of Pricore, an open-source, self-hosted private Composer registry.

But before I explain what Pricore does and why I built it, let me back up for a moment.

What is a private package registry?

If you write PHP, you already use Composer. It’s the package manager that lets you pull in open-source libraries like Laravel, Symfony, or PHPUnit with a single command. Those packages live on Packagist, a public registry that anyone can publish to and download from.

But what about code you don’t want to share with the world?

Most teams build internal libraries over time: shared authentication logic, API clients for internal services, helper packages used across multiple projects. This code is too valuable to publish publicly, but too useful to copy-paste between repositories.

A private package registry solves this. It works just like Packagist, but only your team can access it. You get all the benefits of Composer (version management, dependency resolution, easy installation) for your private code.

The problem: private PHP packages are a pain

If you’ve tried to manage private packages before, you’ve probably run into one of these approaches:

VCS repositories in composer.json. The most common workaround. You add a Git URL directly to your composer.json, and Composer clones the entire repository every time it resolves dependencies. It works for one or two packages, but it’s slow, doesn’t scale, and clutters your config.

Satis (static file generator). Composer’s official solution for private packages. You define your packages in a JSON file, run a build command, and upload the generated static files to a web server. Every time you release a new version, you rebuild and re-upload. It works, but the manual process gets old fast.

SaaS platforms. Services like Private Packagist handle the hosting for you. They’re polished and reliable, but your package metadata lives on someone else’s servers, and the costs add up as your team grows.

Abandoned open-source projects. A few open-source registries have come and gone over the years. Most were side projects that stopped getting updates, leaving teams stuck on unmaintained software.

None of these options felt right. I wanted something that combined the reliability of a proper application with the control of self-hosting. So I built Pricore.

What is Pricore?

Pricore is a full Composer v2 registry that runs on your own servers. You point it at your Git repositories, and it handles the rest: mirroring, indexing, versioning, and serving packages to Composer.

Pricore dashboard
Packages, downloads, and activity at a glance. One dashboard, zero guesswork.

Here’s what you get:

  • Token-based authentication with per-package access control. Create read-only tokens for CI, scoped tokens for specific packages, or full-access tokens for administrators.
  • Git-based mirroring. Add a GitHub or GitLab repository, and Pricore automatically detects tags and branches, reads your composer.json, and serves each version to Composer. Full support for generic Git and Bitbucket is on the roadmap.
  • Webhook-driven updates. Connect your GitHub or GitLab repositories and when you push a new tag, Pricore picks it up within seconds. No manual rebuilds.
  • A web dashboard for browsing packages, managing access tokens, and viewing download stats. No CLI-only workflows.
  • Full Composer v2 API support including metadata-url for fast dependency resolution. Your composer install stays fast, even with dozens of private packages.

Built on Laravel

Pricore is a Laravel application. If your team already works with Laravel (and if you’re managing private PHP packages, there’s a good chance you do), the codebase will feel familiar.

That means you can read the source, extend the functionality, or contribute back without learning a new framework or language. It’s PHP all the way down.

Open source, no strings attached

Pricore is Apache 2.0 licensed. Every feature available today will remain free forever. If we introduce a Premium tier in the future, it will only add new features. We’ll never move existing functionality behind a paywall. The same code that powers Pricore Cloud runs on your own servers.

Getting started

Three commands, about 60 seconds:

# Download the compose file
curl -o docker-compose.yml \
  https://raw.githubusercontent.com/pricorephp/pricore/main/docker-compose.yml

# Start the application
docker compose up -d

# Create your first user
docker compose exec app php artisan pricore:install

Open http://localhost:8000 and you’re ready to add your first private package.

Don’t want to self-host?

Pricore Cloud is the fully managed version. Same open-source registry, but we handle the servers, updates, and backups. Sign up and start adding packages in minutes.

What’s next?

Pricore is currently in public beta. The core registry works and is ready for use, but there’s more to come. Here’s what’s on the roadmap:

  • Full Git provider support. GitHub and GitLab integrations are complete. Full support for generic Git repositories and Bitbucket is coming next.
  • Team management. Role-based access control with team scoping.
  • CLI companion. A dedicated CLI tool for managing your registry from the terminal.

Get involved

Pricore is open source and contributions are welcome. Bug reports, feature requests, pull requests: it all helps.

Private PHP package management should be simple. Pricore makes it that way.

launch open-source composer php
Back to blog