Composer 1.x — End of Life
EOLComposer 1.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 1 | Apr 5, 2016 | — | Oct 24, 2020 | 1.10.28 | EOL |
CVEs affecting Composer 1.x (0)
Composer 1.x is EOL — migrate to Composer 2.x
Composer 2.x is the next major release. Plan your upgrade before Composer 1.x stops receiving security patches.
Frequently asked questions
Is Composer 1 end of life?
Yes. All Composer 1.x releases have reached end of life and no longer receive security patches. Migrate to Composer 2.x as soon as possible.
What CVEs affect Composer 1?
No CVEs are currently tracked for Composer 1.x in our database. This may mean no vulnerabilities have been recorded yet, or the data is still syncing.
What is the latest Composer 1 version?
The latest Composer 1.x patch release is 1.10.28, released on May 13, 2026. Always run the latest patch to benefit from all security fixes.
How to migrate from Composer 1 to Composer 2?
To migrate from Composer 1 to Composer 2: (1) review the official Composer 2 migration guide for breaking changes, (2) update dependencies and configuration accordingly, (3) test thoroughly in a staging environment, (4) deploy with a rollback plan. Starting early gives you time to resolve compatibility issues before your current version reaches end of life.
Is it safe to run Composer 1 in production?
No. Composer 1 has reached end of life and security vulnerabilities are no longer patched. Upgrade to a supported version immediately.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA