GitLab Composer packages available publicly in self-hosted

It’s possible to download composer packages if the composer.lock is disclosed

Describe your question in as much detail as possible:

I’ve tested the Composer registry feature of GitLab.
I’ve created a project for the package.
I’ve created another project that is using the package.

If the composer.lock is disclosed, or you copy URLs that point to GitLab Composer packages, it’s possible to download these packages without any rights.
Example of a URL in the composer.lock file: https://[instance]/api/v4/projects/[Namespace Number]/packages/composer/archives/[NS]/[Project].zip?sha=[GOOD SHA HASH]
We are on a self-hosted instance, and the project is internal. If I copy and paste this URL, I am able to download this package with my browser in incognito mode.

  • What are you seeing, and how does that differ from what you expect to see?
    I think that it must be possible to download the Composer package only with an appropriate token.

  • What version are you on? Are you using self-managed or GitLab.com?
    Self Managed 14.7

    • GitLab (Hint: /help):
    • Runner (Hint: /admin/runners):
  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)
    The CI configuration for generating the package is a copy and paste of the documentation, as seen here:
    Composer packages in the Package Registry | GitLab

  • What troubleshooting steps have you already taken? Can you link to any docs or other resources so we know where you have been?
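An added audit script (not from the post or from GitLab) for checking your own instance for the behaviour described above: it pulls the GitLab Composer archive URLs out of a composer.lock, probes each one with an anonymous request (no token), and reports which archives are downloadable without credentials, with the `sha` parameter stripped before anything is logged. The instance host, project id and sha in the embedded sample are constructed placeholders.

```python
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Archive URL shape quoted in the post:
# /api/v4/projects/<id>/packages/composer/archives/<ns>/<project>.zip?sha=<hash>
ARCHIVE_RE = re.compile(r"/api/v4/projects/\d+/packages/composer/archives/[^?]+\.zip$")

def gitlab_archive_urls(lock_text):
    """Return (package name, dist URL) pairs that point at a GitLab Composer archive."""
    lock = json.loads(lock_text)
    found = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            url = (pkg.get("dist") or {}).get("url", "")
            if ARCHIVE_RE.search(urlsplit(url).path):
                found.append((pkg["name"], url))
    return found

def redact_sha(url):
    """Drop the query string so the sha never ends up in logs or tickets."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def http_status(url):
    """Anonymous HEAD request, deliberately sent without any token; returns the status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code

def audit(lock_text, fetch=http_status):
    """Map package name -> True when its archive is reachable with no credentials (HTTP 200)."""
    return {name: fetch(url) == 200 for name, url in gitlab_archive_urls(lock_text)}

# Constructed sample composer.lock; host, project id and sha are placeholders.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "acme/internal-lib", "dist": {"type": "zip", "url":
     "https://gitlab.example.com/api/v4/projects/42/packages/composer/archives/acme/internal-lib.zip?sha=PLACEHOLDER_SHA"}},
    {"name": "monolog/monolog", "dist": {"type": "zip", "url":
     "https://api.github.com/repos/Seldaek/monolog/zipball/abc"}}], "packages-dev": []})

if __name__ == "__main__":
    # With a path argument, audit a real lock file over the network; otherwise run offline on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    fetch = http_status if len(sys.argv) > 1 else (lambda url: 200)
    for (name, url), exposed in zip(gitlab_archive_urls(text), audit(text, fetch).values()):
        print(f"{name} {redact_sha(url)}: {'ANONYMOUSLY DOWNLOADABLE' if exposed else 'protected'}")
```

A package reported as anonymously downloadable on an internal or private project is the condition the post describes; on a correctly protected instance every GitLab entry should come back as protected.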