Is there a way to protect package archives in the composer registry from being publicly downloadable?


Having the ability to have a composer registry for packages is great. But I realized that packages published there are publicly downloadable even if the project itself is private. This means the URL stored for the archive file in composer.lock is accessible without the access token which would be needed to access the API. This leads to composer install being possible whilst composer update is not.

Is there a way to change that behavior so that authentication always is required? I did not find any documentation on that specific matter.

Kind regards,