Having the ability to have a composer registry for packages is great. But I realized that packages published there are publicly downloadable even if the project itself is private. This means the URL stored for the archive file in composer.lock is accessible without the access token which would be needed to access the API. This leads to
composer install being possible whilst
composer update is not.
Is there a way to change that behavior so that authentication always is required? I did not find any documentation on that specific matter.