our company"s current project is based on Laravel. Currently, git does not catch up with the vendor directory. Each update server will pull composer install"s new dependencies on the server.

now, in addition to the web side, we will add the app side. In order to keep the business code clean and clear, we are going to open a new project to write separately, because there will be a lot of duplicate business on the web side and the app side. We are going to package some modules and distribute the installation with composer.

so private warehouses are involved. After checking on the Internet, it is found that satis can build local warehouses, but there is a problem. After satis build, there seems to be no way to restrict authentication. If I expose the warehouse to the public network, then people who know the address can require the packets in it at will, and cannot guarantee security.

the method I have considered here:

set up a special server around the warehouse server and set up the whitelist of IP access.
although this method can control access, sometimes because of the automatic scaling policy, AWS pulls up a new server on its own. When IP is uncertain, it will not be possible to install our private package

track the vendor directory
install only the packages you need locally, upload the vendor directory to git, and the server can just pull.
although this method can solve the problem, due to the different development levels of the team, the content of the lock file may be inconsistent with that of the vendor. What"s more, directly modify the code of the package in vendor, and then someone else has a update, and the code will kneel directly. There are still a lot of risks and not elegant enough.

I would like to ask you, is there any good solution?