How Do You Manage a Single composer.json for Bedrock & Sage with Private Repos?

Hey everyone,

I’m setting up a WordPress site using Bedrock and plan to use a Sage theme pulled from a private GitHub repo. I want to manage everything—plugins and theme—from one composer.json file in Bedrock. Example:

"repositories": [
      "type": "composer",
      "url": "",
      "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
      "type": "vcs",
      "url": ""

Here are a few things I’m curious about:

  • Is it a good idea to handle one bedrock for 10+ projects with the same plugins and sage-theme1, sage-theme2 fetched dynamically based on the url. What should I watch out for?
  • Any tips on integrating a Sage theme from a private repo without having to tweak composer.json for each update?
  • How do you deal with updates, especially with private repos in the mix?

Would love to hear if anyone has a neat setup or tips on making this smooth and secure.