SLFO-pool/php-composer2
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
php-composer2/php-composer2.changes

1042 lines
59 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Wed Jul 2 10:49:10 UTC 2025 - pgajdos@suse.com
- version update to 2.8.9
* Fixed json schema issues with version validation (#12376)
* Fixed bump-after-update triggering after an update --lock, which makes no sense (#12371)
* Fixed zip bomb false positives when unpacking using ZipArchive (#12409)
* Fixed creation of empty archives (#12408)
* Removed output of script being run when running via composer <script-name> (#12383)
- modified sources
% composer.phar
-------------------------------------------------------------------
Tue Apr 22 10:31:49 UTC 2025 - pgajdos@suse.com
- fix keyring (https://github.com/composer/composer/issues/12009)
- modified sources
% php-composer2.keyring
-------------------------------------------------------------------
Thu Apr 17 08:07:49 UTC 2025 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 2.8.8
- Fixed json schema issues with version validation
- Fixed issues running on 32bit machines
- Update to version 2.8.7
- Added COMPOSER_MAX_PARALLEL_PROCESS env var to control max amount of parallel processes Composer will start
- Added zstd/brotli presence in diagnose command output
- Fixed error handler to avoid spamming deprecation notices
- Fixed InstalledVersions returning duplicate data at Composer runtime
- Fixed handling of --with ... constraints to make them apply to packages replaced a package with a different name
- Fixed deprecation warnings showing up in IDE code inspections within the vendor dir
- Fixed a few json schema completeness issues
- Fixed issue autoloading files with a .phar inside the path
- Update to version 2.8.6
- Added COMPOSER_WITH_DEPENDENCIES and COMPOSER_WITH_ALL_DEPENDENCIES env vars to enable the --with[-all]-dependencies flags
- Added COMPOSER_SKIP_SCRIPTS env var to tell Composer to skip certain script handlers by script names (comma separated)
- Fixed handling of backslash in folder names when creating archives
- Fixed detection of containerd for containers to avoid warning about root usage
- Update to version 2.8.5
- Fixed InstalledVersions regression from 2.8.4 when reload() is used
- Fixed psr-0/psr-4 rules having unstable order in vendor/composer/autoload*.php
- Fixed a few warnings happening incorrectly in edge cases
- Update to version 2.8.4
- Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both)
- Fixed issue on plugin upgrade when it defines multiple classes
- Fixed duplicate errors appearing in the output depending on php settings
- Fixed InstalledVersions returning duplicate data in some instances
- Fixed installed.php sorting to be deterministic
- Fixed bump-after-update failing when using inline constraints
- Fixed create-project command to now disable symlinking when used with a path repo as argument
- Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant
- Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as standard part of your build is probably a terrible idea anyway
- Fixed curl usage to disable multiplexing on broken versions when proxies are in use
- Update to version 2.8.3
- Fixed react/promise requirement to allow 2.x installs again
- Fixed some issues when lock:false is set in require and bump commands
- Update to version 2.8.2
- Fixed crash while suggesting providers if they have no description
- Fixed issues creating lock files violating the schema in some circumstances
- Fixed create-project regression in 2.8.1 when using path repos with relative paths
- Fixed ctrl-C aborts not working inside text prompts
- Fixed git failing silently when git cannot read a repo due to ownership violations
- Fixed handling of signals in non-PHP binaries run via proxies
- Update to version 2.8.1
- Fixed init command regression when no license is provided
- Fixed --strict-ambiguous flag handling whereas it sometimes did not report all issues
- Fixed create-project to inherit the target folder's permissions for installed project files
- Fixed a few cases where the prompt for using a parent dir's composer.json fails to work correctly
- Update to version 2.8.0
- BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes
- Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer
- Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting
- Added --ignore-severity flag to the audit command to ignore one or more advisory severities
- Added --bump-after-update flag to the update command to run bump after the update is done
- Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs
- Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies
- Added a JSON schema for the composer.lock file
- Added better support for Bitbucket app passwords when cloning repos / installing from source
- Added --type flag to filter packages by type(s) in the reinstall command
- Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found
- Added warning in dump-autoload when vendor files have been deleted
- Added warnings for each missing platform package when running create-project to avoid having to run it again and again
- Added sorting of packages in allow-plugins when sort-packages is enabled
- Added suggestion of provider packages / polyfills when an ext or lib package is missing
- Improved interactive package update selection by first outputting all packages and their possible updates
- Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way
- Fixed PHP 8.4 deprecation warnings about E_STRICT
- Fixed init command to validate the given license identifier
- Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches
- Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0
- Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs
- Fixed php://stdin potentially being open several times when running Composer programmatically
- Fixed handling of platform packages in why-not command and partial updates
- Added source signature and keyring
-------------------------------------------------------------------
Tue Nov 12 12:43:04 UTC 2024 - pgajdos@suse.com
- version update to 2.7.9
2.7.9
Fixed Docker detection breaking on constrained environments (#12095)
Fixed upstream issue in bash completion script, it is recommended to update it using the completion command (#12015)
2.7.8
Added release-age, release-date and latest-release-date in the JSON output of outdated (#12053)
Fixed PHP 8.4 deprecation warnings
Fixed addressability of branches containing # signs (#12042)
Fixed bump command not handling some ~ constraints correctly (#12038)
Fixed COMPOSER_AUTH not taking precedence over ./auth.json (#12084)
Fixed relative: true sometimes not being respected in path repo symlinks (#12092)
Fixed copy from cache sometimes failing on VirtualBox shared folders (#12057)
Fixed PSR-4 autoloading order regression in some edge case (#12063)
Fixed duplicate lib-* packages causing issues when having pecl + core versions of the same PHP extension (#12093)
Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)
Fixed memory issues when installing large binaries (#12032)
Fixed archive command crashing when a path cannot be realpath'd on windows (#11544)
API: Deprecated BasePackage::$stabilities in favor of BasePackage::STABILITIES (685add7)
Improved Docker detection (#12062)
- modified sources
% composer.phar
-------------------------------------------------------------------
Tue Jun 11 07:12:44 UTC 2024 - pgajdos@suse.com
- version update to 2.7.7 [bsc#1226181][bsc#1226182]
2.7.7 2024-06-10
Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
Fixed perforce argument escaping (3773f775)
Fixed handling of zip bombs when extracting archives (de5f7e32)
Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)
2.7.6 2024-05-04
Fixed regression when script handlers add an autoloader which uses a private callback (#11960)
2.7.5 2024-05-03
Added uninstall alias to remove command (#11951)
Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
Fixed root usage warnings showing up within Podman containers (#11946)
Fixed config command not handling objects correctly in some conditions (#11945)
Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)
2.7.4 2024-04-22
Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in an pre-2.7.3 version (#11943, #11940)
2.7.3 2024-04-19
BC Warning: Fixed https_proxy env var falling back to http_proxy's value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
Fixed show and outdated commands to remove leading v in e.g. v1.2.3 when showing lists of packages (#11925)
Fixed audit command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
Fixed the warning about a missing default version showing for packages with project type as those are typically not versioned and do not have cyclic dependencies (#11885)
Fixed PHP 8.4 deprecation warnings
Fixed clear-cache command to respect the config.cache-dir setting from the local composer.json (#11921)
Fixed status command not handling failed download/install promises correctly (#11889)
Added support for buy_me_a_coffee in GitHub funding files (#11902)
Added hg support for SSH urls (#11878)
Fixed some env vars with an integer value causing a crash (#11908)
Fixed context data not being output when using IOInterface as a PSR-3 logger (#11882)
2.7.2 2024-03-11
Added info about the PHP version when running composer --version (#11866)
Added warning when the root version cannot be detected (#11858)
Fixed plugins still being enabled in a few contexts when running as root (c3efff91f)
Fixed outdated --ignore ... still attempting to load the latest version of the ignored packages (#11863)
Fixed handling of broken symlinks in the middle of an install path (#11864)
Fixed update --lock still incorrectly updating some metadata (#11850, #11787)
2.7.1 2024-02-09
Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
Fixed diagnose auditing of Composer dependencies failing when running from the phar
- modified sources
% composer.phar
-------------------------------------------------------------------
Wed Feb 21 23:07:27 UTC 2024 - Bernd Ritter <comrad@opensuse.org>
- Updated composer2.phar to match upstreams sha256 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0
-------------------------------------------------------------------
Mon Feb 12 09:54:13 UTC 2024 - pgajdos@suse.com
- version update to 2.7.1 [bsc#1219757] CVE-2024-24821
2.7.1
* Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
* Fixed diagnose auditing of Composer dependencies failing when running from the phar
2.7.0
* Security: Fixed code execution and possible privilege escalation via compromised
vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
* Changed the default of the audit.abandoned config setting to fail, set it to report or
ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
* Added --minimal-changes (-m) flag to update/require/remove commands to perform
partial update with --with-dependencies while changing only what is absolutely
necessary in transitive dependencies (#11665)
* Added --sort-by-age (-A) flag to outdated/show commands to allow
sorting by and displaying the release date (most outdated first) (#11762)
* Added support for --self combined with --installed or --locked in show command, to
add the root package to the package list being output (#11785)
* Added severity information to audit command output (#11702)
* Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
* Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force
IPv4 or IPv6, set it to 4 or 6 (#11791)
* Added support for wildcards in outdated's --ignore arg (#11831)
* Added support for bump command bumping * to >=current version (#11694)
* Added detection of constraints that cannot possibly match anything to validate command (#11829)
* Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
* Added audit of Composer's own bundled dependencies in diagnose command (#11761)
* Added GitHub token expiration date to diagnose command output (#11688)
* Added non-zero status code to why/why-not commands (#11796)
* Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
* Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
* Fixed bump command not bumping packages required with a v prefix (#11764)
* Fixed automatic disabling of plugins when running non-interactive as root
* Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
* Fixed require command crashing at the end if no lock file is present (#11814)
* Fixed root aliases causing problems when auditing locked dependencies (#11771)
* Fixed handling of versions with 4 components in require command (#11716)
* Fixed compatibility issues with Symfony 7
* Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
* Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)
2.6.6
* Fixed symfony/console requirement to exclude 7.x as Composer 2.6 is not compatible, 2.7 will be (#11741)
* Fixed libpq parsing to use the global constant if available (#11684)
* Fixed error output when updating with a temporary constraint fails (#11692)
- modified sources
% composer.phar
-------------------------------------------------------------------
Thu Oct 12 13:47:04 UTC 2023 - Ish Sookun <ish@hacklog.in>
- version update to 2.6.5
* 2.6.5 2023-10-06
- Fixed error when vendor dir contains broken symlinks (#11670)
- Fixed composer.lock missing from Composer's zip archives (#11674)
- Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0)
-------------------------------------------------------------------
Mon Oct 2 09:40:31 UTC 2023 - pgajdos@suse.com
- version update to 2.6.4
* 2.6.4 2023-09-29 [bsc#1215859]
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,
executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command (#11647)
- Performance improvement in pool optimization step (#11638)
- Performance improvement in show -a <packagename> (#11659)
* 2.6.3 2023-09-15
- Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future
default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
- Added a warning when duplicates files autoload rules are detected (#11109)
- Fixed unhandled promise rejection regression (#11620)
- Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
- Fixed archive command not producing the correct output if the temp dir is a symlink (#11636)
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
* 2.6.2 2023-09-03
- Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them,
they are now more transparent (#11562)" which caused a regression (#11617)
- Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit
audits with require, create-project or update commands (#11616)
- Fixed create-project infinite post-install loop in some circumstances (#11613)
* 2.6.1 2023-09-01
- Reverted "Fixed executability of non-php binaries which are not marked executable (#11557)" which
caused a regression (#11612)
* 2.6.0 2023-09-01
- Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
- Added rm alias to the remove command (#11367)
- Added runtime platform check to verify the php-64bit requirement is met (#11334)
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
- Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying
the filesystem (#11608)
- Added support for bumping patch level in ~1.2.3 constraints (#11590)
- Added prompt in require if the package name is not found but similar ones exist (#11284)
- Added support for env vars and ~ in repository paths for vcs and artifact repositories (#11453)
- Added support for local directory paths for repositories of type composer (#11526)
- Added links to package homepages in why/why-not command output (#11308)
- Added a security key to the support key of composer.json to set the URL to the vulnerability
disclosure policy (#11271)
- Added support for gathering security advisories from multiple repositories for a single package (#11436)
- Fixed install exit code to be non-zero (5) if a requested security audit failed (#11362)
- Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them, they are now
more transparent (#11562) (Reverted in 2.6.2)
- Fixed executability of non-php binaries which are not marked executable (#11557) (Reverted in 2.6.1)
- Fixed mtime modification of the vendor dir to only happen when packages are modified, and not require
lock file modification to happen (#11593)
- Fixed create-project using the wrong composer.json file if one was set via the COMPOSER env var (#11493)
- Fixed json editing to preserve indentation when updating json files (#11390)
- Fixed handling of broken junctions on windows (#11550)
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
- Fixed svn repo parsing in some edge cases (#11350)
- Fixed handling of archive URLs without file extension (#11520)
- Performance improvement in pool optimization step (#11449, #11450)
- modified sources
% composer.phar
-------------------------------------------------------------------
Thu Jul 27 10:13:04 UTC 2023 - Ish Sookun <ish@hacklog.in>
- Update to version 2.5.8
* Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
* Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
* Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
* Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
* Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
* BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
* Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
* Fixed lock file verification on install to deal better with replace/provide (#11475)
* Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
* Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
* Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
* Fixed support for plugin classes being marked as readonly (#11404)
* Fixed getmypid being required as it is not always available (#11401)
* Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
-------------------------------------------------------------------
Tue Mar 21 11:38:06 UTC 2023 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.5
* Fixed basic auth failures resulting in infinite retry loop (#11320)
* Fixed GitHub rate limit reporting (#11366)
* Fixed InstalledVersions error in Composer 1 compatibility edge case (#11304)
* Fixed issue displaying solver problems with branch names containing `%` signs (#11359)
* Fixed race condition in cache validity detection when running Composer highly concurrently (#11375)
* Fixed various minor config command issues (#11353, #11302)
-------------------------------------------------------------------
Wed Feb 15 15:09:27 UTC 2023 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.4
* Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11318)
- Update to version 2.5.3
* Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)
-------------------------------------------------------------------
Sat Feb 4 14:10:18 UTC 2023 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.2
* Added warning when `require` auto-selects a feature branch as that is probably not desired (#11270)
* Fixed `self.version` requirements reporting lock file integrity errors when changing branches (#11283)
* Fixed `require` regression which broke the --fixed flag (#11247)
* Fixed security audit reports loading when exclude/only filter rules are used on a repository (#11281)
* Fixed autoloading regression on PHP 5.6 (#11285)
* Fixed archive command including an existing archive into itself if run repeatedly (#11239)
* Fixed dev package prompt in `require` not appearing in some conditions (#11287)
-------------------------------------------------------------------
Sun Dec 25 05:14:42 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.1
* Fixed ClassLoader regression which made it fail if serialized (e.g. within PHPUnit process isolation) (#11237)
* Fixed preg type error in svn version guessing (#11231)
-------------------------------------------------------------------
Wed Dec 21 12:31:32 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.0
* BC Warning: To prevent abuse of our includeFile() function it is now gone, it was not part of the official API but may still cause issues if some code incorrectly relied on it (#11015)
* Improved version guessing of `require` command to use the dependency resolution result instead of using the latest available version (except if you run with --no-update) (#11160)
* Improved version selection in `archive` command (#11230)
* Added autocompletion of config option names in the `config` command (#11130)
* Added support for writing [custom commands as Command classes](https://getcomposer.org/doc/articles/scripts.md#writing-custom-commands) (#11151)
* Added hard failure when installing from a lock file which does not satisfy the composer.json requirements (#11195)
* Added warning when the outdated command rejects a new package due to unmet platform requirements (#11113)
* Added support for `bump` command to bump `>=x` to `>=installed-version` (#11179)
* Added `--download-only` flag to `install` command to only download and prime the cache with the package archives (#11041)
* Added autoconfiguration of `github-domains`/`gitlab-domains` when GitHub/GitLab credentials are configured for a custom domain (#11062)
* Added hard failure (throw) if COMPOSER_AUTH is present and malformed JSON (#11085)
* Added interactive prompt to `run-script` and `exec` commands if run without any argument (#11157)
* Added interactive prompt where to store credentials when a project-local auth.json exists (#11188)
* Fixed full disk warning to be shown when less than 100MiB is available (#11190)
* Fixed cache keys to allow `_` to avoid conflicts between package names like `a-b` and `a_b` (#11229)
* Fixed docker compatibility by making paths more portable even if the project is installed at `/` (#11169)
-------------------------------------------------------------------
Sun Nov 6 11:39:12 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.4.4
* Added extra debug output when a zip extraction fails while on
GitHub Actions (#11148)
* Fixed cache write failures when the cache dir gets removed during
a composer run (#11076)
* Fixed 2.4.3 regression in loading Composer on SMB/network shares
(#11077)
* Fixed --dry-run flag missing from bump command (#11047)
* Fixed status command reporting differences when the source ref is
a tag (#11155)
* Fixed outdated command outputting legend on stdout instead of stderr
* Fixed URL sanitizer to handle new GitHub personal access tokens
format (#11137)
- Update to version 2.4.3
* BC Break: The json format of audit command now has reportedAt as an
RFC3339 string instead of an object which was a mistake (#11120)
* Fixed json format of audit command which was missing affectedVersions
(#11120)
* Fixed plugin commands not being loaded during bash completions
(#11074)
* Fixed parsing of inline aliases within complex constraints with
|| or , (#11086)
* Fixed min-php version check in autoload.php to avoid crashing sites
running on PHP 5.5 or below silently with a 200 (#11091)
* Fixed JsonFile reading files without checking if they are readable
first (#11077)
* Fixed require command with --dry-run failing when requiring a package
requiring stability flag extraction (#11112)
-------------------------------------------------------------------
Sun Sep 25 06:24:30 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.4.2
* Fixed bash completion hanging when running as root without
COMPOSER_ALLOW_SUPERUSER set (#11024)
* Fixed handling of plugin activation when running as root without
COMPOSER_ALLOW_SUPERUSER set so it always happens after prompting,
or does not happen if input is non-interactive
* Fixed package filter on bump command (#11053)
* Fixed handling of --ignore-platform-req with upper-bound ignores
to not apply to conflict rules (#11037)
* Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0
* Fixed handling of zero-major versions in outdated command with
--major-only (#11032)
* Fixed show --platform regression since 2.4.0 when running in a
directory without composer.json (#11046)
* Fixed a few strict type errors
- Update to version 2.4.1
* Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit
flag in CI (#10998)
* Fixed show command showing packages in two sections, this was only
meant for the outdated command (#11000)
* Fixed local git repos being copied to cache unnecessarily (#11001)
* Fixed git cache invalidation issue when a git tag gets created after
the cache has loaded a given reference (#11004)
- Update to version 2.4.0
* Added bash completions for Composer commands, package names, etc
(see how to setup) (#10320)
* Added bump command to bump requirements to the currently installed
version (#10829)
* Added audit command to check for known security vulnerabilities in
installed packages (#10798, #10898)
* Added automatic auditing of security vulnerabilities after update
is done, can be overridden with --no-audit (#10798, #10898)
* Added --audit to install command to also do an audit (#10798, #10898)
* Added json format output to the check-platform-reqs command (#10979)
* Added GitLab 15+ token refresh support (#10988)
* Added r alias to require command (#10953)
* Added composer/class-map-generator dependency to replace
Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
* Added --locked to depends/prohibits commands (#10834)
* Added --strict-psr flag to dump-autoload command to fail the process
if PSR violations were detected, useful for CI (#10886)
* Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars
to turn on --prefer-stable/--prefer-lowest on update and require
command, useful for CI (#10919)
* Added support for temporary update constraints on all packages
(now also including non-root dependencies) (#10773)
* Added --major-only flag to the outdated command to show only
packages with major version updates (#10827)
* Added sections for direct and transitive deps in outdated command
output (#10779)
* Added ability for cache GC to clean up vcs and repo caches (#10826)
* Added --gc flag to clear-cache to only trigger a garbage collection
instead of clearing everything (#10826)
* Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait
for the child process to exit before Composer exits to avoid
dropping output (#10958)
* Added prompt suggesting using --dev when requiring packages with
dev/testing/static analysis keywords present (#10960)
* Added warning in require, init and create-project commands when
the latest version of a package cannot be used due to platform
requirements (#10896)
* Fixed COMPOSER_NO_DEV so it also works with require and remove's
--update-no-dev (#10995)
-------------------------------------------------------------------
Sat Jul 16 06:27:13 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.3.10
* Fixed plugins from CWD/vendor being loaded in some cases like
create-project or validate even though the target directory is
outside of CWD (#10935)
* Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo)
plugins which will not warn/error anymore if not in allow-plugins,
as they are anyway not loaded (#10928)
* Fixed pre-install check for allowed plugins not taking --no-plugins
into account (#10925)
* Fixed support for disable_functions containing disk_free_space
(#10936)
* Fixed RootPackageRepository usages to always clone the root package
to avoid interoperability issues with plugins (#10940)
- Update to version 2.3.9
* Fixed non-interactive behavior of allow-plugins to throw instead
of continue with a warning to avoid broken installs (#10920)
* Fixed allow-plugins BC mode to ensure old lock files created pre-2.2
can be installed with only a warning but plugins fully loaded (#10920)
* Fixed deprecation notice (#10921)
* Fixed type errors (#10924)
-------------------------------------------------------------------
Sat Jul 2 06:03:18 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.3.8
* Fixed support for cache-read-only where the filesystem is not writable (#10906)
* Fixed type error when using allow-plugins: true (#10909)
* Fixed @putenv scripts receiving arguments passed to the command (#10846)
* Fixed support for spaces in paths with binary proxies on Windows (#10836)
* Fixed type error in GitDownloader if branches cannot be listed (#10888)
* Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
* Fixed type errors (#10904, #10897)
-------------------------------------------------------------------
Sat Jun 11 08:25:54 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.3.7
* Fixed a few PHPStan ConfigReturnTypeExtension bugs
* Fixed Config default for auth configs to be empty arrays instead
of null, fixes issues with diagnose command (#10814)
* Fixed handling of broken symlinks when checking whether a package
is still installed (#6708)
* Fixed bin proxies to allow a proxy to include another one safely
(#10823)
* Fixed openssl 3.x version parsing as it is now semver compliant
* Fixed type error when a json file cannot be read (#10818)
* Fixed parsing of multi-line arrays in funding.yml (#10784)
-------------------------------------------------------------------
Fri Jun 3 05:20:13 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.3.6
* Added Composer\PHPStan\ConfigReturnTypeExtension to improve return
types of Config::get() which you can also use in plugins CI (#10635)
* Fixed name validation regex in schema causing issues with JS IDEs
like VS Code (#10811)
* Fixed unnecessary HTTP request in BitbucketDriver (#10729)
* Fixed invalid credentials loop when setting up GitLab token (#10748)
* Fixed PHP 8.2 deprecations (#10766)
* Fixed lock file changes being output even when the lock file creation
is disabled
* Fixed race condition when multiple requests asking for auth on the
same hostname fired concurrently (#10763)
* Fixed quoting of commas on Windows (#10775)
* Fixed issue installing path repos with a disabled symlink function
(#10786)
* Fixed various type errors (#10753, #10739, #10751)
-------------------------------------------------------------------
Thu May 5 15:23:25 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 2.3.5
* Security: Fixed command injection vulnerability in
HgDriver/GitDriver: CVE-2022-24828
* Added warning when downloading a file with verify_peer[_name] disabled
* Fixed curl downloader not retrying when a DNS resolution failure occurs
* Fixed composer.lock file still being used/read when the lock
config option is disabled
* Fixed validate command checking the lock file even if the lock
option is disabled
* Fixed detection of default branch name when it changed since a
git repo was mirrored in cache dir
- Update to version 2.3.4
* Fixed the generated autoload.php to support running on PHP 5.6+
(down from 7.0+) and warn clearly on older PHP versions
* Fixed run-script --list flag regression
* Fixed curl downloader handling of DNS resolution failures to do
an automatic retry
* Fixed various type errors
* [bsc#1198494]
-------------------------------------------------------------------
Sun Apr 3 07:39:55 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.3.3
* Added --2.2 flag to `self-update` to pin the Composer version to
the 2.2 LTS range (#10682)
* Added missing config.bitbucket-oauth in composer-schema.json
* Fixed type errors in SvnDriver (#10681)
* Fixed --version output to match the pre-2.3 one (#10684)
* Fixed config/auth.json files not being validated against the
composer-schema.json (#10685)
* Fixed generation of autoload crashing if a package has a broken
path (#10688)
* Fixed GitDriver state issue when reusing old cache dirs and the
default branch was renamed (#10687)
* Updated semver, jsonlint deps for minor fixes
* Removed dev-master=>dev-main alias from #10372 as it does not
work when reloading from lock file and extracting dev deps (#10651)
- Update to version 2.3.2
* Fixed type error when running `exec` command (#10672)
* Fixed endless loop in plugin activation prompt when input is not
fully interactive yet appears to be (#10648)
* Fixed type error in ComposerRepository (#10675)
* Fixed issues loading platform packages where the version of a
library cannot be established (#10631)
- Update to version 2.3.1
* Fixed type error when HOME env var is not set (#10670)
- Update to version 2.3.0
* Fixed many strict types errors (#10646, #10642, #10647, #10658,
#10656, #10665, #10660, #10663, #10662)
* Fixed invalid return value in ComposerRepository::findPackage
(#10622)
* Fixed many `show` command issues due to a flipped condition
(#10623)
* Fixed `phpversion()` handling when it returns false due to an
extension defining no version (#10631)
* Fixed `remove` command failing when no `allow-plugin` is defined
in config (#10629)
* Performance improvement in Composer bootstrapping (version guessing)
when on a feature branch (#10632)
* BC Break: the minimum PHP version is now 7.2.5+, use the
[Composer 2.2 LTS](https://github.com/composer/composer/issues/10340)
if you are stuck with an older PHP (#10343)
* BC Break: added native parameter & return types to many internal
APIs, we explicitly left the most extended/implemented symbols
untouched but if this causes problems nonetheless please report
it ASAP (#10547, #10561)
* BC Break: added visibility to all constants, a few internal ones
have been made private/protected, if this causes problems please
report it ASAP (#10550)
* BC Break: the minimum supported Symfony components version is
now 5.4, this only affects you if you are requiring composer/
composer directly however, which is generally frowned upon
* Bumped `composer-plugin-api` to `2.3.0`
* Bumped bundled Symfony components from 2.8 to 5.4 🥳
* Added `declare(strict_types=1)` to all the classes, which for
sure could cause regressions in edge cases, please report with
stack traces (#10567)
* Added `--patch-only` to the `outdated` command to only show
updates to patch versions and ignore new major/minor versions
(#10589)
* Added clickable links to various commands for terminals which
support it (#10430)
* Added ProcessExecutor ability to receive commands as arrays by
(internals/plugin change only) (#10435)
* Added abandoned flag to `show`/`outdated` commands JSON-formatted
output (#10485)
* Added config.reference option to `path` repositories to configure
the way the reference is generated, and possibly reduce composer.lock
conflicts (#10488)
* Added automatic removal of allow-plugins rules when removing a
plugin via the `remove` command (#10615)
* Added COMPOSER_IGNORE_PLATFOR_REQ & COMPOSER_IGNORE_PLATFOR_REQS
env vars to configure the equivalent flags (#10616)
* Added support for Symfony 6.0 components
* Added support for psr/log 3.x (#10454)
* Fixed symlink creation in linux VM guest filesystems to be
recognized by Windows (#10592)
* Performance improvement in pool optimization step (#10585)
-------------------------------------------------------------------
Fri Feb 25 13:48:06 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 2.2.7
* Fixed support for packages with no licenses in licenses
command output
* Fixed handling of allow-plugins: false which kept warning
* Fixed enum parsing in classmap generation when the enum keyword
is not lowercased
* Fixed author parsing in init command requiring an email whereas
the schema allows a name only
* Fixed issues in require command when requiring packages which
do not exist (but are provided by something else you require)
* Performance improvement in pool optimization step
-------------------------------------------------------------------
Sat Feb 19 03:50:13 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.2.6
* BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for
binaries added in Composer 2.2.2 had to be renamed to
COMPOSER_RUNTIME_BIN_DIR (#10512)
* Fixed enum parsing in classmap generation with syntax like enum
foo:string without space after : (#10498)
* Fixed package search not urlencoding the input (#10500)
* Fixed reinstall command not firing pre-install-cmd/post-install-cmd
events (#10514)
* Fixed edge case in path repositories where a symlink: true option
would be ignored on old Windows and old PHP combos (#10482)
* Fixed test suite compatibility with latest symfony/console
releases (#10499)
* Fixed some error reporting edge cases (#10484, #10451, #10493)
- Update to version 2.2.5
* Disabled composer/package-versions-deprecated by default as it
can function using Composer\InstalledVersions at runtime (#10458)
* Fixed artifact repositories crashing if a phar file was present
in the directory (#10406)
* Fixed binary proxy issue on PHP <8 when fseek is used on the
proxied binary path (#10468)
* Fixed handling of non-string versions in package repositories
metadata (#10470)
- Update to version 2.2.4
* Fixed handling of process timeout when running async processes
during installation
* Fixed GitLab API handling when projects have a repository
disabled (#10440)
* Fixed reading of environment variables (e.g. APPDATA) containing
unicode characters to workaround a PHP bug on Windows (#10434)
* Fixed partial update issues with path repos missing if a path
repo is required by a path repo (#10431)
* Fixed support for sourcing binaries via the new bin proxies (#10389)
* Fixed messaging when GitHub tokens need SSO authorization (#10432)
-------------------------------------------------------------------
Mon Feb 7 12:30:44 UTC 2022 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- PHP Composer 2 requires PHP 7.2.5 at least
-------------------------------------------------------------------
Thu Feb 3 13:17:29 UTC 2022 - pgajdos@suse.com
- php is not required for build
-------------------------------------------------------------------
Thu Jan 6 16:52:22 UTC 2022 - pgajdos@suse.com
- version update to 2.2.3
2.2.3 2021-12-31
* Fixed issue with PHPUnit and process isolation now including PHPUnit
<6.5 (#10387)
* Fixed interoperability issue with laminas/laminas-zendframework-bridge
and Composer 2.2 (#10401)
* Fixed binary proxies for shell scripts to work correctly when they are
symlinked (jakzal/phpqa#336)
* Fixed overly greedy pool optimization in cases where a locked package
is not required by anything anymore in a partial update (#10405)
2.2.2 2021-12-29
* Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing
the path to the bin-dir for binaries. Packages relying on finding the
bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
* Fixed issue when new binary proxies are combined with PHPUnit and process
isolation (#10387)
* Fixed deprecation warnings when using Symfony 5.4+ and requiring
composer/composer itself (#10404)
* Fixed UX of plugin warnings (#10381)
2.2.1 2021-12-22
* Fixed plugin autoloading including files autoload rules from the root
package (#10382)
* Fixed issue parsing php files with unterminated comments found inside
backticks (#10385)
2.2.0 2021-12-22
* Added support for using dev-main as the default path repo package
version if no VCS info is available (#10372)
* Added --no-scripts as a globally supported flag to all Composer commands
to disable scripts execution (#10371)
* Fixed self-update failing in some edge cases due to loading plugins
(#10371)
* Fixed display of conflicts showing the wrong package name in some
conditions (#10355)
2.2.0-RC1 2021-12-08
* Bumped composer-runtime-api and composer-plugin-api to 2.2.0
* UX Change: Added allow-plugins config value to enhance security against
runtime execution, this will prompt you the first time you use a plugin
and may hang pipelines if they aren't using --no-interaction (-n) as they
should (#10314)
* Added an optimization pass to reduce the amount of redundant inspected
during resolution, drastically improving memory and CPU usage (#9261,
#9620)
* Added a global $_composer_autoload_path variable containing the path
to autoload.php for binaries (#10137)
* Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
* Added support for ignoring the upper bound of platform requirements
using "name+" notation e.g. using --ignore-platform-req=php+ would
allow installing a package requiring php: 8.0.* on PHP 8.1, but not on
PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
* Added support for setting platform packages to false in
config.platform to disable/hide them (#10308)
* Added use-parent-dir option to configure the prompt for using
composer.json in upper directory when none is present in current dir
(#10307)
* Added composer platform package which is always the exact version of
Composer running unlike composer-*-api packages (#10313)
* Added a --source flag to config command to show where config values
are loaded from (#10129)
* Added support for files autoloaders in the runtime scripts/plugins
contexts (#10065)
* Added retry behavior on certain http status and curl error codes (#10162)
* Added abandoned flag display in search command output
* Added support for --ignore-platform-reqs in outdated command (#10293)
* Added --only-vendor (-O) flag to search command to search (and return)
vendor names (#10336)
* Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
* Fixed archive command to behave more like git archive, gitignore/hgignore
are not taken into account anymore, and gitattributes support was improved
(#10309)
* Fixed unlocking of replacers when a replaced package is unlocked (#10280)
* Fixed auto-unlocked path repo packages also unlocking their transitive
deps when -w/-W is used (#10157)
* Fixed handling of recursive package links (e.g. requiring or replacing
oneself)
* Fixed env var reads to check $_SERVER and $_ENV before getenv for broader
ecosystem compatibility (#10218)
* Fixed archive command to produce archives with files sorted by name (#10274)
* Fixed VcsRepository issues where server failure could cause missing
tags/branches (#10319)
* Fixed some error reporting issues (#10283, #10339)
-------------------------------------------------------------------
Sat Dec 11 14:22:54 UTC 2021 - Yunhe Guo <i@guoyunhe.me>
- Use update-alternatives
- Update to 2.1.14
* Fixed invalid release build (2.1.13 was deleted as invalid)
* Removed symfony/console ^6 support as we cannot be compatible
until Composer 2.3.0 is released. If you have issues with
Composer required as a dependency + Symfony make sure you stay
on Symfony 5.4 for now. (#10321)
-------------------------------------------------------------------
Wed Nov 10 12:18:57 UTC 2021 - Yunhe Guo <i@guoyunhe.me>
- Obsoletes php-composer (version 1.x)
- Update to 2.1.12
* Fixed issues in proxied binary files relying on __FILE__ / __DIR__
on php <8 (#10261)
* Fixed 9999999-dev being shown in some cases by the show command (#10260)
* Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)
- Update to 2.1.11
* Fixed issues in proxied binary files when using declare() on php <8 (#10249)
* Fixed GitHub Actions output escaping issues (#10243)
- Update to 2.1.10
* Added type annotations to all classes, which may have an effect on
CI/static analysis for people using Composer as a dependency (#10159)
* Fixed CurlDownloader requesting gzip encoding even when no gzip
support is present (#10153)
* Fixed regression in 2.1.6 where the help command was not working for
plugin commands (#10147)
* Fixed warning showing when an invalid cache dir is configured but
unused (#10125)
* Fixed require command reverting changes even though dependency
resolution succeeded when something fails in scripts for example (#10118)
* Fixed require not finding the right package version when some newly
required extension is missing from the system (#10167)
* Fixed proxied binary file issues, now using output buffering (e1dbd65)
* Fixed and improved error reporting in several edge cases (#9804,
#10136, #10163, #10224, #10209)
* Fixed some more Windows CLI parameter escaping edge cases
- Update to 2.1.9
* Security: Fixed command injection vulnerability on Windows
(GHSA-frqg-7g38-6gcf / CVE-2021-41116)
* Fixed classmap parsing with a new class parser which does not rely
on regexes anymore (#10107)
* Fixed inline git credentials showing up in output in some conditions
(#10115)
* Fixed support for running updates while offline as long as the
cache contains enough information (#10116)
* Fixed show --all foo/bar which as of 2.0.0 was not showing all
versions anymore but only the installed one (#10095)
* Fixed VCS repos ignoring some versions silently when the API rate
limit is reached (#10132)
* Fixed CA bundle to remove the expired Let's Encrypt root CA
-------------------------------------------------------------------
Fri Sep 17 10:41:52 UTC 2021 - pgajdos@suse.com
- requires php-mbstring [bnc#1187416]
-------------------------------------------------------------------
Wed Sep 15 12:49:17 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to 2.1.8
Fixed regression in 2.1.7 when parsing classmaps in files containing
invalid Unicode (gh#composer/composer#10102)
- Update to 2.1.7
* Added many type annotations internally, which may have an effect on
CI/static analysis for people using Composer as a dependency. This work will
continue in following releases
* Fixed regression in 2.1.6 when parsing classmaps with empty heredocs
(gh#composer/composer#10067)
* Fixed regression in 2.1.6 where list command was not showing plugin
commands (gh#composer/composer#10075)
* Fixed issue handling package updates where the package type changed
(gh#composer/composer#10076)
* Fixed docker being detected as WSL when run inside WSL
(gh#composer/composer#10094)
- Update to 2.1.6
* Updated internal PHAR signatures to be SHA512 instead of SHA1
* Fixed uncaught exception handler regression (gh#composer/composer#10022)
* Fixed more PHP 8.1 deprecation warnings
(gh#composer/composer#10036, gh#composer/composer#10038,
gh#composer/composer#10061)
* Fixed corrupted zips in the cache from blocking installs until a cache
clear, the bad archives are now deleted automatically on first failure
(gh#composer/composer#10028)
* Fixed URL sanitizer handling of new github tokens (gh#composer/composer#10048)
* Fixed issue finding classes with very long heredocs in classmap
autoload (gh#composer/composer#10050)
* Fixed proc_open being required for simple installs from zip, as well as
diagnose (gh#composer/composer#9253)
* Fixed path repository bug causing symlinks to be left behind after a
package is uninstalled (gh#composer/composer#10023)
* Fixed issue in 7-zip support on windows with certain archives
(gh#composer/composer#10058)
* Fixed bootstrapping process to avoid loading the composer.json and
plugins until necessary, speeding things up slightly (gh#composer/composer#10064)
* Fixed lib-openssl detection on FreeBSD (gh#composer/composer#10046)
* Fixed support for ircs:// protocol for support.irc composer.json entries
-------------------------------------------------------------------
Tue Jul 27 12:55:08 UTC 2021 - Klaus Kämpf <kkaempf@suse.com>
- Require php-curl as Composer strongly recommends this.
-------------------------------------------------------------------
Tue Jul 27 12:46:47 UTC 2021 - Klaus Kämpf <kkaempf@suse.com>
- Update to 2.1.5
Mostly bugfixes. See https://github.com/composer/composer/releases
for details.
-------------------------------------------------------------------
Sun Oct 25 23:13:35 UTC 2020 - Yunhe Guo <i@guoyunhe.me>
- Version 2.0.2
* Fixed regression handling composer show -s in projects where no
version can be guessed from VCS
* Fixed regression handling partial updates/require when a lock
file was missing
* Fixed interop issue with plugins that need to update dist URLs
of packages
- Version 2.0.1
* Fixed crash on PHP8
- Version 2.0.0
* Breaking: This is a major release and while we tried to keep things
compatible for most users, you might want to have a look at the
UPGRADE guides
* Many CPU and memory performance improvements
* The update command is now much more deterministic as it does not
take the already installed packages into account
* Package installation now performs all network operations first
before doing any changes on disk, to reduce the chances of ending
up with a partially updated vendor dir
* Partial updates and require/remove are now much faster as they
only load the metadata required for the updated packages
* Added a platform-check step when vendor/autoload.php gets initialized
which checks the current PHP version/extensions match what is
expected and fails hard otherwise. Can be disabled with the
platform-check config option
* Added a Composer\InstalledVersions class which is autoloaded in
every project and lets you check which packages/versions are
present at runtime
* Added a composer-runtime-api virtual package which you can require
(as e.g. ^2.0) to ensure things like the InstalledVersions class
above are present. It will effectively force people to use Composer
2.x to install your project
* Added support for parallel downloads of package metadata and zip
files, this requires that the curl extension is present and we thus
strongly recommend enabling curl
* Added parallel installation of packages (requires OSX/Linux/WSL,
and that unzip is present in PATH)
* Added much clearer dependency resolution error reporting for common
error cases
* Added support for updating to a specific version with partial
updates, as well as a --with flag to pass in temporary constraint
overrides
* Added automatic removal of packages which are not required anymore
whenever an update is done, this will purge packages previously
left over by partial updates and require/remove
* Added support for TTY mode on Linux/OSX/WSL so that script handlers
now run in interactive mode
* Added only, exclude and canonical options to all repositories, see
repository priorities for details
* Added support for many new lib-* packages in the platform repository
and improved version detection for some ext-* and lib-* packages
* Added pre-operations-exec event to be fired before the packages get
installed/upgraded/removed
* Added pre-pool-create event to be fired before the package pool for
the dependency solver is created, which lets you modify the list
of packages going in
* Added post-file-download event to be fired after package dist files
are downloaded, which lets you do additional checks on the files
* Added --locked flag to show command to see the packages from the
composer.lock file
* Added --unused flag to remove command to make sure any packages
which are not needed anymore get removed
* Added --dry-run flag to require and remove commands
* Added --no-install flag to update, require and remove commands to
disable the install step and only do the update step (composer.lock
file update)
* Added an --ask flag to create-project command to make Composer prompt
for the install dir name, useful for project install instructions
* Added support for multiple --repository flags being passed into
the create-project command, only useful in combination with
--add-repository to persist them to composer.json
* Added --with-dependencies and --with-all-dependencies flag aliases
to require and remove commands for consistency with update
* Added shorthand aliases -w for --with-dependencies and -W for
--with-all-dependencies on update/require/remove commands
* Added more info to vendor/composer/installed.json, a dev key stores
whether dev requirements were installed, and every package now has
an install-path key with its install location
* Added COMPOSER_DISABLE_NETWORK which if set makes Composer do its
best to run offline. This can be useful when you have poor
connectivity or to do benchmarking without network jitter
* Added COMPOSER_DEBUG_EVENTS=1 env var support for plugin authors
to figure out which events are triggered when
* Added setCustomCacheKey to PreFileDownloadEvent and fixed a cache
bug for integrations changing the processed url of package archives
* Added Composer\Util\SyncHelper for plugin authors to deal with
async Promises more easily
* Added $composer->getLoop()->getHttpDownloader() to get access to
the main HttpDownloader instance in plugins
* Added --json and --merge flags to config command to allow editing
complex extra.* values by using json as input
* Added confirmation prompt when running Composer as superuser in
interactive mode
* Added --no-check-version to validate command to remove the warning
in case the version is defined
* Added --ignore-platform-req (without s) to all commands supporting
--ignore-platform-reqs, which accepts a package name so you can
ignore only specific platform requirements
* Added --no-dev support to show and outdated commands to skip dev
requirements
* Added --format=summary flag to license command
* Added a cache-read-only config option to make the cache usable in
read only mode for containers and such
* Added support for wildcards (*) in classmap autoloader paths
* Added support for configuring GitLab deploy tokens in addition to
private tokens, see gitlab-token
* Added support for package version guessing for require and init
command to take all platform packages into account, not just php
version
* Added support for tar in artifact repositories
* Added a non-zero exit code (2) and warning to remove command when
a package to be removed could not be removed
* Added --apcu-autoloader-prefix (or --apcu-prefix for dump-autoload
command) flag to let people use apcu autoloading in a deterministic
output way if that is needed
* Fixed package ordering when autoloading and especially when loading
plugins, to make sure dependencies are loaded before their dependents
* Fixed suggest output being very spammy, it now is only one line
long and shows more rarely
* Fixed conflict rules like e.g. >=5 from matching dev-master, as
it is not normalized to 9999999-dev internally anymore
* Fixed solver bug resulting in endless loops in some cases
* Lots of minor bug fixes and improvements
Reference in New Issue View Git Blame Copy Permalink