Accepting request 1324197 from server:php:applications

version update to 2.9.2

OBS-URL: https://build.opensuse.org/request/show/1324197
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/php-composer2?expand=0&rev=32

composer.phar

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8e8829ec2b97fcb05158236984bc252bef902e7b8ff65555a1eeda4ec13fb82b
-size 3125568
+oid sha256:471f2d857abf0ec18af7b055e61472214d91adb24f9bdbbb864c1c64faad7dd6
+size 3281618

php-composer2.changes

@@ -1,3 +1,90 @@
+-------------------------------------------------------------------
+Mon Dec 22 13:40:32 UTC 2025 - Petr Gajdos <pgajdos@suse.com>
+
+- version update to 2.9.2
+  * Added new --no-security-blocking flag to disable/configure security blocking (#12617)
+  * Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
+  * Fixed config command not being able to set the new audit settings (#12609)
+  * Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
+  * Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)
+- version update to 2.9.1
+  * Fixed regression in phpunit binary proxies (#12601)
+  * Fixed script handler autoloading issues (#12606)
+  * Fixed null call of Command::setDescription in some cases (#12605)
+  * Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)
+- version update to 2.9.0
+  * Bumped composer-plugin-api to 2.9.0
+  * Added automatic blocking of packages with security advisories from updates (#11956)
+  * Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
+  * Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
+  * Added audit > ignore-abandoned config setting to ignore some packages (#12572)
+  * Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
+  * Added repository command to add, remove, or update repositories more easily (#12388)
+  * Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
+  * Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
+  * Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
+  * Added support for forgejo / codeberg.org repositories (#12307)
+  * Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
+  * Added support for HTTP/3 if libcurl supports it (#12363)
+  * Added support for custom header authentication (#12372)
+  * Added support for client TLS certificates (#12406)
+  * Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
+  * Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
+  * Added support for running init without interaction (#12546)
+  * Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
+  * Added support for Windows Sudo to elevate during self-update (#12543)
+  * Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
+  * Fixed display of dist refs for dev versions when source is missing (#12562)
+  * Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
+  * Fixed compatibility issues with Symfony 7
+  * Fixed issues with PHP preloading being hard to debug (#12528)
+- version update to 2.9.0rc1
+  * Bumped composer-plugin-api to 2.9.0
+  * Added automatic blocking of packages with security advisories from updates (#11956)
+  * Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
+  * Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
+  * Added audit > ignore-abandoned config setting to ignore some packages (#12572)
+  * Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
+  * Added repository command to add, remove, or update repositories more easily (#12388)
+  * Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
+  * Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
+  * Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
+  * Added support for forgejo / codeberg.org repositories (#12307)
+  * Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
+  * Added support for HTTP/3 if libcurl supports it (#12363)
+  * Added support for custom header authentication (#12372)
+  * Added support for client TLS certificates (#12406)
+  * Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
+  * Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
+  * Added support for running init without interaction (#12546)
+  * Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
+  * Added support for Windows Sudo to elevate during self-update (#12543)
+  * Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
+  * Fixed display of dist refs for dev versions when source is missing (#12562)
+  * Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
+  * Fixed compatibility issues with Symfony 7
+  * Fixed issues with PHP preloading being hard to debug (#12528)
+
+-------------------------------------------------------------------
+Mon Oct  6 19:20:01 UTC 2025 - Ferdinand Thiessen <rpm@fthiessen.de>
+
+- version update to 2.8.12
+  * Fixed json schema issues with version validation
+  * Fixed support for Bitbucket API tokens
+  * Fixed handling of spaces in paths when using binaries
+  * Fixed config --global path resolution issue
+  * Reduced peak memory usage while loading packages
+  * Dropped react/promise 2.x support
+- version update to 2.8.11
+  * Fixed bump command handling
+  * Fixed psr-4 warnings being shown when using symlinked directories
+  * Fixed audit command failing hard if any advisory constraint was invalid 
+- version update to 2.8.10
+  * Fixed plugins appearing loaded despite not being loaded yet
+  * Fixed forward compatibility with Symfony 7.4
+  * Fixed deprecation warning on PHP 8.4 when platform check fails
+  * Fixed json schema issues with version validation
+
 -------------------------------------------------------------------
 Wed Jul  2 10:49:10 UTC 2025 - pgajdos@suse.com
 

php-composer2.spec

@@ -2,6 +2,7 @@
 # spec file for package php-composer2
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +18,7 @@
 
 
 Name:           php-composer2
-Version:        2.8.9
+Version:        2.9.2
 Release:        0
 Summary:        Dependency Management for PHP
 License:        MIT