* Fixed null call of Command::setDescription in some cases (#12605)
* Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)
- version update to 2.9.0
* Bumped composer-plugin-api to 2.9.0
* Added automatic blocking of packages with security advisories from updates (#11956)
* Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
* Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
* Added audit > ignore-abandoned config setting to ignore some packages (#12572)
* Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
* Added repository command to add, remove, or update repositories more easily (#12388)
* Updated repositories structure to contain a name attribute and to be stored preferably as a list instead of an object (#12388)
* Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
* Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
* Added support for forgejo / codeberg.org repositories (#12307)
* Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
* Added support for HTTP/3 if libcurl supports it (#12363)
* Added support for custom header authentication (#12372)
* Added support for client TLS certificates (#12406)
* Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
* Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
* Added support for running init without interaction (#12546)
* Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
* Added support for Windows Sudo to elevate during self-update (#12543)
* Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
* Fixed display of dist refs for dev versions when source is missing (#12562)
* Fixed abandoned warnings not being shown when a package is abandoned without a new release (#12423)
* Fixed compatibility issues with Symfony 7
* Fixed issues with PHP preloading being hard to debug (#12528)
- version update to 2.9.0rc1
* Bumped composer-plugin-api to 2.9.0
* Added automatic blocking of packages with security advisories from updates (#11956)
* Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
* Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
* Added audit > ignore-abandoned config setting to ignore some packages (#12572)
* Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
* Added repository command to add, remove, or update repositories more easily (#12388)
* Updated repositories structure to contain a name attribute and to be stored preferably as a list instead of an object (#12388)
* Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
* Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
* Added support for forgejo / codeberg.org repositories (#12307)
* Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
* Added support for HTTP/3 if libcurl supports it (#12363)
* Added support for custom header authentication (#12372)
* Added support for client TLS certificates (#12406)
* Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
* Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
* Added support for running init without interaction (#12546)
* Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
* Added support for Windows Sudo to elevate during self-update (#12543)
* Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
* Fixed display of dist refs for dev versions when source is missing (#12562)
* Fixed abandoned warnings not being shown when a package is abandoned without a new release (#12423)
* Fixed compatibility issues with Symfony 7
* Fixed issues with PHP preloading being hard to debug (#12528)
Thu Apr 17 08:07:49 UTC 2025 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 2.8.8
- Fixed json schema issues with version validation
- Fixed issues running on 32bit machines
- Update to version 2.8.7
- Added COMPOSER_MAX_PARALLEL_PROCESS env var to control max amount of parallel processes Composer will start
- Added zstd/brotli presence in diagnose command output
- Fixed error handler to avoid spamming deprecation notices
- Fixed InstalledVersions returning duplicate data at Composer runtime
- Fixed handling of --with ... constraints to make them apply to packages replaced a package with a different name
- Fixed deprecation warnings showing up in IDE code inspections within the vendor dir
- Fixed a few json schema completeness issues
- Fixed issue autoloading files with a .phar inside the path
- Update to version 2.8.6
- Added COMPOSER_WITH_DEPENDENCIES and COMPOSER_WITH_ALL_DEPENDENCIES env vars to enable the --with[-all]-dependencies flags
- Added COMPOSER_SKIP_SCRIPTS env var to tell Composer to skip certain script handlers by script names (comma separated)
- Fixed handling of backslash in folder names when creating archives
- Fixed detection of containerd for containers to avoid warning about root usage
- Update to version 2.8.5
- Fixed InstalledVersions regression from 2.8.4 when reload() is used
- Fixed psr-0/psr-4 rules having unstable order in vendor/composer/autoload*.php
- Fixed a few warnings happening incorrectly in edge cases
- Update to version 2.8.4
- Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both)
- Fixed issue on plugin upgrade when it defines multiple classes
- Fixed duplicate errors appearing in the output depending on php settings
- Fixed InstalledVersions returning duplicate data in some instances
- Fixed installed.php sorting to be deterministic
- Fixed bump-after-update failing when using inline constraints
- Fixed create-project command to now disable symlinking when used with a path repo as argument
- Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant
- Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as a standard part of your build is probably a terrible idea anyway
- Fixed curl usage to disable multiplexing on broken versions when proxies are in use
- Update to version 2.8.3
- Fixed react/promise requirement to allow 2.x installs again
- Fixed some issues when lock:false is set in require and bump commands
- Update to version 2.8.2
- Fixed crash while suggesting providers if they have no description
- Fixed issues creating lock files violating the schema in some circumstances
- Fixed create-project regression in 2.8.1 when using path repos with relative paths
- Fixed ctrl-C aborts not working inside text prompts
- Fixed git failing silently when git cannot read a repo due to ownership violations
- Fixed handling of signals in non-PHP binaries run via proxies
- Update to version 2.8.1
- Fixed init command regression when no license is provided
- Fixed --strict-ambiguous flag handling where it sometimes did not report all issues
- Fixed create-project to inherit the target folder's permissions for installed project files
- Fixed a few cases where the prompt for using a parent dir's composer.json fails to work correctly
- Update to version 2.8.0
- BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes
- Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer
- Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting
- Added --ignore-severity flag to the audit command to ignore one or more advisory severities
- Added --bump-after-update flag to the update command to run bump after the update is done
- Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs
- Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies
- Added a JSON schema for the composer.lock file
- Added better support for Bitbucket app passwords when cloning repos / installing from source
- Added --type flag to filter packages by type(s) in the reinstall command
- Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found
- Added warning in dump-autoload when vendor files have been deleted
- Added warnings for each missing platform package when running create-project to avoid having to run it again and again
- Added sorting of packages in allow-plugins when sort-packages is enabled
- Added suggestion of provider packages / polyfills when an ext or lib package is missing
- Improved interactive package update selection by first outputting all packages and their possible updates
- Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way
- Fixed PHP 8.4 deprecation warnings about E_STRICT
- Fixed init command to validate the given license identifier
- Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches
- Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0
- Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs
- Fixed php://stdin potentially being open several times when running Composer programmatically
- Fixed handling of platform packages in why-not command and partial updates
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
Fixed perforce argument escaping (3773f775)
Fixed handling of zip bombs when extracting archives (de5f7e32)
Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)
2.7.6 2024-05-04
Fixed regression when script handlers add an autoloader which uses a private callback (#11960)
2.7.5 2024-05-03
Added uninstall alias to remove command (#11951)
Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
Fixed root usage warnings showing up within Podman containers (#11946)
Fixed config command not handling objects correctly in some conditions (#11945)
Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)
2.7.4 2024-04-22
Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in a pre-2.7.3 version (#11943, #11940)
2.7.3 2024-04-19
BC Warning: Fixed https_proxy env var falling back to http_proxy's value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
Fixed show and outdated commands to remove leading v in e.g. v1.2.3 when showing lists of packages (#11925)
Fixed audit command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
Fixed the warning about a missing default version showing for packages with project type as those are typically not versioned and do not have cyclic dependencies (#11885)
Fixed PHP 8.4 deprecation warnings
Fixed clear-cache command to respect the config.cache-dir setting from the local composer.json (#11921)
Fixed status command not handling failed download/install promises correctly (#11889)
Added support for buy_me_a_coffee in GitHub funding files (#11902)
Added hg support for SSH urls (#11878)
Fixed some env vars with an integer value causing a crash (#11908)
Fixed context data not being output when using IOInterface as a PSR-3 logger (#11882)
2.7.2 2024-03-11
Added info about the PHP version when running composer --version (#11866)
Added warning when the root version cannot be detected (#11858)
Fixed plugins still being enabled in a few contexts when running as root (c3efff91f)
Fixed outdated --ignore ... still attempting to load the latest version of the ignored packages (#11863)
Fixed handling of broken symlinks in the middle of an install path (#11864)
Fixed update --lock still incorrectly updating some metadata (#11850, #11787)
2.7.1 2024-02-09
Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
Fixed diagnose auditing of Composer dependencies failing when running from the phar
Thu Jul 27 10:13:04 UTC 2023 - Ish Sookun <ish@hacklog.in>
- Update to version 2.5.8
* Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
* Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
* Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
* Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
* Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
* BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code that expects this to always be a string, but that is unlikely (#11455)
* Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
* Fixed lock file verification on install to deal better with replace/provide (#11475)
* Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
* Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
* Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
* Fixed support for plugin classes being marked as readonly (#11404)
* Fixed getmypid being required as it is not always available (#11401)
* Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
Wed Dec 21 12:31:32 UTC 2022 - Yunhe Guo <i@guoyunhe.me>
- Update to version 2.5.0
* BC Warning: To prevent abuse of our includeFile() function it is now gone, it was not part of the official API but may still cause issues if some code incorrectly relied on it (#11015)
* Improved version guessing of `require` command to use the dependency resolution result instead of using the latest available version (except if you run with --no-update) (#11160)
* Improved version selection in `archive` command (#11230)
* Added autocompletion of config option names in the `config` command (#11130)
* Added support for writing [custom commands as Command classes](https://getcomposer.org/doc/articles/scripts.md#writing-custom-commands) (#11151)
* Added hard failure when installing from a lock file which does not satisfy the composer.json requirements (#11195)
* Added warning when the outdated command rejects a new package due to unmet platform requirements (#11113)
* Added support for `bump` command to bump `>=x` to `>=installed-version` (#11179)
* Added `--download-only` flag to `install` command to only download and prime the cache with the package archives (#11041)
* Added autoconfiguration of `github-domains`/`gitlab-domains` when GitHub/GitLab credentials are configured for a custom domain (#11062)
* Added hard failure (throw) if COMPOSER_AUTH is present and contains malformed JSON (#11085)
* Added interactive prompt to `run-script` and `exec` commands if run without any argument (#11157)
* Added interactive prompt where to store credentials when a project-local auth.json exists (#11188)
* Fixed full disk warning to be shown when less than 100MiB is available (#11190)
* Fixed cache keys to allow `_` to avoid conflicts between package names like `a-b` and `a_b` (#11229)
* Fixed docker compatibility by making paths more portable even if the project is installed at `/` (#11169)