2.7.1
* Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
* Fixed diagnose auditing of Composer dependencies failing when running from the phar
2.7.0
* Security: Fixed code execution and possible privilege escalation via compromised
vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
* Changed the default of the audit.abandoned config setting to fail, set it to report or
ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
* Added --minimal-changes (-m) flag to update/require/remove commands to perform
partial update with --with-dependencies while changing only what is absolutely
necessary in transitive dependencies (#11665)
* Added --sort-by-age (-A) flag to outdated/show commands to allow
sorting by and displaying the release date (most outdated first) (#11762)
* Added support for --self combined with --installed or --locked in show command, to
add the root package to the package list being output (#11785)
* Added severity information to audit command output (#11702)
* Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
* Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force
IPv4 or IPv6, set it to 4 or 6 (#11791)
* Added support for wildcards in outdated's --ignore arg (#11831)
* Added support for bump command bumping * to >=current version (#11694)
* Added detection of constraints that cannot possibly match anything to validate command (#11829)
* Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
* Added audit of Composer's own bundled dependencies in diagnose command (#11761)
* Added GitHub token expiration date to diagnose command output (#11688)
* Added non-zero status code to why/why-not commands (#11796)
* Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
* Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
* Fixed bump command not bumping packages required with a v prefix (#11764)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=46
- version update to 2.6.4
* 2.6.4 2023-09-29 [bsc#1215859]
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,
executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command (#11647)
- Performance improvement in pool optimization step (#11638)
- Performance improvement in show -a <packagename> (#11659)
* 2.6.3 2023-09-15
- Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future
default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
- Added a warning when duplicates files autoload rules are detected (#11109)
- Fixed unhandled promise rejection regression (#11620)
- Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
- Fixed archive command not producing the correct output if the temp dir is a symlink (#11636)
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
* 2.6.2 2023-09-03
- Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them,
they are now more transparent (#11562)" which caused a regression (#11617)
- Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit
audits with require, create-project or update commands (#11616)
- Fixed create-project infinite post-install loop in some circumstances (#11613)
* 2.6.1 2023-09-01
- Reverted "Fixed executability of non-php binaries which are not marked executable (#11557)" which
caused a regression (#11612)
* 2.6.0 2023-09-01
- Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
- Added rm alias to the remove command (#11367)
- Added runtime platform check to verify the php-64bit requirement is met (#11334)
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
- Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying
OBS-URL: https://build.opensuse.org/request/show/1114790
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=42
- Update to version 2.5.8
* Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
* Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
* Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
* Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
* Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
* BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
* Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
* Fixed lock file verification on install to deal better with replace/provide (#11475)
* Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
* Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
* Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
* Fixed support for plugin classes being marked as readonly (#11404)
* Fixed getmypid being required as it is not always available (#11401)
* Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
OBS-URL: https://build.opensuse.org/request/show/1101051
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=38
* Added warning when `require` auto-selects a feature branch as that is probably not desired (#11270)
* Fixed `self.version` requirements reporting lock file integrity errors when changing branches (#11283)
* Fixed `require` regression which broke the --fixed flag (#11247)
* Fixed security audit reports loading when exclude/only filter rules are used on a repository (#11281)
* Fixed autoloading regression on PHP 5.6 (#11285)
* Fixed archive command including an existing archive into itself if run repeatedly (#11239)
* Fixed dev package prompt in `require` not appearing in some conditions (#11287)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=32
* BC Warning: To prevent abuse of our includeFile() function it is now gone, it was not part of the official API but may still cause issues if some code incorrectly relied on it (#11015)
* Improved version guessing of `require` command to use the dependency resolution result instead of using the latest available version (except if you run with --no-update) (#11160)
* Improved version selection in `archive` command (#11230)
* Added autocompletion of config option names in the `config` command (#11130)
* Added support for writing [custom commands as Command classes](https://getcomposer.org/doc/articles/scripts.md#writing-custom-commands) (#11151)
* Added hard failure when installing from a lock file which does not satisfy the composer.json requirements (#11195)
* Added warning when the outdated command rejects a new package due to unmet platform requirements (#11113)
* Added support for `bump` command to bump `>=x` to `>=installed-version` (#11179)
* Added `--download-only` flag to `install` command to only download and prime the cache with the package archives (#11041)
* Added autoconfiguration of `github-domains`/`gitlab-domains` when GitHub/GitLab credentials are configured for a custom domain (#11062)
* Added hard failure (throw) if COMPOSER_AUTH is present and malformed JSON (#11085)
* Added interactive prompt to `run-script` and `exec` commands if run without any argument (#11157)
* Added interactive prompt where to store credentials when a project-local auth.json exists (#11188)
* Fixed full disk warning to be shown when less than 100MiB is available (#11190)
* Fixed cache keys to allow `_` to avoid conflicts between package names like `a-b` and `a_b` (#11229)
* Fixed docker compatibility by making paths more portable even if the project is installed at `/` (#11169)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=29
* Added extra debug output when a zip extraction fails while on
GitHub Actions (#11148)
* Fixed cache write failures when the cache dir gets removed during
a composer run (#11076)
* Fixed 2.4.3 regression in loading Composer on SMB/network shares
(#11077)
* Fixed --dry-run flag missing from bump command (#11047)
* Fixed status command reporting differences when the source ref is
a tag (#11155)
* Fixed outdated command outputting legend on stdout instead of stderr
* Fixed URL sanitizer to handle new GitHub personal access tokens
format (#11137)
- Update to version 2.4.3
* BC Break: The json format of audit command now has reportedAt as an
RFC3339 string instead of an object which was a mistake (#11120)
* Fixed json format of audit command which was missing affectedVersions
(#11120)
* Fixed plugin commands not being loaded during bash completions
(#11074)
* Fixed parsing of inline aliases within complex constraints with
|| or , (#11086)
* Fixed min-php version check in autoload.php to avoid crashing sites
running on PHP 5.5 or below silently with a 200 (#11091)
* Fixed JsonFile reading files without checking if they are readable
first (#11077)
* Fixed require command with --dry-run failing when requiring a package
requiring stability flag extraction (#11112)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=27
* Fixed bash completion hanging when running as root without
COMPOSER_ALLOW_SUPERUSER set (#11024)
* Fixed handling of plugin activation when running as root without
COMPOSER_ALLOW_SUPERUSER set so it always happens after prompting,
or does not happen if input is non-interactive
* Fixed package filter on bump command (#11053)
* Fixed handling of --ignore-platform-req with upper-bound ignores
to not apply to conflict rules (#11037)
* Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0
* Fixed handling of zero-major versions in outdated command with
--major-only (#11032)
* Fixed show --platform regression since 2.4.0 when running in a
directory without composer.json (#11046)
* Fixed a few strict type errors
- Update to version 2.4.1
* Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit
flag in CI (#10998)
* Fixed show command showing packages in two sections, this was only
meant for the outdated command (#11000)
* Fixed local git repos being copied to cache unnecessarily (#11001)
* Fixed git cache invalidation issue when a git tag gets created after
the cache has loaded a given reference (#11004)
- Update to version 2.4.0
* Added bash completions for Composer commands, package names, etc
(see how to setup) (#10320)
* Added bump command to bump requirements to the currently installed
version (#10829)
* Added audit command to check for known security vulnerabilities in
installed packages (#10798, #10898)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=25
* Fixed plugins from CWD/vendor being loaded in some cases like
create-project or validate even though the target directory is
outside of CWD (#10935)
* Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo)
plugins which will not warn/error anymore if not in allow-plugins,
as they are anyway not loaded (#10928)
* Fixed pre-install check for allowed plugins not taking --no-plugins
into account (#10925)
* Fixed support for disable_functions containing disk_free_space
(#10936)
* Fixed RootPackageRepository usages to always clone the root package
to avoid interoperability issues with plugins (#10940)
- Update to version 2.3.9
* Fixed non-interactive behavior of allow-plugins to throw instead
of continue with a warning to avoid broken installs (#10920)
* Fixed allow-plugins BC mode to ensure old lock files created pre-2.2
can be installed with only a warning but plugins fully loaded (#10920)
* Fixed deprecation notice (#10921)
* Fixed type errors (#10924)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=23
* Fixed a few PHPStan ConfigReturnTypeExtension bugs
* Fixed Config default for auth configs to be empty arrays instead
of null, fixes issues with diagnose command (#10814)
* Fixed handling of broken symlinks when checking whether a package
is still installed (#6708)
* Fixed bin proxies to allow a proxy to include another one safely
(#10823)
* Fixed openssl 3.x version parsing as it is now semver compliant
* Fixed type error when a json file cannot be read (#10818)
* Fixed parsing of multi-line arrays in funding.yml (#10784)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=19
* Added Composer\PHPStan\ConfigReturnTypeExtension to improve return
types of Config::get() which you can also use in plugins CI (#10635)
* Fixed name validation regex in schema causing issues with JS IDEs
like VS Code (#10811)
* Fixed unnecessary HTTP request in BitbucketDriver (#10729)
* Fixed invalid credentials loop when setting up GitLab token (#10748)
* Fixed PHP 8.2 deprecations (#10766)
* Fixed lock file changes being output even when the lock file creation
is disabled
* Fixed race condition when multiple requests asking for auth on the
same hostname fired concurrently (#10763)
* Fixed quoting of commas on Windows (#10775)
* Fixed issue installing path repos with a disabled symlink function
(#10786)
* Fixed various type errors (#10753, #10739, #10751)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=17
* Added --2.2 flag to `self-update` to pin the Composer version to
the 2.2 LTS range (#10682)
* Added missing config.bitbucket-oauth in composer-schema.json
* Fixed type errors in SvnDriver (#10681)
* Fixed --version output to match the pre-2.3 one (#10684)
* Fixed config/auth.json files not being validated against the
composer-schema.json (#10685)
* Fixed generation of autoload crashing if a package has a broken
path (#10688)
* Fixed GitDriver state issue when reusing old cache dirs and the
default branch was renamed (#10687)
* Updated semver, jsonlint deps for minor fixes
* Removed dev-master=>dev-main alias from #10372 as it does not
work when reloading from lock file and extracting dev deps (#10651)
- Update to version 2.3.2
* Fixed type error when running `exec` command (#10672)
* Fixed endless loop in plugin activation prompt when input is not
fully interactive yet appears to be (#10648)
* Fixed type error in ComposerRepository (#10675)
* Fixed issues loading platform packages where the version of a
library cannot be established (#10631)
- Update to version 2.3.1
* Fixed type error when HOME env var is not set (#10670)
- Update to version 2.3.0
* Fixed many strict types errors (#10646, #10642, #10647, #10658,
#10656, #10665, #10660, #10663, #10662)
* Fixed invalid return value in ComposerRepository::findPackage
(#10622)
* Fixed many `show` command issues due to a flipped condition
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=13
- Update to version 2.2.7
* Fixed support for packages with no licenses in licenses
command output
* Fixed handling of allow-plugins: false which kept warning
* Fixed enum parsing in classmap generation when the enum keyword
is not lowercased
* Fixed author parsing in init command requiring an email whereas
the schema allows a name only
* Fixed issues in require command when requiring packages which
do not exist (but are provided by something else you require)
* Performance improvement in pool optimization step
OBS-URL: https://build.opensuse.org/request/show/957604
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=12
* BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for
binaries added in Composer 2.2.2 had to be renamed to
COMPOSER_RUNTIME_BIN_DIR (#10512)
* Fixed enum parsing in classmap generation with syntax like enum
foo:string without space after : (#10498)
* Fixed package search not urlencoding the input (#10500)
* Fixed reinstall command not firing pre-install-cmd/post-install-cmd
events (#10514)
* Fixed edge case in path repositories where a symlink: true option
would be ignored on old Windows and old PHP combos (#10482)
* Fixed test suite compatibility with latest symfony/console
releases (#10499)
* Fixed some error reporting edge cases (#10484, #10451, #10493)
- Update to version 2.2.5
* Disabled composer/package-versions-deprecated by default as it
can function using Composer\InstalledVersions at runtime (#10458)
* Fixed artifact repositories crashing if a phar file was present
in the directory (#10406)
* Fixed binary proxy issue on PHP <8 when fseek is used on the
proxied binary path (#10468)
* Fixed handling of non-string versions in package repositories
metadata (#10470)
- Update to version 2.2.4
* Fixed handling of process timeout when running async processes
during installation
* Fixed GitLab API handling when projects have a repository
disabled (#10440)
* Fixed reading of environment variables (e.g. APPDATA) containing
unicode characters to workaround a PHP bug on Windows (#10434)
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=11
- version update to 2.2.3
2.2.3 2021-12-31
* Fixed issue with PHPUnit and process isolation now including PHPUnit
<6.5 (#10387)
* Fixed interoperability issue with laminas/laminas-zendframework-bridge
and Composer 2.2 (#10401)
* Fixed binary proxies for shell scripts to work correctly when they are
symlinked (jakzal/phpqa#336)
* Fixed overly greedy pool optimization in cases where a locked package
is not required by anything anymore in a partial update (#10405)
2.2.2 2021-12-29
* Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing
the path to the bin-dir for binaries. Packages relying on finding the
bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
* Fixed issue when new binary proxies are combined with PHPUnit and process
isolation (#10387)
* Fixed deprecation warnings when using Symfony 5.4+ and requiring
composer/composer itself (#10404)
* Fixed UX of plugin warnings (#10381)
2.2.1 2021-12-22
* Fixed plugin autoloading including files autoload rules from the root
package (#10382)
* Fixed issue parsing php files with unterminated comments found inside
backticks (#10385)
2.2.0 2021-12-22
* Added support for using dev-main as the default path repo package
version if no VCS info is available (#10372)
* Added --no-scripts as a globally supported flag to all Composer commands
to disable scripts execution (#10371)
* Fixed self-update failing in some edge cases due to loading plugins
OBS-URL: https://build.opensuse.org/request/show/944504
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=8
- Obsoletes php-composer (version 1.x)
- Update to 2.1.12
* Fixed issues in proxied binary files relying on __FILE__ / __DIR__
on php <8 (#10261)
* Fixed 9999999-dev being shown in some cases by the show command (#10260)
* Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)
- Update to 2.1.11
* Fixed issues in proxied binary files when using declare() on php <8 (#10249)
* Fixed GitHub Actions output escaping issues (#10243)
- Update to 2.1.10
* Added type annotations to all classes, which may have an effect on
CI/static analysis for people using Composer as a dependency (#10159)
* Fixed CurlDownloader requesting gzip encoding even when no gzip
support is present (#10153)
* Fixed regression in 2.1.6 where the help command was not working for
plugin commands (#10147)
* Fixed warning showing when an invalid cache dir is configured but
unused (#10125)
* Fixed require command reverting changes even though dependency
resolution succeeded when something fails in scripts for example (#10118)
* Fixed require not finding the right package version when some newly
required extension is missing from the system (#10167)
* Fixed proxied binary file issues, now using output buffering (e1dbd65)
* Fixed and improved error reporting in several edge cases (#9804,
#10136, #10163, #10224, #10209)
* Fixed some more Windows CLI parameter escaping edge cases
- Update to 2.1.9
* Security: Fixed command injection vulnerability on Windows
(GHSA-frqg-7g38-6gcf / CVE-2021-41116)
* Fixed classmap parsing with a new class parser which does not rely
on regexes anymore (#10107)
* Fixed inline git credentials showing up in output in some conditions
(#10115)
* Fixed support for running updates while offline as long as the
cache contains enough information (#10116)
* Fixed show --all foo/bar which as of 2.0.0 was not showing all
versions anymore but only the installed one (#10095)
* Fixed VCS repos ignoring some versions silently when the API rate
limit is reached (#10132)
* Fixed CA bundle to remove the expired Let's Encrypt root CA
OBS-URL: https://build.opensuse.org/request/show/930658
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=6
- Update to 2.1.8
Fixed regression in 2.1.7 when parsing classmaps in files containing
invalid Unicode (gh#composer/composer#10102)
- Update to 2.1.7
* Added many type annotations internally, which may have an effect on
CI/static analysis for people using Composer as a dependency. This work will
continue in following releases
* Fixed regression in 2.1.6 when parsing classmaps with empty heredocs
(gh#composer/composer#10067)
* Fixed regression in 2.1.6 where list command was not showing plugin
commands (gh#composer/composer#10075)
* Fixed issue handling package updates where the package type changed
(gh#composer/composer#10076)
* Fixed docker being detected as WSL when run inside WSL
(gh#composer/composer#10094)
- Update to 2.1.6
* Updated internal PHAR signatures to be SHA512 instead of SHA1
* Fixed uncaught exception handler regression (gh#composer/composer#10022)
* Fixed more PHP 8.1 deprecation warnings
(gh#composer/composer#10036, gh#composer/composer#10038,
gh#composer/composer#10061)
* Fixed corrupted zips in the cache from blocking installs until a cache
clear, the bad archives are now deleted automatically on first failure
(gh#composer/composer#10028)
* Fixed URL sanitizer handling of new github tokens (gh#composer/composer#10048)
* Fixed issue finding classes with very long heredocs in classmap
autoload (gh#composer/composer#10050)
* Fixed proc_open being required for simple installs from zip, as well as
diagnose (gh#composer/composer#9253)
* Fixed path repository bug causing symlinks to be left behind after a
package is uninstalled (gh#composer/composer#10023)
* Fixed issue in 7-zip support on windows with certain archives
(gh#composer/composer#10058)
* Fixed bootstrapping process to avoid loading the composer.json and
plugins until necessary, speeding things up slightly (gh#composer/composer#10064)
* Fixed lib-openssl detection on FreeBSD (gh#composer/composer#10046)
* Fixed support for ircs:// protocol for support.irc composer.json entries
OBS-URL: https://build.opensuse.org/request/show/919162
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/php-composer2?expand=0&rev=3
