Releases: composer/composer
2.6.4
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command (#11647)
- Fixed autoloader suffix to reuse the content-hash from lock file if available to make for more reproducible builds by default (#11663)
- Performance improvement in pool optimization step (#11638)
- Performance improvement in `show -a <packagename>` (#11659)
2.2.22
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
- Fixed handling of broken junctions on windows (#11550)
- Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
- Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
- Fixed support for plugin classes being marked as readonly (#11404)
- Fixed GitHub rate limit reporting (#11366)
- Fixed issue displaying solver problems with branch names containing `%` signs (#11359)
1.10.27
! Reminder: if you are still using Composer 1.x, please upgrade. See https://blog.packagist.com/deprecating-composer-1-support/
Changelog:
- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
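The advisory repeated in 2.6.4, 2.2.22 and 1.10.27 above only applies when three things hold at once: an unpatched composer.phar, reachable under the web root and executed as PHP by the web server, with register_argc_argv enabled for that SAPI. The POSIX shell script below is an added example, not Composer's own code, that checks what can be checked from local data for one host. It assumes the fixed versions listed in these notes (2.6.4, 2.2.22, 1.10.27; 2.3.x to 2.5.x received no fix), the "Composer version x.y.z ..." banner printed by `composer --version`, and PHP's documented built-in default of "1" for register_argc_argv when php.ini does not set it. The docroot and php.ini paths in the usage comment are hypothetical. Whether the server hands .phar files to the PHP handler is server configuration and is only flagged for manual review; nothing here attempts the exploit.

```shell
#!/bin/sh
# Added example (not Composer's own code): pre-flight checks for the conditions named in
# GHSA-jm6m-4632-36hf / CVE-2023-43655. Each helper tests one condition from local data.

# Fixed releases per the release notes: 2.6.4, 2.2.22 and 1.10.27.
# Assumption: plain x.y.z input; 2.3.x to 2.5.x never received a fix, so they count as unpatched.
composer_version_patched() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # drop any non-numeric suffix (assumption: treat as that patch level)
    [ -n "$patch" ] || patch=0
    case "$major" in
        1) [ "$minor" -gt 10 ] || { [ "$minor" -eq 10 ] && [ "$patch" -ge 27 ]; } ;;
        2) [ "$minor" -ge 7 ] ||
           { [ "$minor" -eq 6 ] && [ "$patch" -ge 4 ]; } ||
           { [ "$minor" -eq 2 ] && [ "$patch" -ge 22 ]; } ;;
        *) [ "$major" -gt 2 ] ;;
    esac
}

# Pull the version out of `composer --version` output, e.g.
# "Composer version 2.6.3 2023-09-19 11:47:58" -> "2.6.3". Prints nothing when it does not match.
composer_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*$/\1/p'
}

# Read php.ini text on stdin and decide whether register_argc_argv is enabled for that SAPI.
# Returns 0 for On/1/True/Yes, 1 for Off/0/False/No or an empty value. Lines commented out
# with ';' are ignored and the last active occurrence wins. Assumption: when the directive is
# absent, PHP's built-in default of "1" applies, so absence counts as enabled.
register_argc_argv_enabled() {
    line=$(grep -i '^[[:space:]]*register_argc_argv[[:space:]]*=' | tail -n 1)
    if [ -z "$line" ]; then
        val=1
    else
        val=$(printf '%s\n' "$line" \
              | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    fi
    case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# Return 0 if any composer.phar sits under DOCROOT (the "publicly accessible" condition).
composer_phar_in_docroot() {
    [ -n "$(find "$1" -name 'composer.phar' -print 2>/dev/null | head -n 1)" ]
}

# Usage: check_host DOCROOT PHP_INI [COMPOSER_BANNER]. Prints one line per condition and
# returns 0 only when every checkable condition holds, i.e. the host matches the advisory.
check_host() {
    docroot="$1"; ini="$2"; banner="${3:-$(composer --version 2>/dev/null || true)}"
    hits=0
    if composer_phar_in_docroot "$docroot"; then
        echo "composer.phar under $docroot: yes"; hits=$((hits+1))
    else
        echo "composer.phar under $docroot: no"
    fi
    if register_argc_argv_enabled < "$ini"; then
        echo "register_argc_argv in $ini: enabled"; hits=$((hits+1))
    else
        echo "register_argc_argv in $ini: disabled"
    fi
    ver=$(composer_version_from_banner "$banner")
    if [ -n "$ver" ] && composer_version_patched "$ver"; then
        echo "composer $ver: patched"
    else
        echo "composer ${ver:-unknown}: unpatched or unknown"; hits=$((hits+1))
    fi
    echo "verify manually: does the web server execute .phar files as PHP?"
    [ "$hits" -eq 3 ]
}

# Run directly with a docroot and the php.ini of the web SAPI (hypothetical paths), e.g.:
#   sh check.sh /var/www/html /etc/php/8.2/fpm/php.ini
if [ $# -ge 2 ]; then
    check_host "$1" "$2"
fi
```

Pass the php.ini that the web SAPI actually loads (php-fpm or mod_php), not the CLI one: the CLI SAPI always has register_argc_argv on, so `php -i` from a shell says nothing about the web server. A non-zero exit from `check_host` means at least one condition is not met; a zero exit means upgrade first and then move composer.phar out of the docroot regardless.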
2.6.3
- Added `audit.abandoned` config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
- Added a warning when duplicate `files` autoload rules are detected (#11109)
- Fixed unhandled promise rejection regression (#11620)
- Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
- Fixed `archive` command not producing the correct output if the temp dir is a symlink (#11636)
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
2.6.2
- Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent (#11562)" which caused a regression (#11617)
- Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands (#11616)
- Fixed `create-project` infinite post-install loop in some circumstances (#11613)
2.6.1
2.6.0
- Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
- Added `rm` alias to the `remove` command (#11367)
- Added runtime platform check to verify the php-64bit requirement is met (#11334)
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
- Added `--dry-run` to `dump-autoload` command to allow running `--strict-psr` checks without modifying the filesystem (#11608)
- Added support for `bump`ing patch level in `~1.2.3` constraints (#11590)
- Added prompt in `require` if the package name is not found but similar ones exist (#11284)
- Added support for env vars and `~` in repository paths for vcs and artifact repositories (#11453)
- Added support for local directory paths for repositories of type `composer` (#11526)
- Added links to package homepages in `why`/`why-not` command output (#11308)
- Added a `security` key to the `support` key of composer.json to set the URL to the vulnerability disclosure policy (#11271)
- Added support for gathering security advisories from multiple repositories for a single package (#11436)
- Bumped the `composer-plugin-api` version to `2.6.0`
- Fixed `install` exit code to be non-zero (5) if a requested security audit failed (#11362)
- Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent (#11562) (Reverted in 2.6.2)
- Fixed executability of non-php binaries which are not marked executable (#11557) (Reverted in 2.6.1)
- Fixed `mtime` modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen (#11593)
- Fixed `create-project` using the wrong composer.json file if one was set via the `COMPOSER` env var (#11493)
- Fixed json editing to preserve indentation when updating json files (#11390)
- Fixed handling of broken junctions on windows (#11550)
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
- Fixed svn repo parsing in some edge cases (#11350)
- Fixed handling of archive URLs without file extension (#11520)
- Performance improvement in pool optimization step (#11449, #11450)
2.5.8
- Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
- Fixed EventDispatcher on windows picking bat files when using `@php binary` (#11490)
- Fixed ICU CDLR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
- Fixed type declarations on ClassLoader (#11500)
2.5.7
2.5.6
- BC Warning: Installers and `InstallationManager::getInstallPath` will now return `null` instead of an empty string for metapackages' paths. This may have adverse effects on plugin code that uses this and always expects a string, but that is unlikely (#11455)
- Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
- Fixed lock file verification on `install` to deal better with `replace`/`provide` (#11475)
- Fixed lock file having a more recent modification time than the vendor dir when `require` guesses the constraint after resolution (#11405)
- Fixed numeric default branches with a `v` prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755)
- Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
- Fixed support for plugin classes being marked as `readonly` (#11404)
- Fixed `getmypid` being required as it is not always available (#11401)
- Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)