v2.6.4

Compare Source

• Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed json output of abandoned packages in audit command (#​11647)
  • Performance improvement in pool optimization step (#​11638)
  • Performance improvement in show -a <packagename> (#​11659)

v2.6.3

Compare Source

• Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future default in 2.7) to make the audit command report abandoned packages as a security problem (#​11639)
  • Added a warning when duplicates files autoload rules are detected (#​11109)
  • Fixed unhandled promise rejection regression (#​11620)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#​11632)
  • Fixed archive command not producing the correct output if the temp dir is a symlink (#​11636)
  • Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#​11629)

v2.6.2

Compare Source

• Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them, they are now more transparent (#​11562)" which caused a regression (#​11617)
  • Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit audits with require, create-project or update commands (#​11616)
  • Fixed create-project infinite post-install loop in some circumstances (#​11613)

v2.6.1

Compare Source

• Reverted "Fixed executability of non-php binaries which are not marked executable (#​11557)" which caused a regression (#​11612)

v2.6.0

Compare Source

• Added audit.ignore config setting to ignore security advisories by id or CVE id (#​11556, #​11605)
  • Added rm alias to the remove command (#​11367)
  • Added runtime platform check to verify the php-64bit requirement is met (#​11334)
  • Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#​11418)
  • Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying the filesystem (#​11608)
  • Added support for bumping patch level in ~1.2.3 constraints (#​11590)
  • Added prompt in require if the package name is not found but similar ones exist (#​11284)
  • Added support for env vars and ~ in repository paths for vcs and artifact repositories (#​11453)
  • Added support for local directory paths for repositories of type composer (#​11526)
  • Added links to package homepages in why/why-not command output (#​11308)
  • Added a security key to the support key of composer.json to set the URL to the vulnerability disclosure policy (#​11271)
  • Added support for gathering security advisories from multiple repositories for a single package (#​11436)
  • Fixed install exit code to be non-zero (5) if a requested security audit failed (#​11362)
  • ~~Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them, they are now more transparent (#​11562)~~ (Reverted in 2.6.2)
  • ~~Fixed executability of non-php binaries which are not marked executable (#​11557)~~ (Reverted in 2.6.1)
  • Fixed mtime modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen (#​11593)
  • Fixed create-project using the wrong composer.json file if one was set via the COMPOSER env var (#​11493)
  • Fixed json editing to preserve indentation when updating json files (#​11390)
  • Fixed handling of broken junctions on windows (#​11550)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#​11534)
  • Fixed svn repo parsing in some edge cases (#​11350)
  • Fixed handling of archive URLs without file extension (#​11520)
  • Performance improvement in pool optimization step (#​11449, #​11450)

v2.5.8

Compare Source

• Fixed regression in edge cases where root package gets added to a repository already during the install process (#​11495)
  • Fixed EventDispatcher on windows picking bat files when using "@​php binary" (#​11490)
  • Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#​11492)
  • Fixed type declarations on ClassLoader (#​11500)

v2.5.7

Compare Source

• Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#​11481)

v2.5.6

Compare Source

• BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#​11455)
  • Fixed metapackages showing their install path as the root package's path instead of empty (#​11455)
  • Fixed lock file verification on install to deal better with replace/provide (#​11475)
  • Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#​11405)
  • Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#​11454)
  • Fixed support for plugin classes being marked as readonly (#​11404)
  • Fixed getmypid being required as it is not always available (#​11401)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#​11464)

v2.5.5

Compare Source

• Fixed basic auth failures resulting in infinite retry loop (#​11320)
  • Fixed GitHub rate limit reporting (#​11366)
  • Fixed InstalledVersions error in Composer 1 compatibility edge case (#​11304)
  • Fixed issue displaying solver problems with branch names containing % signs (#​11359)
  • Fixed race condition in cache validity detection when running Composer highly concurrently (#​11375)
  • Fixed various minor config command issues (#​11353, #​11302)

v2.5.4

Compare Source

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#​11318)

v2.5.3

Compare Source

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#​11315)

v2.5.2

Compare Source

• Added warning when require auto-selects a feature branch as that is probably not desired (#​11270)
  • Fixed self.version requirements reporting lock file integrity errors when changing branches (#​11283)
  • Fixed require regression which broke the --fixed flag (#​11247)
  • Fixed security audit reports loading when exclude/only filter rules are used on a repository (#​11281)
  • Fixed autoloading regression on PHP 5.6 (#​11285)
  • Fixed archive command including an existing archive into itself if run repeatedly (#​11239)
  • Fixed dev package prompt in require not appearing in some conditions (#​11287)