Revisions of php-composer2

Ana Guerrero (anag+factory) accepted request 1179900 from Petr Gajdos (pgajdos) (revision 27)
- version update to 2.7.7
  2.7.7 2024-06-10
    Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
    Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
    Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
    Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
    Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
    Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
    Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
    Fixed perforce argument escaping (3773f775)
    Fixed handling of zip bombs when extracting archives (de5f7e32)
    Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
    Fixed ability for config command to remove autoload keys (#11967)
    Fixed empty type support in init command (#11999)
    Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
    Fixed regression showing network errors on PHP <8.1 (#11974)
    Fixed some color bleed from a few warnings (#11972)
  2.7.6 2024-05-04
    Fixed regression when script handlers add an autoloader which uses a private callback (#11960)
  2.7.5 2024-05-03
    Added uninstall alias to remove command (#11951)
    Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
    Fixed root usage warnings showing up within Podman containers (#11946)
    Fixed config command not handling objects correctly in some conditions (#11945)
    Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
    Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
    Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)
  2.7.4 2024-04-22
    Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in a pre-2.7.3 version (#11943, #11940)
  2.7.3 2024-04-19
Ana Guerrero (anag+factory) accepted request 1149085 from Petr Gajdos (pgajdos) (revision 26)
- Updated composer2.phar to match upstream's sha256 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0 (forwarded request 1148935 from comrad)
Ana Guerrero (anag+factory) accepted request 1146367 from Petr Gajdos (pgajdos) (revision 25)
- version update to 2.7.1 [bsc#1219757] CVE-2024-24821
  2.7.1
  * Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
  * Fixed diagnose auditing of Composer dependencies failing when running from the phar
  2.7.0
  * Security: Fixed code execution and possible privilege escalation via compromised
    vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
  * Changed the default of the audit.abandoned config setting to fail, set it to report or
    ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
  * Added --minimal-changes (-m) flag to update/require/remove commands to perform
    partial update with --with-dependencies while changing only what is absolutely
    necessary in transitive dependencies (#11665)
  * Added --sort-by-age (-A) flag to outdated/show commands to allow
    sorting by and displaying the release date (most outdated first) (#11762)
  * Added support for --self combined with --installed or --locked in show command, to
    add the root package to the package list being output (#11785)
  * Added severity information to audit command output (#11702)
  * Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
  * Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force
    IPv4 or IPv6, set it to 4 or 6 (#11791)
  * Added support for wildcards in outdated's --ignore arg (#11831)
  * Added support for bump command bumping * to >=current version (#11694)
  * Added detection of constraints that cannot possibly match anything to validate command (#11829)
  * Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
  * Added audit of Composer's own bundled dependencies in diagnose command (#11761)
  * Added GitHub token expiration date to diagnose command output (#11688)
  * Added non-zero status code to why/why-not commands (#11796)
  * Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
  * Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
  * Fixed bump command not bumping packages required with a v prefix (#11764)
Ana Guerrero (anag+factory) accepted request 1117489 from Petr Gajdos (pgajdos) (revision 24)
Updates php-composer to version 2.6.5. (forwarded request 1117487 from Ishwon)
Ana Guerrero (anag+factory) accepted request 1114950 from Petr Gajdos (pgajdos) (revision 23)
- version update to 2.6.4
  * 2.6.4 2023-09-29 [bsc#1215859]
    - Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,
      executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
    - Fixed json output of abandoned packages in audit command (#11647)
    - Performance improvement in pool optimization step (#11638)
    - Performance improvement in show -a <packagename> (#11659)
  * 2.6.3 2023-09-15
    - Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future
      default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
    - Added a warning when duplicate files autoload rules are detected (#11109)
    - Fixed unhandled promise rejection regression (#11620)
    - Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
    - Fixed archive command not producing the correct output if the temp dir is a symlink (#11636)
    - Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
  * 2.6.2 2023-09-03
    - Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them,
      they are now more transparent (#11562)" which caused a regression (#11617)
    - Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit
      audits with require, create-project or update commands (#11616)
    - Fixed create-project infinite post-install loop in some circumstances (#11613)
  * 2.6.1 2023-09-01
    - Reverted "Fixed executability of non-php binaries which are not marked executable (#11557)" which
      caused a regression (#11612)
  * 2.6.0 2023-09-01
    - Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
    - Added rm alias to the remove command (#11367)
    - Added runtime platform check to verify the php-64bit requirement is met (#11334)
    - Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
    - Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying (forwarded request 1114790 from pgajdos)
Ana Guerrero (anag+factory) accepted request 1105263 from Petr Gajdos (pgajdos) (revision 21)
- Update to version 2.5.8
  * Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
  * Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
  * Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
  * Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
  * Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
  * BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
  * Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
  * Fixed lock file verification on install to deal better with replace/provide (#11475)
  * Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
  * Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
  * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  * Fixed support for plugin classes being marked as readonly (#11404)
  * Fixed getmypid being required as it is not always available (#11401)
  * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464) (forwarded request 1101051 from Ishwon)
Dominique Leuenberger (dimstar_suse) accepted request 1075002 from Factory Maintainer (factory-maintainer) (revision 20)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1067188 from Factory Maintainer (factory-maintainer) (revision 19)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1064394 from Factory Maintainer (factory-maintainer) (revision 18)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1045982 from Factory Maintainer (factory-maintainer) (revision 17)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 1033851 from Yunhe Guo (guoyunhe) (revision 16)
- Update to version 2.4.4
  * Added extra debug output when a zip extraction fails while on
    GitHub Actions (#11148)
  * Fixed cache write failures when the cache dir gets removed during
    a composer run (#11076)
  * Fixed 2.4.3 regression in loading Composer on SMB/network shares
    (#11077)
  * Fixed --dry-run flag missing from bump command (#11047)
  * Fixed status command reporting differences when the source ref is
    a tag (#11155)
  * Fixed outdated command outputting legend on stdout instead of stderr
  * Fixed URL sanitizer to handle new GitHub personal access tokens
    format (#11137)
- Update to version 2.4.3
  * BC Break: The json format of audit command now has reportedAt as an
    RFC3339 string instead of an object which was a mistake (#11120)
  * Fixed json format of audit command which was missing affectedVersions
    (#11120)
  * Fixed plugin commands not being loaded during bash completions
    (#11074)
  * Fixed parsing of inline aliases within complex constraints with
    || or , (#11086)
  * Fixed min-php version check in autoload.php to avoid crashing sites
    running on PHP 5.5 or below silently with a 200 (#11091)
  * Fixed JsonFile reading files without checking if they are readable
    first (#11077)
  * Fixed require command with --dry-run failing when requiring a package
    requiring stability flag extraction (#11112)
Dominique Leuenberger (dimstar_suse) accepted request 1007510 from Factory Maintainer (factory-maintainer) (revision 15)
Automatic submission by obs-autosubmit
Richard Brown (RBrownFactory) accepted request 990767 from Factory Maintainer (factory-maintainer) (revision 14)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 986327 from Yunhe Guo (guoyunhe) (revision 13)
- Update to version 2.3.8
  * Fixed support for cache-read-only where the filesystem is not writable (#10906)
  * Fixed type error when using allow-plugins: true (#10909)
  * Fixed @putenv scripts receiving arguments passed to the command (#10846)
  * Fixed support for spaces in paths with binary proxies on Windows (#10836)
  * Fixed type error in GitDownloader if branches cannot be listed (#10888)
  * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
  * Fixed type errors (#10904, #10897)
Dominique Leuenberger (dimstar_suse) accepted request 983561 from Factory Maintainer (factory-maintainer) (revision 12)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 981493 from Илья Индиго (13ilya) (revision 11)
- Update to version 2.3.6
  * Added Composer\PHPStan\ConfigReturnTypeExtension to improve return
    types of Config::get() which you can also use in plugins CI (#10635)
  * Fixed name validation regex in schema causing issues with JS IDEs
    like VS Code (#10811)
  * Fixed unnecessary HTTP request in BitbucketDriver (#10729)
  * Fixed invalid credentials loop when setting up GitLab token (#10748)
  * Fixed PHP 8.2 deprecations (#10766)
  * Fixed lock file changes being output even when the lock file creation
    is disabled
  * Fixed race condition when multiple requests asking for auth on the
    same hostname fired concurrently (#10763)
  * Fixed quoting of commas on Windows (#10775)
  * Fixed issue installing path repos with a disabled symlink function
    (#10786)
  * Fixed various type errors (#10753, #10739, #10751)
Dominique Leuenberger (dimstar_suse) accepted request 975329 from Petr Gajdos (pgajdos) (revision 10)
Update to version 2.3.5 for CVE-2022-24828 (forwarded request 975231 from susnux)
Dominique Leuenberger (dimstar_suse) accepted request 968123 from Factory Maintainer (factory-maintainer) (revision 9)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse) accepted request 957971 from Petr Gajdos (pgajdos) (revision 8)
- Update to version 2.2.7
  * Fixed support for packages with no licenses in licenses
    command output
  * Fixed handling of allow-plugins: false which kept warning
  * Fixed enum parsing in classmap generation when the enum keyword
    is not lowercased
  * Fixed author parsing in init command requiring an email whereas
    the schema allows a name only
  * Fixed issues in require command when requiring packages which
    do not exist (but are provided by something else you require)
  * Performance improvement in pool optimization step (forwarded request 957604 from susnux)
Displaying revisions 1 - 20 of 27