  • v2.4.1 Changes

    August 20, 2022
    • Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit flag in CI (#10998)
    • Fixed show command showing packages in two sections; this was only meant for the outdated command (#11000)
    • Fixed local git repos being copied to cache unnecessarily (#11001)
    • Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)
  • v2.4.0 Changes

    August 16, 2022
    • Added json format output to the new audit command (#10965)
    • Added json format output to the check-platform-reqs command (#10979)
    • Added GitLab 15+ token refresh support (#10988)
    • Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
    • Fixed various bash completion issues
  • v2.4.0-RC1 Changes

    July 21, 2022
    • Added bash completions for Composer commands, package names, etc. (see how to set up) (#10320)
    • Added bump command to bump requirements to the currently installed version (#10829)
    • Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
    • Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
    • Added --audit to install command to also do an audit (#10798, #10898)
    • Added r alias to require command (#10953)
    • Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
    • Added --locked to depends/prohibits commands (#10834)
    • Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
    • Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
    • Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
    • Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
    • Added sections for direct and transitive deps in outdated command output (#10779)
    • Added ability for cache GC to clean up vcs and repo caches (#10826)
    • Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
    • Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
    • Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
    • Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
  • v2.3.10 Changes

    July 13, 2022
    • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
    • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins, which will no longer warn/error if not in allow-plugins, as they are not loaded anyway (#10928)
    • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
    • Fixed support for disable_functions containing disk_free_space (#10936)
    • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)
  • v2.3.9 Changes

    July 05, 2022
    • Fixed non-interactive behavior of allow-plugins to throw instead of continuing with a warning, to avoid broken installs (#10920)
    • Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
    • Fixed deprecation notice (#10921)
    • Fixed type errors (#10924)
  • v2.3.8 Changes

    July 01, 2022
    • Fixed support for cache-read-only where the filesystem is not writable (#10906)
    • Fixed type error when using allow-plugins: true (#10909)
    • Fixed @putenv scripts receiving arguments passed to the command (#10846)
    • Fixed support for spaces in paths with binary proxies on Windows (#10836)
    • Fixed type error in GitDownloader if branches cannot be listed (#10888)
    • Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
    • Fixed type errors (#10904, #10897)
  • v2.3.7 Changes

    June 06, 2022
    • Fixed a few PHPStan ConfigReturnTypeExtension bugs
    • Fixed Config default for auth configs to be empty arrays instead of null, fixes issues with diagnose command (#10814)
    • Fixed handling of broken symlinks when checking whether a package is still installed (#6708)
    • Fixed bin proxies to allow a proxy to include another one safely (#10823)
    • Fixed openssl 3.x version parsing as it is now semver compliant
    • Fixed type error when a json file cannot be read (#10818)
    • Fixed parsing of multi-line arrays in funding.yml (#10784)
  • v2.3.6 Changes

    June 01, 2022
    • Added Composer\PHPStan\ConfigReturnTypeExtension to improve return types of Config::get() which you can also use in plugins CI (#10635)
    • Fixed name validation regex in schema causing issues with JS IDEs like VS Code (#10811)
    • Fixed unnecessary HTTP request in BitbucketDriver (#10729)
    • Fixed invalid credentials loop when setting up GitLab token (#10748)
    • Fixed PHP 8.2 deprecations (#10766)
    • Fixed lock file changes being output even when the lock file creation is disabled
    • Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)
    • Fixed quoting of commas on Windows (#10775)
    • Fixed issue installing path repos with a disabled symlink function (#10786)
    • Fixed various type errors (#10753, #10739, #10751)
  • v2.3.5 Changes

    April 13, 2022
    • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
    • Added warning when downloading a file with verify_peer[_name] disabled (#10722)
    • Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
    • Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
    • Fixed validate command checking the lock file even if the lock option is disabled (#10723)
    • Fixed detection of default branch name when it changed since a git repo was mirrored in cache dir (#10701)
  • v2.3.4 Changes

    April 07, 2022
    • Fixed the generated autoload.php to support running on PHP 5.6+ (down from 7.0+) and warn clearly on older PHP versions (#10714)
    • Fixed run-script --list flag regression (#10710)
    • Fixed curl downloader handling of DNS resolution failures to do an automatic retry (#10716)
    • Fixed script handling of external commands not setting the Path env correctly on Windows (#10700)
    • Fixed various type errors (#10694, #10696, #10702, #10712, #10703)