
chore(deps): update dependency composer/composer to v2.8.4 #5719

Open. Wants to merge 1 commit into base: staging.

Conversation

renovate[bot] (Contributor) commented Feb 8, 2024

This PR contains the following updates:

Package           | Update | Change
composer/composer | minor  | 2.6.6 -> 2.8.4

Release Notes

composer/composer (composer/composer)

v2.8.4

  • Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both) (#12203)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)
  • Fixed installed.php sorting to be deterministic (#12197)
  • Fixed bump-after-update failing when using inline constraints (#12223)
  • Fixed create-project command to now disable symlinking when used with a path repo as argument (#12222)
  • Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant (#12196)
  • Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as standard part of your build is probably a terrible idea anyway (#12196)
  • Fixed curl usage to disable multiplexing on broken versions when proxies are in use (#12207)

v2.8.3

  • Fixed windows handling of process discovery (#12180)
  • Fixed react/promise requirement to allow 2.x installs again (#12188)
  • Fixed some issues when lock:false is set in require and bump commands

v2.8.2

  • Fixed crash while suggesting providers if they have no description (#12152)
  • Fixed issues creating lock files violating the schema in some circumstances (#12149)
  • Fixed create-project regression in 2.8.1 when using path repos with relative paths (#12150)
  • Fixed ctrl-C aborts not working inside text prompts (#12106)
  • Fixed git failing silently when git cannot read a repo due to ownership violations (#12178)
  • Fixed handling of signals in non-PHP binaries run via proxies (#12176)

v2.8.1

  • Fixed init command regression when no license is provided (#12145)
  • Fixed --strict-ambiguous flag handling whereas it sometimes did not report all issues (#12148)
  • Fixed create-project to inherit the target folder's permissions for installed project files (#12146)
  • Fixed a few cases where the prompt for using a parent dir's composer.json fails to work correctly (#8023)

v2.8.0

  • BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes (#11938, #11915)
  • Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer (#12122)
  • Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting (#12091)
  • Added --ignore-severity flag to the audit command to ignore one or more advisory severities (#12132)
  • Added --bump-after-update flag to the update command to run bump after the update is done (#11942)
  • Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs (#12086)
  • Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies (#11966)
  • Added a JSON schema for the composer.lock file (#12123)
  • Added better support for Bitbucket app passwords when cloning repos / installing from source (#12103)
  • Added --type flag to filter packages by type(s) in the reinstall command (#12114)
  • Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found (#12119)
  • Added warning in dump-autoload when vendor files have been deleted (#12139)
  • Added warnings for each missing platform package when running create-project to avoid having to run it again and again (#12120)
  • Added sorting of packages in allow-plugins when sort-packages is enabled (#11348)
  • Added suggestion of provider packages / polyfills when an ext or lib package is missing (#12113)
  • Improved interactive package update selection by first outputting all packages and their possible updates (#11990)
  • Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way (#12111)
  • Fixed PHP 8.4 deprecation warnings about E_STRICT (#12116)
  • Fixed init command to validate the given license identifier (#12115)
  • Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches (#12129)
  • Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0 (#12109)
  • Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs (#12112)
  • Fixed php://stdin potentially being open several times when running Composer programmatically (#12107)
  • Fixed handling of platform packages in why-not command and partial updates (#12110)
  • Reverted "Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)" from 2.7.8 as it was broken

v2.7.9

  • Fixed Docker detection breaking on constrained environments (#12095)
  • Fixed upstream issue in bash completion script, it is recommended to update it using the completion command (#12015)

v2.7.8

  • Added release-age, release-date and latest-release-date in the JSON output of outdated (#12053)
  • Fixed PHP 8.4 deprecation warnings
  • Fixed addressability of branches containing # signs (#12042)
  • Fixed bump command not handling some ~ constraints correctly (#12038)
  • Fixed COMPOSER_AUTH not taking precedence over ./auth.json (#12084)
  • Fixed relative: true sometimes not being respected in path repo symlinks (#12092)
  • Fixed copy from cache sometimes failing on VirtualBox shared folders (#12057)
  • Fixed PSR-4 autoloading order regression in some edge case (#12063)
  • Fixed duplicate lib-* packages causing issues when having pecl + core versions of the same PHP extension (#12093)
  • Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)
  • Fixed memory issues when installing large binaries (#12032)
  • Fixed archive command crashing when a path cannot be realpath'd on windows (#11544)
  • API: Deprecated BasePackage::$stabilities in favor of BasePackage::STABILITIES (685add7)
  • Improved Docker detection (#12062)

v2.7.7

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
  • Security: Fixed perforce argument escaping (3773f77)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a74, 04a63b3)
  • Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  • Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  • Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  • Fixed ability for config command to remove autoload keys (#11967)
  • Fixed empty type support in init command (#11999)
  • Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  • Fixed regression showing network errors on PHP <8.1 (#11974)
  • Fixed some color bleed from a few warnings (#11972)

v2.7.6

  • Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

v2.7.5

  • Added uninstall alias to remove command (#11951)
  • Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
  • Fixed root usage warnings showing up within Podman containers (#11946)
  • Fixed config command not handling objects correctly in some conditions (#11945)
  • Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
  • Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
  • Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)

v2.7.4

  • Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in a pre-2.7.3 version (#11943, #11940)

v2.7.3

  • BC Warning: Fixed https_proxy env var falling back to http_proxy's value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
  • Fixed show and outdated commands to remove leading v in e.g. v1.2.3 when showing lists of packages (#11925)
  • Fixed audit command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
  • Fixed the warning about a missing default version showing for packages with project type as those are typically not versioned and do not have cyclic dependencies (#11885)
  • Fixed PHP 8.4 deprecation warnings
  • Fixed clear-cache command to respect the config.cache-dir setting from the local composer.json (#11921)
  • Fixed status command not handling failed download/install promises correctly (#11889)
  • Added support for buy_me_a_coffee in GitHub funding files (#11902)
  • Added hg support for SSH urls (#11878)
  • Fixed some env vars with an integer value causing a crash (#11908)
  • Fixed context data not being output when using IOInterface as a PSR-3 logger (#11882)

v2.7.2

  • Added info about the PHP version when running composer --version (#11866)
  • Added warning when the root version cannot be detected (#11858)
  • Fixed plugins still being enabled in a few contexts when running as root (c3efff9)
  • Fixed outdated --ignore ... still attempting to load the latest version of the ignored packages (#11863)
  • Fixed handling of broken symlinks in the middle of an install path (#11864)
  • Fixed update --lock still incorrectly updating some metadata (#11850, #11787)

v2.7.1

  • Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
  • Fixed diagnose auditing of Composer dependencies failing when running from the phar

v2.7.0

  • Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
  • Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
  • Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
  • Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
  • Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
  • Added severity information to audit command output (#11702)
  • Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
  • Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
  • Added support for wildcards in outdated's --ignore arg (#11831)
  • Added support for bump command bumping * to >=current version (#11694)
  • Added detection of constraints that cannot possibly match anything to validate command (#11829)
  • Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
  • Added audit of Composer's own bundled dependencies in diagnose command (#11761)
  • Added GitHub token expiration date to diagnose command output (#11688)
  • Added non-zero status code to why/why-not commands (#11796)
  • Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
  • Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
  • Fixed bump command not bumping packages required with a v prefix (#11764)
  • Fixed automatic disabling of plugins when running non-interactive as root
  • Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
  • Fixed require command crashing at the end if no lock file is present (#11814)
  • Fixed root aliases causing problems when auditing locked dependencies (#11771)
  • Fixed handling of versions with 4 components in require command (#11716)
  • Fixed compatibility issues with Symfony 7
  • Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
  • Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] added the renovate label (Feb 8, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.0" to "chore(deps): update dependency composer/composer to v2.7.1" (Feb 9, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 2f8af62 to ca29225 (February 9, 2024 15:04)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.1" to "chore(deps): update dependency composer/composer to v2.7.2" (Mar 11, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from ca29225 to 5a0bd43 (March 11, 2024 20:20)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.2" to "Update dependency composer/composer to v2.7.2" (Apr 4, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 5a0bd43 to 83cc37e (April 20, 2024 02:34)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.2" to "Update dependency composer/composer to v2.7.3" (Apr 20, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.3" to "chore(deps): update dependency composer/composer to v2.7.3" (Apr 20, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.3" to "chore(deps): update dependency composer/composer to v2.7.4" (Apr 22, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 83cc37e to 210f5f7 (April 22, 2024 20:30)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.4" to "Update dependency composer/composer to v2.7.4" (Apr 30, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 210f5f7 to 961bc28 (May 3, 2024 17:05)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.4" to "Update dependency composer/composer to v2.7.5" (May 3, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.5" to "chore(deps): update dependency composer/composer to v2.7.5" (May 3, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.5" to "chore(deps): update dependency composer/composer to v2.7.6" (May 4, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 961bc28 to 251d0ee (May 4, 2024 23:11)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.6" to "Update dependency composer/composer to v2.7.6" (May 7, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.6" to "chore(deps): update dependency composer/composer to v2.7.6" (May 22, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.6" to "Update dependency composer/composer to v2.7.6" (Jun 5, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.7.6" to "chore(deps): update dependency composer/composer to v2.7.6" (Jun 5, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 251d0ee to b34b23a (June 10, 2024 22:19)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.6" to "chore(deps): update dependency composer/composer to v2.7.7" (Jun 10, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from b34b23a to 2e9f2db (August 22, 2024 14:13)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.7" to "chore(deps): update dependency composer/composer to v2.7.8" (Aug 22, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 2e9f2db to afe5125 (September 4, 2024 15:03)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.8" to "chore(deps): update dependency composer/composer to v2.7.9" (Sep 4, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.7.9" to "chore(deps): update dependency composer/composer to v2.8.0" (Oct 2, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from afe5125 to 9d23110 (October 2, 2024 16:21)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.0" to "chore(deps): update dependency composer/composer to v2.8.1" (Oct 4, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 9d23110 to 20a897f (October 4, 2024 10:12)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.1" to "chore(deps): update dependency composer/composer to v2.8.2" (Oct 29, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 20a897f to 1d72ba9 (October 29, 2024 18:15)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from 1d72ba9 to 43aaca2 (November 15, 2024 15:12)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch 2 times, most recently from 3b3f970 to c06cf70 (November 17, 2024 13:38)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.2" to "chore(deps): update dependency composer/composer to v2.8.3" (Nov 17, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.3" to "Update dependency composer/composer to v2.8.3" (Dec 1, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.8.3" to "chore(deps): update dependency composer/composer to v2.8.3" (Dec 1, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.3" to "Update dependency composer/composer to v2.8.3" (Dec 2, 2024)
renovate[bot] changed the title from "Update dependency composer/composer to v2.8.3" to "chore(deps): update dependency composer/composer to v2.8.3" (Dec 4, 2024)
renovate[bot] changed the title from "chore(deps): update dependency composer/composer to v2.8.3" to "chore(deps): update dependency composer/composer to v2.8.4" (Dec 11, 2024)
renovate[bot] force-pushed the renovate/composer-composer-2.x branch from c06cf70 to 0dc41ee (December 11, 2024 11:39)