Releases: composer/composer

2.9.0-RC1

07 Nov 14:20
ed4d920

Pre-release

Composer 2.9 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.9.0-RC1
  • Running composer self-update --stable will get you back on the latest 2.8 stable release if anything broke.
  • Report any issues you encounter as a new issue specifying you tried the 2.9 RC and please include stack traces & repro details.

Full Changelog

  • Bumped composer-plugin-api to 2.9.0
  • Added automatic blocking of packages with security advisories from updates (#11956)
  • Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
  • Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
  • Added audit > ignore-abandoned config setting to ignore some packages (#12572)
  • Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
  • Added repository command to add, remove, or update repositories more easily (#12388)
  • Updated repositories structure to contain a name attribute and to preferably be stored as a list instead of an object (#12388)
  • Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
  • Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
  • Added support for forgejo / codeberg.org repositories (#12307)
  • Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
  • Added support for HTTP/3 if libcurl supports it (#12363)
  • Added support for custom header authentication (#12372)
  • Added support for client TLS certificates (#12406)
  • Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
  • Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
  • Added support for running init without interaction (#12546)
  • Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
  • Added support for Windows Sudo to elevate during self-update (#12543)
  • Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
  • Fixed display of dist refs for dev versions when source is missing (#12562)
  • Fixed abandoned warnings not being shown when a package is abandoned without a new release (#12423)
  • Fixed compatibility issues with Symfony 7
  • Fixed issues with PHP preloading being hard to debug (#12528)

Full Changelog: 2.8.12...2.9.0-RC1

2.8.12

19 Sep 11:46
3e38919

  • Fixed json schema issues with version validation (#12512)
  • Fixed PHP 8.5 deprecation warnings (#12513)
  • Fixed support for Bitbucket API tokens (#12515)
  • Fixed handling of spaces in paths when using binaries (#12524)
  • Fixed config --global path resolution issue (#12537)
  • Reduced peak memory usage while loading packages (#12516)
  • Dropped react/promise 2.x support

Full Changelog: 2.8.11...2.8.12

2.8.11

21 Aug 10:50
00e1a33

  • Fixed PHP 8.5 deprecation warnings (#12504, #12493, #12505)
  • Fixed bump command handling of 0.x versions (#12468)
  • Fixed psr-4 warnings being shown in some cases when using symlinked directories (#12480)
  • Fixed audit command failing hard if any advisory constraint was invalid (#12507)

Full Changelog: 2.8.10...2.8.11

2.8.10

10 Jul 17:23
53834f5

  • Fixed plugins appearing loaded despite not being loaded yet in some edge cases (#12442)
  • Fixed forward compatibility with Symfony 7.4 (#12445)
  • Fixed deprecation warning on PHP 8.4 when platform check fails (#12453)
  • Fixed support for new planner role in GitLab (#12426)
  • Fixed Bitbucket regression introduced in 2.8.0 (#12462)
  • Fixed json schema issues with version validation (#12438)
  • Fixed git prompt breaking some systems (#12437)
  • Fixed warning on PHP 8.5 when curl is not loaded (#12472)

Full Changelog: 2.8.9...2.8.10

2.8.9

13 May 12:15
b4e6bff

  • Fixed json schema issues with version validation (#12376)
  • Fixed bump-after-update triggering after an update --lock, which makes no sense (#12371)
  • Fixed zip bomb false positives when unpacking using ZipArchive (#12409)
  • Fixed creation of empty archives (#12408)
  • Removed output of script being run when running via composer <script-name> (#12383)

Full Changelog: 2.8.8...2.8.9

2.8.8

04 Apr 15:18
85ff84d

  • Fixed json schema issues with version validation (#12367)
  • Fixed issues running on 32bit machines (#12365)

Full Changelog: 2.8.7...2.8.8

2.8.7

03 Apr 14:31
fc06c09

  • Bumped justinrainbow/json-schema dependency to 6.x (#12348)
  • Added COMPOSER_MAX_PARALLEL_PROCESS env var to control max amount of parallel processes Composer will start (#12356)
  • Added zstd/brotli presence in diagnose command output
  • Fixed error handler to avoid spamming deprecation notices (#12360)
  • Fixed InstalledVersions returning duplicate data at Composer runtime (#12225)
  • Fixed handling of --with ... constraints to make them apply to packages replaced a package with a different name (#12353)
  • Fixed deprecation warnings showing up in IDE code inspections within the vendor dir (#12331)
  • Fixed a few json schema completeness issues (#12332, #12321)
  • Fixed issue autoloading files with a .phar inside the path (#12326)

Full Changelog: 2.8.6...2.8.7

2.8.6

25 Feb 12:21
937c775

  • Added COMPOSER_WITH_DEPENDENCIES and COMPOSER_WITH_ALL_DEPENDENCIES env vars to enable the --with[-all]-dependencies flags (#12289)
  • Added COMPOSER_SKIP_SCRIPTS env var to tell Composer to skip certain script handlers by script names (comma separated) (#12290)
  • Added error hint when Avast is detected together with curl certificate errors (#9894)
  • Fixed handling of backslash in folder names when creating archives (#12327)
  • Fixed detection of containerd for containers to avoid warning about root usage (#12299)

2.8.5

21 Jan 14:29
ae208dc

  • Added build provenance attestation so you can also now download and verify phar files from GitHub releases:

    gh release --repo composer/composer download --pattern composer.phar
    gh attestation verify --repo composer/composer composer.phar
    
  • Fixed unsupported funding values causing parse errors in packages (#12247)
  • Fixed support for a few newer funding formats (#12257)
  • Fixed InstalledVersions regression from 2.8.4 when reload() is used (#12269)
  • Fixed psr-0/psr-4 rules having unstable order in vendor/composer/autoload*.php (#12263)
  • Fixed a few warnings happening incorrectly in edge cases (#12284, #12268, #12283)

Full Changelog: 2.8.4...2.8.5

2.8.4

11 Dec 11:05
112e37d

  • Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both) (#12203)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)
  • Fixed installed.php sorting to be deterministic (#12197)
  • Fixed bump-after-update failing when using inline constraints (#12223)
  • Fixed create-project command to now disable symlinking when used with a path repo as argument (#12222)
  • Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant (#12196)
  • Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as a standard part of your build is probably a terrible idea anyway (#12196)
  • Fixed curl usage to disable multiplexing on broken versions when proxies are in use (#12207)

Full Changelog: 2.8.3...2.8.4