Bump composer/composer from 2.0.13 to 2.10.1 #532

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/composer/composer/composer-2.10.1

dependabot Bot commented on behalf of github Jun 4, 2026

Bumps composer/composer from 2.0.13 to 2.10.1.

Release notes

Sourced from composer/composer's releases.

2.10.1

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

Full Changelog: composer/composer@2.10.0...2.10.1

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

Full Changelog: composer/composer@2.9.8...2.10.0

2.10.0-RC2

Composer 2.10 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.10.0-RC2
  • Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke.
  • Report any issues you encounter as a new issue specifying you tried the 2.10 RC and please include stack traces & repro details.

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.1] 2026-06-04

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

[2.10.0] 2026-05-28

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)

[2.9.8] 2026-05-13

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [composer/composer](https://github.com/composer/composer) from 2.0.13 to 2.10.1.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.0.13...2.10.1)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.10.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update php code) labels Jun 4, 2026

dependabot Bot commented on behalf of github Jul 1, 2026

Superseded by #533.

dependabot Bot closed this Jul 1, 2026
dependabot Bot deleted the dependabot/composer/composer/composer-2.10.1 branch July 1, 2026 15:32