
Bump composer/composer from 2.0.13 to 2.10.2 #533

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/composer/composer/composer-2.10.2

Conversation

dependabot[bot] commented on behalf of github on Jul 1, 2026


Bumps composer/composer from 2.0.13 to 2.10.2.

Release notes

Sourced from composer/composer's releases.

2.10.2

  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)

Full Changelog: composer/composer@2.10.1...2.10.2

2.10.1

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

Full Changelog: composer/composer@2.10.0...2.10.1

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.2] 2026-07-01

  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)

[2.10.1] 2026-06-04

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

[2.10.0] 2026-05-28

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which are security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)

... (truncated)

Commits
  • 8d4439f Release 2.10.2
  • 79d92f0 Update changelog
  • 8887ad7 Merge commit from fork
  • 502c6c4 Merge commit from fork
  • 145e74d Update deps
  • e42b4f1 Retry downloads failing with HTTP 400 on a fresh connection (#12962)
  • 8c3eba8 Add basic command level telemetry (#12952)
  • c5f92a0 Bump actions/checkout from 6.0.3 to 7.0.0 (#12949)
  • b7c4e39 Sanitize JSON parse errors in Http\Response to avoid leaking response bodies ...
  • 6665153 Add VersionsTest for self update behavior
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [composer/composer](https://github.com/composer/composer) from 2.0.13 to 2.10.2.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.0.13...2.10.2)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.10.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels Jul 1, 2026