GitHub Vulnerability Alerts
CVE-2022-24828
The Composer method `VcsDriver::getFileContent()` with user-controlled `$file` or `$identifier` arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver is used.
This led to a vulnerability on Packagist.org and Private Packagist: the composer.json `readme` field could be used as a vector for injecting parameters into the `$file` argument for the Mercurial driver, or into the `$identifier` argument for the Git and Mercurial drivers.
Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository that is explicitly listed by URL in a project's composer.json.
To the best of our knowledge, this was not actively exploited. The vulnerability was patched on Packagist.org and Private Packagist within a day of the vulnerability report.
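The defect class the advisory describes, as an added illustration (not Composer's code and not its fix): a repository-controlled branch name or file path that starts with `-` reaches the VCS tool as an argument the tool itself parses, so shell escaping alone does not help. The `git show <ref>:<path>` and `hg cat -r <ref> <path>` argv shapes, the allow-list pattern and the `injected_options` check are assumptions made for this example.

```python
"""Option (argument) injection in VCS driver command lines: model, check, fix.

Added example for CVE-2022-24828-style bugs; the argv shapes below are assumed
for illustration and are not taken from Composer's drivers.
"""
import re
from typing import List

# Constructed allow-list: a ref or path must start with an alphanumeric, so the
# VCS tool can never read it as an option; '..' segments are rejected separately.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/@+-]*$")


def naive_git_show(identifier: str, file: str) -> List[str]:
    """Pre-hardening shape: even when the caller shell-escapes this value, git
    still receives it as one argument and runs its own option parser on it."""
    return ["git", "show", f"{identifier}:{file}"]


def naive_hg_cat(identifier: str, file: str) -> List[str]:
    """Pre-hardening shape with the file as a separate, user-controlled token."""
    return ["hg", "cat", "-r", identifier, file]


def injected_options(argv: List[str], user_positions: List[int]) -> List[str]:
    """Detection check for code review or tests: which user-controlled argv slots
    would be consumed by the tool's option parser (i.e. start with '-')?"""
    return [argv[i] for i in user_positions if argv[i].startswith("-")]


def validate_token(name: str, value: str) -> str:
    """Reject anything outside the allow-list or containing a '..' segment."""
    if not SAFE_TOKEN.match(value) or ".." in value.split("/"):
        raise ValueError(f"{name} rejected: {value!r}")
    return value


def hardened_git_show(identifier: str, file: str) -> List[str]:
    # 'ref:path' is a single revision argument; putting '--' before it would turn
    # it into a pathspec, so input validation is the defence that applies here.
    ident = validate_token("identifier", identifier)
    path = validate_token("file", file)
    return ["git", "show", f"{ident}:{path}"]


def hardened_hg_cat(identifier: str, file: str) -> List[str]:
    # The file is its own argument here, so '--' ends option parsing as a second,
    # independent layer on top of validation. Run the result with an argv list
    # (e.g. subprocess.run(argv)), never through a shell string.
    ident = validate_token("identifier", identifier)
    path = validate_token("file", file)
    return ["hg", "cat", "-r", ident, "--", path]
```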
Release Notes
composer/composer
### [`v2.2.12`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#2212-2022-04-13)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.11...2.2.12)
- Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
- Fixed curl downloader not retrying when a DNS resolution failure occurs ([#10716](https://togithub.com/composer/composer/issues/10716))
- Fixed composer.lock file still being used/read when the `lock` config option is disabled ([#10726](https://togithub.com/composer/composer/issues/10726))
- Fixed `validate` command checking the lock file even if the `lock` option is disabled ([#10723](https://togithub.com/composer/composer/issues/10723))
### [`v2.2.11`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#2211-2022-04-01)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.10...2.2.11)
- Added missing config.bitbucket-oauth in composer-schema.json
- Added --2.2 flag to `self-update` to pin the Composer version to the 2.2 LTS range ([#10682](https://togithub.com/composer/composer/issues/10682))
- Updated semver, jsonlint deps for minor fixes
- Fixed generation of autoload crashing if a package has a broken path ([#10688](https://togithub.com/composer/composer/issues/10688))
- Removed dev-master=>dev-main alias from [#10372](https://togithub.com/composer/composer/issues/10372) as it does not work when reloading from lock file and extracting dev deps ([#10651](https://togithub.com/composer/composer/issues/10651))
### [`v2.2.10`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#2210-2022-03-29)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.9...2.2.10)
- Fixed Bitbucket authorization detection due to API changes ([#10657](https://togithub.com/composer/composer/issues/10657))
- Fixed validate command warning about dist/source keys if defined ([#10655](https://togithub.com/composer/composer/issues/10655))
- Fixed deletion/handling of corrupted 0-bytes zip archives ([#10666](https://togithub.com/composer/composer/issues/10666))
### [`v2.2.9`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#229-2022-03-15)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.8...2.2.9)
- Fixed regression with plugins that modify install path of packages, [see docs](https://getcomposer.org/doc/articles/plugins.md#plugin-modifies-install-path) if you are authoring such a plugin ([#10621](https://togithub.com/composer/composer/issues/10621))
### [`v2.2.8`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#228-2022-03-15)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.7...2.2.8)
- Fixed `files` autoloading sort order to be fully deterministic ([#10617](https://togithub.com/composer/composer/issues/10617))
- Fixed pool optimization pass edge cases ([#10579](https://togithub.com/composer/composer/issues/10579))
- Fixed `require` command failing when `self.version` is used as constraint ([#10593](https://togithub.com/composer/composer/issues/10593))
- Fixed --no-ansi / undecorated output still showing color in repo warnings ([#10601](https://togithub.com/composer/composer/issues/10601))
- Performance improvement in pool optimization step ([composer/semver#131](https://togithub.com/composer/semver/issues/131))
### [`v2.2.7`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#227-2022-02-25)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.6...2.2.7)
- Allow installation together with composer/xdebug-handler ^3 ([#10528](https://togithub.com/composer/composer/issues/10528))
- Fixed support for packages with no licenses in `licenses` command output ([#10537](https://togithub.com/composer/composer/issues/10537))
- Fixed handling of `allow-plugins: false` which kept warning ([#10530](https://togithub.com/composer/composer/issues/10530))
- Fixed enum parsing in classmap generation when the enum keyword is not lowercased ([#10521](https://togithub.com/composer/composer/issues/10521))
- Fixed author parsing in `init` command requiring an email whereas the schema allows a name only ([#10538](https://togithub.com/composer/composer/issues/10538))
- Fixed issues in `require` command when requiring packages which do not exist (but are provided by something else you require) ([#10541](https://togithub.com/composer/composer/issues/10541))
- Performance improvement in pool optimization step ([#10546](https://togithub.com/composer/composer/issues/10546))
### [`v2.2.6`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#226-2022-02-04)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.5...2.2.6)
- BC Break: due to an oversight, the `COMPOSER_BIN_DIR` env var for binaries added in Composer 2.2.2 had to be renamed to `COMPOSER_RUNTIME_BIN_DIR` ([#10512](https://togithub.com/composer/composer/issues/10512))
- Fixed enum parsing in classmap generation with syntax like `enum foo:string` without space after `:` ([#10498](https://togithub.com/composer/composer/issues/10498))
- Fixed package search not urlencoding the input ([#10500](https://togithub.com/composer/composer/issues/10500))
- Fixed `reinstall` command not firing `pre-install-cmd`/`post-install-cmd` events ([#10514](https://togithub.com/composer/composer/issues/10514))
- Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos ([#10482](https://togithub.com/composer/composer/issues/10482))
- Fixed test suite compatibility with latest symfony/console releases ([#10499](https://togithub.com/composer/composer/issues/10499))
- Fixed some error reporting edge cases ([#10484](https://togithub.com/composer/composer/issues/10484), [#10451](https://togithub.com/composer/composer/issues/10451), [#10493](https://togithub.com/composer/composer/issues/10493))
### [`v2.2.5`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#225-2022-01-21)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.4...2.2.5)
- Disabled `composer/package-versions-deprecated` by default as it can function using `Composer\InstalledVersions` at runtime ([#10458](https://togithub.com/composer/composer/issues/10458))
- Fixed artifact repositories crashing if a phar file was present in the directory ([#10406](https://togithub.com/composer/composer/issues/10406))
- Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path ([#10468](https://togithub.com/composer/composer/issues/10468))
- Fixed handling of non-string versions in package repositories metadata ([#10470](https://togithub.com/composer/composer/issues/10470))
### [`v2.2.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#224-2022-01-08)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.3...2.2.4)
- Fixed handling of process timeout when running async processes during installation
- Fixed GitLab API handling when projects have a repository disabled ([#10440](https://togithub.com/composer/composer/issues/10440))
- Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows ([#10434](https://togithub.com/composer/composer/issues/10434))
- Fixed partial update issues with path repos missing if a path repo is required by a path repo ([#10431](https://togithub.com/composer/composer/issues/10431))
- Fixed support for sourcing binaries via the new bin proxies ([#10389](https://togithub.com/composer/composer/issues/10389#issuecomment-1007372740))
- Fixed messaging when GitHub tokens need SSO authorization ([#10432](https://togithub.com/composer/composer/issues/10432))
### [`v2.2.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#223-2021-12-31)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.2...2.2.3)
- Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 ([#10387](https://togithub.com/composer/composer/issues/10387))
- Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 ([#10401](https://togithub.com/composer/composer/issues/10401))
- Fixed binary proxies for shell scripts to work correctly when they are symlinked ([jakzal/phpqa#336](https://togithub.com/jakzal/phpqa/issues/336))
- Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update ([#10405](https://togithub.com/composer/composer/issues/10405))
### [`v2.2.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#222-2021-12-29)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.1...2.2.2)
- Added [`COMPOSER_BIN_DIR` env var and `_composer_bin_dir` global](https://getcomposer.org/doc/articles/vendor-binaries.md#finding-the-composer-bin-dir-from-a-binary) containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with `$BASH_SOURCES[0]` will need to update their binaries ([#10402](https://togithub.com/composer/composer/issues/10402))
- Fixed issue when new binary proxies are combined with PHPUnit and process isolation ([#10387](https://togithub.com/composer/composer/issues/10387))
- Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself ([#10404](https://togithub.com/composer/composer/issues/10404))
- Fixed UX of plugin warnings ([#10381](https://togithub.com/composer/composer/issues/10381))
### [`v2.2.1`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#2217-2022-07-13)
[Compare Source](https://togithub.com/composer/composer/compare/2.2.0...2.2.1)
- Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD ([#10935](https://togithub.com/composer/composer/issues/10935))
- Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded ([#10928](https://togithub.com/composer/composer/issues/10928))
- Fixed pre-install check for allowed plugins not taking --no-plugins into account ([#10925](https://togithub.com/composer/composer/issues/10925))
- Fixed support for disable_functions containing disk_free_space ([#10936](https://togithub.com/composer/composer/issues/10936))
- Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins ([#10940](https://togithub.com/composer/composer/issues/10940))
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: composer/composer `^2.2.0` -> `^2.2.12`
Read more about the use of Renovate Bot within ocramius/* projects.