Roave / BackwardCompatibilityCheck

:ab: Tool to compare two revisions of a class API to check for BC breaks
MIT License

Update dependency composer/composer to ^2.6.4 [SECURITY] - autoclosed #749

Closed renovate[bot] closed 6 months ago

renovate[bot] commented 9 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| [composer/composer](https://github.com/composer/composer) (source) | `^2.5.1` -> `^2.6.4` |

GitHub Vulnerability Alerts

CVE-2023-43655

Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches

2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.


Release Notes

composer/composer (composer/composer)

### [`v2.6.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#264-2023-09-29)

[Compare Source](https://togithub.com/composer/composer/compare/2.6.3...2.6.4)

- Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
- Fixed json output of abandoned packages in audit command ([#11647](https://togithub.com/composer/composer/issues/11647))
- Performance improvement in pool optimization step ([#11638](https://togithub.com/composer/composer/issues/11638))
- Performance improvement in `show -a` ([#11659](https://togithub.com/composer/composer/issues/11659))

### [`v2.6.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#263-2023-09-15)

[Compare Source](https://togithub.com/composer/composer/compare/2.6.2...2.6.3)

- Added audit.abandoned config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem ([#11639](https://togithub.com/composer/composer/issues/11639))
- Added a warning when duplicate `files` autoload rules are detected ([#11109](https://togithub.com/composer/composer/issues/11109))
- Fixed unhandled promise rejection regression ([#11620](https://togithub.com/composer/composer/issues/11620))
- Fixed loading of root aliases on path repo packages when doing partial updates ([#11632](https://togithub.com/composer/composer/issues/11632))
- Fixed `archive` command not producing the correct output if the temp dir is a symlink ([#11636](https://togithub.com/composer/composer/issues/11636))
- Fixed some replaced packages being incorrectly missing when unlocked in a partial update ([#11629](https://togithub.com/composer/composer/issues/11629))

### [`v2.6.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#262-2023-09-03)

[Compare Source](https://togithub.com/composer/composer/compare/2.6.1...2.6.2)

- Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))" which caused a regression ([#11617](https://togithub.com/composer/composer/issues/11617))
- Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands ([#11616](https://togithub.com/composer/composer/issues/11616))
- Fixed `create-project` infinite post-install loop in some circumstances ([#11613](https://togithub.com/composer/composer/issues/11613))

### [`v2.6.1`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#261-2023-09-01)

[Compare Source](https://togithub.com/composer/composer/compare/2.6.0...2.6.1)

- Reverted "Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))" which caused a regression ([#11612](https://togithub.com/composer/composer/issues/11612))

### [`v2.6.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#260-2023-09-01)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.8...2.6.0)

- Added audit.ignore config setting to ignore security advisories by id or CVE id ([#11556](https://togithub.com/composer/composer/issues/11556), [#11605](https://togithub.com/composer/composer/issues/11605))
- Added `rm` alias to the `remove` command ([#11367](https://togithub.com/composer/composer/issues/11367))
- Added runtime platform check to verify the php-64bit requirement is met ([#11334](https://togithub.com/composer/composer/issues/11334))
- Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka ([#11418](https://togithub.com/composer/composer/issues/11418))
- Added `--dry-run` to `dump-autoload` command to allow running --strict-psr checks without modifying the filesystem ([#11608](https://togithub.com/composer/composer/issues/11608))
- Added support for `bump`ing patch level in `~1.2.3` constraints ([#11590](https://togithub.com/composer/composer/issues/11590))
- Added prompt in `require` if the package name is not found but similar ones exist ([#11284](https://togithub.com/composer/composer/issues/11284))
- Added support for env vars and `~` in repository paths for vcs and artifact repositories ([#11453](https://togithub.com/composer/composer/issues/11453))
- Added support for local directory paths for repositories of type `composer` ([#11526](https://togithub.com/composer/composer/issues/11526))
- Added links to package homepages in `why`/`why-not` command output ([#11308](https://togithub.com/composer/composer/issues/11308))
- Added a `security` key to the `support` key of composer.json to set the URL to the vulnerability disclosure policy ([#11271](https://togithub.com/composer/composer/issues/11271))
- Added support for gathering security advisories from multiple repositories for a single package ([#11436](https://togithub.com/composer/composer/issues/11436))
- Fixed `install` exit code to be non-zero (5) if a requested security audit failed ([#11362](https://togithub.com/composer/composer/issues/11362))
- ~~Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))~~ (Reverted in 2.6.2)
- ~~Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))~~ (Reverted in 2.6.1)
- Fixed `mtime` modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen ([#11593](https://togithub.com/composer/composer/issues/11593))
- Fixed `create-project` using the wrong composer.json file if one was set via the `COMPOSER` env var ([#11493](https://togithub.com/composer/composer/issues/11493))
- Fixed json editing to preserve indentation when updating json files ([#11390](https://togithub.com/composer/composer/issues/11390))
- Fixed handling of broken junctions on windows ([#11550](https://togithub.com/composer/composer/issues/11550))
- Fixed parsing of lib-curl-openssl version with OSX SecureTransport ([#11534](https://togithub.com/composer/composer/issues/11534))
- Fixed svn repo parsing in some edge cases ([#11350](https://togithub.com/composer/composer/issues/11350))
- Fixed handling of archive URLs without file extension ([#11520](https://togithub.com/composer/composer/issues/11520))
- Performance improvement in pool optimization step ([#11449](https://togithub.com/composer/composer/issues/11449), [#11450](https://togithub.com/composer/composer/issues/11450))

### [`v2.5.8`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#258-2023-06-09)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.7...2.5.8)

- Fixed regression in edge cases where root package gets added to a repository already during the install process ([#11495](https://togithub.com/composer/composer/issues/11495))
- Fixed EventDispatcher on windows picking bat files when using "@php binary" ([#11490](https://togithub.com/composer/composer/issues/11490))
- Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle ([#11492](https://togithub.com/composer/composer/issues/11492))
- Fixed type declarations on ClassLoader ([#11500](https://togithub.com/composer/composer/issues/11500))

### [`v2.5.7`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#257-2023-05-24)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.6...2.5.7)

- Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev ([#11481](https://togithub.com/composer/composer/issues/11481))

### [`v2.5.6`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#256-2023-05-24)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.5...2.5.6)

- BC Warning: Installers and `InstallationManager::getInstallPath` will now return `null` instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely ([#11455](https://togithub.com/composer/composer/issues/11455))
- Fixed metapackages showing their install path as the root package's path instead of empty ([#11455](https://togithub.com/composer/composer/issues/11455))
- Fixed lock file verification on `install` to deal better with `replace`/`provide` ([#11475](https://togithub.com/composer/composer/issues/11475))
- Fixed lock file having a more recent modification time than the vendor dir when `require` guesses the constraint after resolution ([#11405](https://togithub.com/composer/composer/issues/11405))
- Fixed numeric default branches with a `v` prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would ([`e51d755`](https://togithub.com/composer/composer/commit/e51d755a08))
- Fixed binary proxies not being transparent when included by another PHP process and returning a value ([#11454](https://togithub.com/composer/composer/issues/11454))
- Fixed support for plugin classes being marked as `readonly` ([#11404](https://togithub.com/composer/composer/issues/11404))
- Fixed `getmypid` being required as it is not always available ([#11401](https://togithub.com/composer/composer/issues/11401))
- Fixed authentication issue when downloading several files from private Bitbucket in parallel ([#11464](https://togithub.com/composer/composer/issues/11464))

### [`v2.5.5`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#255-2023-03-21)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.4...2.5.5)

- Fixed basic auth failures resulting in infinite retry loop ([#11320](https://togithub.com/composer/composer/issues/11320))
- Fixed GitHub rate limit reporting ([#11366](https://togithub.com/composer/composer/issues/11366))
- Fixed InstalledVersions error in Composer 1 compatibility edge case ([#11304](https://togithub.com/composer/composer/issues/11304))
- Fixed issue displaying solver problems with branch names containing `%` signs ([#11359](https://togithub.com/composer/composer/issues/11359))
- Fixed race condition in cache validity detection when running Composer highly concurrently ([#11375](https://togithub.com/composer/composer/issues/11375))
- Fixed various minor config command issues ([#11353](https://togithub.com/composer/composer/issues/11353), [#11302](https://togithub.com/composer/composer/issues/11302))

### [`v2.5.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#254-2023-02-15)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.3...2.5.4)

- Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks ([#11318](https://togithub.com/composer/composer/issues/11318))

### [`v2.5.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#253-2023-02-10)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.2...2.5.3)

- Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive ([#11315](https://togithub.com/composer/composer/issues/11315))

### [`v2.5.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#252-2023-02-04)

[Compare Source](https://togithub.com/composer/composer/compare/2.5.1...2.5.2)

- Added warning when `require` auto-selects a feature branch as that is probably not desired ([#11270](https://togithub.com/composer/composer/issues/11270))
- Fixed `self.version` requirements reporting lock file integrity errors when changing branches ([#11283](https://togithub.com/composer/composer/issues/11283))
- Fixed `require` regression which broke the --fixed flag ([#11247](https://togithub.com/composer/composer/issues/11247))
- Fixed security audit reports loading when exclude/only filter rules are used on a repository ([#11281](https://togithub.com/composer/composer/issues/11281))
- Fixed autoloading regression on PHP 5.6 ([#11285](https://togithub.com/composer/composer/issues/11285))
- Fixed archive command including an existing archive into itself if run repeatedly ([#11239](https://togithub.com/composer/composer/issues/11239))
- Fixed dev package prompt in `require` not appearing in some conditions ([#11287](https://togithub.com/composer/composer/issues/11287))

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



Read more about the use of Renovate Bot within ocramius/* projects.
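The advisory quoted in the PR above (CVE-2023-43655) names two preconditions that have to hold together: `register_argc_argv` enabled in the web SAPI's php.ini, and a `composer.phar` reachable under the web server's document root. The script below is an added example, not code from the Renovate PR, from Composer, or from this repository; it turns the advisory's "Workarounds" section into a pre-deployment check. The php.ini path and document root are passed in by the caller, and all files used in the demo at the bottom are constructed locally.

```shell
#!/bin/sh
# Added example: pre-deployment check for the two CVE-2023-43655 preconditions.
# Not part of the Renovate PR or of Composer itself. Paths are supplied by the caller.

# register_argc_argv_enabled INI_FILE
# Exit 0 if INI_FILE leaves register_argc_argv enabled, 1 if it is explicitly disabled.
# The last uncommented assignment wins (as PHP resolves repeated keys), "1", "On",
# "Yes" and "True" count as enabled (case-insensitive), and an absent key is reported
# as enabled because PHP's built-in default for this directive is "1".
register_argc_argv_enabled() {
    ini="$1"
    value=$(grep -i '^[[:space:]]*register_argc_argv[[:space:]]*=' "$ini" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' \
        | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$value" in
        "")            return 0 ;;   # key absent (or file unreadable): assume the default, On
        1|on|yes|true) return 0 ;;
        *)             return 1 ;;
    esac
}

# find_phar_in_webroot DOCROOT
# Prints every composer.phar found under DOCROOT and exits 1 if any exists, 0 if none.
# -L follows symlinks so a link from the docroot into a vendor/ or tools/ dir is caught.
find_phar_in_webroot() {
    docroot="$1"
    found=$(find -L "$docroot" -type f -name 'composer.phar' 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# check_deployment INI_FILE DOCROOT
# Exit 0 only when both preconditions are absent; report each one that is present.
check_deployment() {
    ini="$1"; docroot="$2"; rc=0
    if register_argc_argv_enabled "$ini"; then
        echo "register_argc_argv is enabled (explicitly or by default) in $ini"
        rc=1
    fi
    if ! find_phar_in_webroot "$docroot"; then
        echo "composer.phar is reachable under the document root $docroot"
        rc=1
    fi
    return $rc
}

# --- constructed demo data (not from any real server) ---
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/tools"
printf 'register_argc_argv = On\n' > "$demo/php.ini"
: > "$demo/htdocs/tools/composer.phar"   # empty stand-in for a real phar

if check_deployment "$demo/php.ini" "$demo/htdocs"; then
    echo "OK: neither precondition present"
else
    echo "FAIL: fix the findings above before deploying"
fi
rm -rf "$demo"
```

Run it against the php.ini that the web SAPI actually loads (for example the php-fpm pool's ini, which `php-fpm -i` or a `phpinfo()` page will name), not the CLI's: the CLI SAPI forces `register_argc_argv` on regardless of the ini, so a CLI-side `php -i` would report "enabled" even on a correctly hardened web deployment. A clean result from this script does not replace the upgrade to 2.6.4 / 2.2.22 / 1.10.27 that the advisory lists as the fix; it only confirms the workaround is in place.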