drupalwxt / docker-scaffold

Docker Scaffold for Drupal WxT

Update Composer version to address vulnerability from GitHub #44

Open chrislaick opened 1 month ago

chrislaick commented 1 month ago

https://github.com/advisories/GHSA-47f6-5gq3-vx9c

We are currently using 10.2.x-php8.2 branch of drupalwxt/docker-scaffold and Composer is locked at 2.7.6:

https://github.com/drupalwxt/docker-scaffold/blob/10.2.x-php8.2/Dockerfile

The current latest stable release of Composer is 2.7.9. Recommend updating the Composer version to address the vulnerability for both 10.2.x and 10.2.x-php8.2 branches.

smulvih2 commented 1 month ago

Hey Chris, thanks for posting the issue! Take a look at this PR - https://github.com/drupalwxt/docker-scaffold/pull/45

This provides the update to 2.7.9 as a default, as well as supports passing the COMPOSER_VERSION through the .env file so this can be done per project while waiting for docker-scaffold to upgrade. I haven't tested this yet, but I was looking to do this for other things as well so would be great to get your input on this approach and if it works for you.
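As an added check (not part of docker-scaffold or PR #45), the script below reads the output of `composer --version` from a built image and reports whether it is still below the 2.7.9 release the issue recommends; the image tag in the trailing comment is a placeholder, and the sample version strings are constructed.

```sh
#!/bin/sh
# Constructed example: detect a stale Composer inside an image built from the
# scaffold. Not project code; the minimum version follows the issue text.

MIN_COMPOSER_VERSION="2.7.9"

# Extract "x.y.z" from the first line of `composer --version` output.
composer_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise (POSIX sort, no `sort -V`).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print "ok", "update-required" or "unknown" for a `composer --version` line.
check_composer_output() {
    v=$(composer_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$MIN_COMPOSER_VERSION"; then
        echo "ok"
    else
        echo "update-required"
    fi
}

# Constructed sample lines in the format Composer prints.
SAMPLE_OLD="Composer version 2.7.6 2024-05-06 16:58:46"
SAMPLE_NEW="Composer version 2.7.9 2024-09-04 14:43:28"

check_composer_output "$SAMPLE_OLD"   # update-required
check_composer_output "$SAMPLE_NEW"   # ok

# Against a real image (IMAGE_TAG is a placeholder for the scaffold's image):
# check_composer_output "$(docker run --rm IMAGE_TAG composer --version 2>/dev/null)"
```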

chrislaick commented 1 month ago

Hi Stephen, this approach would work nicely for us. It'll be great to have control over the COMPOSER_VERSION on a per project basis without having to wait for updates.

smulvih2 commented 1 month ago

If you can test out my feature branch and let me know it works for you that would be great. I'll test it on my end based on 10.3.x and report back.

chrislaick commented 1 month ago

Tested on 10.2.x and is working as expected. See comments.

chrislaick commented 3 weeks ago

Hi @smulvih2. Anything I can do to help move this along? I can also test the PR on 10.3.x. Thanks!