Update dependency composer/composer to ^2.6.4

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
composer/composer (source)	`^2.4.4` -> `^2.6.4`

GitHub Vulnerability Alerts

CVE-2023-43655

Impact

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches

2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds

Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

Release Notes

composer/composer (composer/composer)

### [`v2.6.4`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#264-2023-09-29) [Compare Source](https://togithub.com/composer/composer/compare/2.6.3...2.6.4) - Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655) - Fixed json output of abandoned packages in audit command ([#11647](https://togithub.com/composer/composer/issues/11647)) - Performance improvement in pool optimization step ([#11638](https://togithub.com/composer/composer/issues/11638)) - Performance improvement in `show -a ` ([#11659](https://togithub.com/composer/composer/issues/11659)) ### [`v2.6.3`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#263-2023-09-15) [Compare Source](https://togithub.com/composer/composer/compare/2.6.2...2.6.3) - Added audit.abandoned config setting. Can be set to `ignore`, `report` (current default) or `fail` (future default in 2.7) to make the audit command report abandoned packages as a security problem ([#11639](https://togithub.com/composer/composer/issues/11639)) - Added a warning when duplicates `files` autoload rules are detected ([#11109](https://togithub.com/composer/composer/issues/11109)) - Fixed unhandled promise rejection regression ([#11620](https://togithub.com/composer/composer/issues/11620)) - Fixed loading of root aliases on path repo packages when doing partial updates ([#11632](https://togithub.com/composer/composer/issues/11632)) - Fixed `archive` command not producing the correct output if the temp dir is a symlink ([#11636](https://togithub.com/composer/composer/issues/11636)) - Fixed some replaced packages being incorrectly missing when unlocked in a partial update ([#11629](https://togithub.com/composer/composer/issues/11629)) ### [`v2.6.2`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#262-2023-09-03) [Compare Source](https://togithub.com/composer/composer/compare/2.6.1...2.6.2) - Reverted "Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))" which caused a regression ([#11617](https://togithub.com/composer/composer/issues/11617)) - Fixed non-zero exit code on failed audits to only apply to `install --audit` runs and not implicit audits with `require`, `create-project` or `update` commands ([#11616](https://togithub.com/composer/composer/issues/11616)) - Fixed `create-project` infinite post-install loop in some circumstances ([#11613](https://togithub.com/composer/composer/issues/11613)) ### [`v2.6.1`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#261-2023-09-01) [Compare Source](https://togithub.com/composer/composer/compare/2.6.0...2.6.1) - Reverted "Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))" which caused a regression ([#11612](https://togithub.com/composer/composer/issues/11612)) ### [`v2.6.0`](https://togithub.com/composer/composer/blob/HEAD/CHANGELOG.md#260-2023-09-01) [Compare Source](https://togithub.com/composer/composer/compare/2.5.8...2.6.0) - Added audit.ignore config setting to ignore security advisories by id or CVE id ([#11556](https://togithub.com/composer/composer/issues/11556), [#11605](https://togithub.com/composer/composer/issues/11605)) - Added `rm` alias to the `remove` command ([#11367](https://togithub.com/composer/composer/issues/11367)) - Added runtime platform check to verify the php-64bit requirement is met ([#11334](https://togithub.com/composer/composer/issues/11334)) - Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka ([#11418](https://togithub.com/composer/composer/issues/11418)) - Added `--dry-run` to `dump-autoload` command to allow running --strict-psr checks without modifying the filesystem ([#11608](https://togithub.com/composer/composer/issues/11608)) - Added support for `bump`ing patch level in `~1.2.3` constraints ([#11590](https://togithub.com/composer/composer/issues/11590)) - Added prompt in `require` if the package name is not found but similar ones exist ([#11284](https://togithub.com/composer/composer/issues/11284)) - Added support for env vars and `~` in repository paths for vcs and artifact repositories ([#11453](https://togithub.com/composer/composer/issues/11453)) - Added support for local directory paths for repositories of type `composer` ([#11526](https://togithub.com/composer/composer/issues/11526)) - Added links to package homepages in `why`/`why-not` command output ([#11308](https://togithub.com/composer/composer/issues/11308)) - Added a `security` key to the `support` key of composer.json to set the URL to the vulnerability disclosure policy ([#11271](https://togithub.com/composer/composer/issues/11271)) - Added support for gathering security advisories from multiple repositories for a single package ([#11436](https://togithub.com/composer/composer/issues/11436)) - Fixed `install` exit code to be non-zero (5) if a requested security audit failed ([#11362](https://togithub.com/composer/composer/issues/11362)) - \~~Fixed binary proxies causing scripts inspecting `$_SERVER['SCRIPT_NAME']` to detect them, they are now more transparent ([#11562](https://togithub.com/composer/composer/issues/11562))~~ (Reverted in 2.6.2) - \~~Fixed executability of non-php binaries which are not marked executable ([#11557](https://togithub.com/composer/composer/issues/11557))~~ (Reverted in 2.6.1) - Fixed `mtime` modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen ([#11593](https://togithub.com/composer/composer/issues/11593)) - Fixed `create-project` using the wrong composer.json file if one was set via the `COMPOSER` env var ([#11493](https://togithub.com/composer/composer/issues/11493)) - Fixed json editing to preserve indentation when updating json files ([#11390](https://togithub.com/composer/composer/issues/11390)) - Fixed handling of broken junctions on windows ([#11550](https://togithub.com/composer/composer/issues/11550)) - Fixed parsing of lib-curl-openssl version with OSX SecureTransport ([#11534](https://togithub.com/composer/composer/issues/11534)) - Fixed svn repo parsing in some edge cases ([#11350](https://togithub.com/composer/composer/issues/11350)) - Fixed handling of archive URLs without file extension ([#11520](https://togithub.com/composer/composer/issues/11520)) - Performance improvement in pool optimization step ([#11449](https://togithub.com/composer/composer/issues/11449), [#11450](https://togithub.com/composer/composer/issues/11450))

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

Read more information about the use of Renovate Bot within Laminas.

laminas / laminas-component-installer