Bumped composer-runtime-api and composer-plugin-api to 2.2.0
UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
Added a --source flag to config command to show where config values are loaded from (#10129)
Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
Added retry behavior on certain http status and curl error codes (#10162)
Added abandoned flag display in search command output
Added support for --ignore-platform-reqs in outdated command (#10293)
Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
Fixed unlocking of replacers when a replaced package is unlocked (#10280)
Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
Fixed handling of recursive package links (e.g. requiring or replacing oneself)
Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
Fixed archive command to produce archives with files sorted by name (#10274)
Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
Fixed self-update failing in some edge cases due to loading plugins (#10371)
Fixed display of conflicts showing the wrong package name in some conditions (#10355)
Fixed some error reporting issues (#10283, #10339)
2.2.0-RC1
Composer 2.2 will be LTS
Read more about the LTS plan and PHP version support in the upcoming Composer 2.3 if you're using a legacy PHP version.
Try it out now and get ready for the upcoming stable release
Use composer self-update --preview to try the latest prerelease version.
Use composer self-update --stable to go back to stable releases.
Changelog
Bumped composer-runtime-api and composer-plugin-api to 2.2.0
UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
Fixed self-update failing in some edge cases due to loading plugins (#10371)
Fixed display of conflicts showing the wrong package name in some conditions (#10355)
[2.2.0-RC1] 2021-12-08
Bumped composer-runtime-api and composer-plugin-api to 2.2.0
UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
Added a --source flag to config command to show where config values are loaded from (#10129)
Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
Added retry behavior on certain http status and curl error codes (#10162)
Added abandoned flag display in search command output
Added support for --ignore-platform-reqs in outdated command (#10293)
Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
Fixed unlocking of replacers when a replaced package is unlocked (#10280)
Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
Fixed handling of recursive package links (e.g. requiring or replacing oneself)
Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
Fixed archive command to produce archives with files sorted by name (#10274)
Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
Fixed some error reporting issues (#10283, #10339)
[2.1.14] 2021-11-30
Fixed invalid release build
[2.1.13] 2021-11-30
Removed symfony/console ^6 support as we cannot be compatible until Composer 2.3.0 is released. If you have issues with Composer required as a dependency + Symfony make sure you stay on Symfony 5.4 for now. (#10321)
[2.1.12] 2021-11-09
Fixed issues in proxied binary files relying on `__FILE__` / `__DIR__` on php <8 (#10261)
Fixed 9999999-dev being shown in some cases by the show command (#10260)
Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps composer/composer from 2.0.13 to 2.2.0.
Release notes
Sourced from composer/composer's releases.
... (truncated)
Changelog
Sourced from composer/composer's changelog.
... (truncated)
Commits
- e174a4c Release 2.2.0
- 613980b Update baseline
- f0060b7 Use web URLs for Gitlab support metadata (#10377)
- 54123e4 Fix autoloader compatibility with older releases of laminas/laminas-zendframe...
- 756c51d Update changelog
- 188b692 Add test verifying only plugin deps are autoloaded (#10374)
- 71ab70d Disable files autoloading for scripts to avoid untrusted code execution at ru...
- 8f1b3d2 Add --no-scripts to all commands and disable plugins/scripts when running sel...
- 24eac88 Switch the default version in path repo packages to dev-main and add a dev-ma...
- 95e41ae Fix phpstan