Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
Added --locked to depends/prohibits commands (#10834)
Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
Added sections for direct and transitive deps in outdated command output (#10779)
Added ability for cache GC to clean up vcs and repo caches (#10826)
Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
2.4.0-RC1
Composer 2.4 is ready for a release, and we need your help to test it and report any regression.
Please try it out!
Running composer self-update --preview will get you the 2.4.0-RC1
Running composer self-update --stable will get you back on the latest 2.3 stable release if anything broke.
Report any issues you encounter as a new issue specifying you tried the 2.4 RC and please include stack traces & repro details.
Full Changelog
Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
Added bump command to bump requirements to the currently installed version (#10829)
Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
Added --audit to install command to also do an audit (#10798, #10898)
Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
Added --locked to depends/prohibits commands (#10834)
Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
Added sections for direct and transitive deps in outdated command output (#10779)
Added ability for cache GC to clean up vcs and repo caches (#10826)
Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
[2.3.10] 2022-07-13
Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
Fixed support for disable_functions containing disk_free_space (#10936)
Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)
[2.3.9] 2022-07-05
Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps composer/composer from 2.0.13 to 2.4.1.
Release notes
Sourced from composer/composer's releases.
... (truncated)
Changelog
Sourced from composer/composer's changelog.
... (truncated)
Commits
777d542
Release 2.4.17ec6d16
Update changelogceb8bef
Adding hint what "Direct dependencies" means (#11013)d2d8474
Do not apply non-array package links in ArrayLoader (#11008)5177469
Do not apply non-string package link constraints in ArrayLoader (#11009)7ccf230
Fix cache invalidation issue when a git tag gets created on an old ref after ...cad5dc5
Match default choice to actual default (#11010)20b3e3e
Fix docs for issue composer/satis#656 (#11005)6b31fbe
Update pull_request_template.mdc529087
performance: Do not create a local cache repo for local repos (#11001)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)