
Bump composer/composer from 2.8.6 to 2.10.0 #702

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/composer/composer/composer-2.10.0



dependabot[bot] commented on behalf of github on May 28, 2026

Bumps composer/composer from 2.8.6 to 2.10.0.

Release notes

Sourced from composer/composer's releases.

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

Full Changelog: composer/composer@2.9.8...2.10.0

2.10.0-RC2

Composer 2.10 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.10.0-RC2
  • Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke.
  • Report any issues you encounter as a new issue specifying you tried the 2.10 RC and please include stack traces & repro details.

Full Changelog

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.0] 2026-05-28

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)

[2.9.8] 2026-05-13

[2.9.7] 2026-04-14

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)

... (truncated)

Commits
  • c13824d Release 2.10.0
  • 02449ad Update changelog
  • 502e66a Relax token validation on input, and hide more things on output (#12886)
  • 4f95709 Merge pull request #12874 from cs278/patch-1
  • b902ec8 Merge pull request #12885 from Seldaek/source-fallback-disable
  • 2fc4bee Add deprecated flag
  • 54b78ad Merge pull request #12884 from Seldaek/schemefixes
  • 5413c3c Use 'dependency policy' terminology in docs and user-facing output, drop audi...
  • f240bbe audit cmd: remove --filtered option, change status code to 0/1
  • 624acb6 Use 'dependency policy' terminology in docs and user-facing output
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [composer/composer](https://github.com/composer/composer) from 2.8.6 to 2.10.0.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.8.6...2.10.0)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies and php labels on May 28, 2026