2.8.3

• Fixed windows handling of process discovery (#12180)
• Fixed react/promise requirement to allow 2.x installs again (#12188)
• Fixed some issues when lock:false is set in require and bump commands

Full Changelog: 2.8.2...2.8.3

2.8.2

• Fixed crash while suggesting providers if they have no description (#12152)
• Fixed issues creating lock files violating the schema in some circumstances (#12149)
• Fixed create-project regression in 2.8.1 when using path repos with relative paths (#12150)
• Fixed ctrl-C aborts not working inside text prompts (#12106)
• Fixed git failing silently when git cannot read a repo due to ownership violations (#12178)
• Fixed handling of signals in non-PHP binaries run via proxies (#12176)

Full Changelog: 2.8.1...2.8.2

2.8.1

• Fixed init command regression when no license is provided (#12145)
• Fixed --strict-ambiguous flag handling whereas it sometimes did not report all issues (#12148)
• Fixed create-project to inherit the target folder's permissions for installed project files (#12146)
• Fixed a few cases where the prompt for using a parent dir's composer.json fails to work correctly (#8023)

Full Changelog: 2.8.0...2.8.1

2.8.0

• BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes (#11938, #11915)
• Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer (#12122)
• Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting (#12091)
• Added --ignore-severity flag to the audit command to ignore one or more advisory severities (#12132)
• Added --bump-after-update flag to the update command to run bump after the update is done (#11942)
• Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs (#12086)
• Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies (#11966)
• Added a JSON schema for the composer.lock file (#12123)
• Added better support for Bitbucket app passwords when cloning repos / installing from source (#12103)
• Added --type flag to filter packages by type(s) in the reinstall command (#12114)
• Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found (#12119)
• Added warning in dump-autoload when vendor files have been deleted (#12139)
• Added warnings for each missing platform package when running create-project to avoid having to run it again and again (#12120)
• Added sorting of packages in allow-plugins when sort-packages is enabled (#11348)
• Added suggestion of provider packages / polyfills when an ext or lib package is missing (#12113)
• Improved interactive package update selection by first outputting all packages and their possible updates (#11990)
• Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way (#12111)
• Fixed PHP 8.4 deprecation warnings about E_STRICT (#12116)
• Fixed init command to validate the given license identifier (#12115)
• Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches (#12129)
• Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0 (#12109)
• Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs (#12112)
• Fixed php://stdin potentially being open several times when running Composer programmatically (#12107)
• Fixed handling of platform packages in why-not command and partial updates (#12110)
• Reverted "Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)" from 2.7.8 as it was broken

Full Changelog: 2.7.9...2.8.0

2.7.9

• Fixed Docker detection breaking on constrained environments (#12095)
• Fixed upstream issue in bash completion script, it is recommended to update it using the completion command (#12015)

Full Changelog: 2.7.8...2.7.9

2.7.8

• Added release-age, release-date and latest-release-date in the JSON output of outdated (#12053)
• Fixed PHP 8.4 deprecation warnings
• Fixed addressability of branches containing # signs (#12042)
• Fixed bump command not handling some ~ constraints correctly (#12038)
• Fixed COMPOSER_AUTH not taking precedence over ./auth.json (#12084)
• Fixed relative: true sometimes not being respected in path repo symlinks (#12092)
• Fixed copy from cache sometimes failing on VirtualBox shared folders (#12057)
• Fixed PSR-4 autoloading order regression in some edge case (#12063)
• Fixed duplicate lib-* packages causing issues when having pecl + core versions of the same PHP extension (#12093)
• Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)
• Fixed memory issues when installing large binaries (#12032)
• Fixed archive command crashing when a path cannot be realpath'd on windows (#11544)
• API: Deprecated BasePackage::$stabilities in favor of BasePackage::STABILITIES (685add7)
• Improved Docker detection (#12062)

Full Changelog: 2.7.7...2.7.8

2.7.7

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
• Security: Fixed perforce argument escaping (3773f77)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion, reported by Splitline Huang (3130a74, 04a63b3)
• Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
• Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
• Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
• Fixed ability for config command to remove autoload keys (#11967)
• Fixed empty type support in init command (#11999)
• Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
• Fixed regression showing network errors on PHP <8.1 (#11974)
• Fixed some color bleed from a few warnings (#11972)

Full Changelog: 2.7.6...2.7.7

2.2.24

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

• Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
• Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
• Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
• Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
• Security: Fixed perforce argument escaping (3773f77)
• Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
• Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a74, 04a63b3)

2.7.6

• Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

2.7.5

• Added uninstall alias to remove command (#11951)
• Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
• Fixed root usage warnings showing up within Podman containers (#11946)
• Fixed config command not handling objects correctly in some conditions (#11945)
• Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
• Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
• Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)