build(deps): bump composer/composer from 2.3.9 to 2.4.1 in /composer/helpers/v2 #5577


dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 23, 2022

Bumps composer/composer from 2.3.9 to 2.4.1.

Release notes

Sourced from composer/composer's releases.

2.4.1

  • Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit flag in CI (#10998)
  • Fixed show command showing packages in two sections, this was only meant for the outdated command (#11000)
  • Fixed local git repos being copied to cache unnecessarily (#11001)
  • Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)

2.4.0

Read the Composer 2.4 Release Announcement for more details on the release highlights.

Complete Changelog

  • Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
  • Added bump command to bump requirements to the currently installed version (#10829)
  • Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
  • Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
  • Added --audit to install command to also do an audit (#10798, #10898)
  • Added json format output to the check-platform-reqs command (#10979)
  • Added GitLab 15+ token refresh support (#10988)
  • Added r alias to require command (#10953)
  • Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
  • Added --locked to depends/prohibits commands (#10834)
  • Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
  • Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
  • Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
  • Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
  • Added sections for direct and transitive deps in outdated command output (#10779)
  • Added ability for cache GC to clean up vcs and repo caches (#10826)
  • Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
  • Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
  • Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
  • Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
  • Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)

2.4.0-RC1

Composer 2.4 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.4.0-RC1
  • Running composer self-update --stable will get you back on the latest 2.3 stable release if anything broke.
  • Report any issues you encounter as a new issue specifying you tried the 2.4 RC and please include stack traces & repro details.

Full Changelog

  • Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
  • Added bump command to bump requirements to the currently installed version (#10829)
  • Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
  • Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
  • Added --audit to install command to also do an audit (#10798, #10898)
  • Added r alias to require command (#10953)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.4.1] 2022-08-20

  • Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit flag in CI (#10998)
  • Fixed show command showing packages in two sections, this was only meant for the outdated command (#11000)
  • Fixed local git repos being copied to cache unnecessarily (#11001)
  • Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)

[2.4.0] 2022-08-16

  • Added json format output to the new audit command (#10965)
  • Added json format output to the check-platform-reqs command (#10979)
  • Added GitLab 15+ token refresh support (#10988)
  • Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
  • Fixed various bash completion issues

[2.4.0-RC1] 2022-07-21

  • Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
  • Added bump command to bump requirements to the currently installed version (#10829)
  • Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
  • Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
  • Added --audit to install command to also do an audit (#10798, #10898)
  • Added r alias to require command (#10953)
  • Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
  • Added --locked to depends/prohibits commands (#10834)
  • Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
  • Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
  • Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
  • Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
  • Added sections for direct and transitive deps in outdated command output (#10779)
  • Added ability for cache GC to clean up vcs and repo caches (#10826)
  • Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
  • Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
  • Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
  • Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)

[2.3.10] 2022-07-13

  • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
  • Fixed support for disable_functions containing disk_free_space (#10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner August 23, 2022 20:06
@dependabot dependabot bot added dependencies php Dependabot pull requests that update Php code labels Aug 23, 2022
@dependabot dependabot bot force-pushed the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch 18 times, most recently from 2922823 to 58fb0bb Compare September 8, 2022 14:28
@dependabot dependabot bot force-pushed the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch 8 times, most recently from 49663e1 to 99c57ea Compare September 12, 2022 20:08
@dependabot dependabot bot force-pushed the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch from de997bc to 8ba394d Compare September 13, 2022 00:40
@jeffwidman
Member

jeffwidman commented Sep 13, 2022

Test failing because Composer also has to be bumped in the dockerfile:

# Hello fellow composer updater! If you're reading this, you're probably
# wondering why this test is failing. Well, it's because the version of the
# natively installed composer binary is different to the version specified
# in the native helper.
#
# If you've updated the composer version in
# composer/helpers/v2/composer.lock, you also need to bump it in the
# Dockerfile.

But need to coordinate this to get Dependabot to first update it to the latest, then push the dockerfile change over the top of that.
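The failing test quoted above enforces one invariant: the Composer release pinned in composer/helpers/v2/composer.lock must match the binary installed by the Dockerfile. The following Ruby is an added example of that consistency check, not dependabot-core's own test; the lock file contents are constructed, and the assumption that the Dockerfile pins the binary through an `ENV COMPOSER_VERSION=...` line is mine.

```ruby
require "json"
require "rubygems"

# Constructed stand-in for composer/helpers/v2/composer.lock, trimmed to the fields used.
SAMPLE_LOCK = <<~JSON
  {
    "packages": [
      { "name": "composer/composer", "version": "2.4.1" },
      { "name": "composer/semver",   "version": "3.3.2" }
    ],
    "packages-dev": []
  }
JSON

# Constructed Dockerfile fragment. The real Dockerfile's layout is assumed here:
# the natively installed binary's version is taken from an `ENV COMPOSER_VERSION=...` line.
SAMPLE_DOCKERFILE = <<~DOCKERFILE
  FROM ubuntu:20.04
  ENV COMPOSER_VERSION=2.3.9
  RUN curl -sS https://getcomposer.org/installer | php -- --version="$COMPOSER_VERSION"
DOCKERFILE

# Version of a package as recorded in the lock file (a leading "v" is stripped).
def lock_version(lock_json, package = "composer/composer")
  data = JSON.parse(lock_json)
  pkgs = data.fetch("packages", []) + data.fetch("packages-dev", [])
  entry = pkgs.find { |p| p["name"] == package }
  raise "#{package} is not in composer.lock" unless entry
  entry.fetch("version").sub(/\Av/, "")
end

# Version of the natively installed composer binary, as pinned in the Dockerfile.
def dockerfile_version(dockerfile)
  m = dockerfile.match(/^ENV\s+COMPOSER_VERSION=(\S+)\s*$/)
  raise "no COMPOSER_VERSION pin in Dockerfile" unless m
  m[1]
end

# The invariant the test enforces: both sources pin the same Composer release.
def versions_in_sync?(lock_json, dockerfile)
  Gem::Version.new(lock_version(lock_json)) == Gem::Version.new(dockerfile_version(dockerfile))
end

# The "bump it in the Dockerfile" step: rewrite the pin so it matches the lock file.
def bump_dockerfile(dockerfile, lock_json)
  wanted = lock_version(lock_json)
  dockerfile.sub(/^(ENV\s+COMPOSER_VERSION=)\S+/) { "#{$1}#{wanted}" }
end

if $PROGRAM_NAME == __FILE__
  puts "lock: #{lock_version(SAMPLE_LOCK)}  dockerfile: #{dockerfile_version(SAMPLE_DOCKERFILE)}"
  puts "in sync: #{versions_in_sync?(SAMPLE_LOCK, SAMPLE_DOCKERFILE)}"
  puts bump_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_LOCK)
end
```

Run as a CI step, `versions_in_sync?` fails exactly the way the quoted test does when only the lock file has moved; `bump_dockerfile` is the follow-up change that has to be pushed on top of the Dependabot commit.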

@jeffwidman
Member

Looking at the changelog, there's actually a lot of changes in Composer, some of which may be useful to us... i.e., we may be able to replace our native ruby re-implementations with simple flags passed to composer for some things. So I don't want to be in a hurry to merge this one until I better understand how the composer shelling out works and possibly sync with @jurre for a second opinion.

@jurre
Member

jurre commented Sep 13, 2022

native ruby re-implementations

We rely on some PHP code that uses Composer as a library for most things today (in composer/helpers/), but, if we can replace that by commands that execute composer instead, I'm all for it. If that's something that we can do incrementally, I think it might be worth merging this PR first and then following up with some smaller targeted PRs that replace parts of what we currently do "manually" with a composer command.

Member

@jeffwidman jeffwidman left a comment

I looked into this more, and they have a new audit command that's enabled by default for composer update (but not composer install). This command always does an API call to Packagist to check for security vulnerabilities for each package. We probably want to disable this by default, so I'm blocking this PR for now to ensure no one accidentally merges it w/o looking into this in more detail.

I also created a dedicated issue for it:
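Because Composer 2.4 audits against the Packagist advisory API after every `composer update` (and after `composer install` only with `--audit`), a tool that shells out to composer has to opt out explicitly if it does not want that network call. The Ruby below is an added example, not dependabot-core's code: it builds an update invocation with auditing disabled and gates the `--no-audit` flag on the installed version, since the option does not exist before 2.4.0 and older releases reject unknown options, while the `COMPOSER_NO_AUDIT` variable from 2.4.1 is harmless on older versions. Treating any non-empty `COMPOSER_NO_AUDIT` value as disabling the audit is an assumption.

```ruby
require "rubygems"

# Composer 2.4.0 introduced the audit and its --no-audit flag; 2.4.1 added COMPOSER_NO_AUDIT.
AUDIT_SINCE        = Gem::Version.new("2.4.0")
NO_AUDIT_ENV_SINCE = Gem::Version.new("2.4.1")

def composer_version(str)
  Gem::Version.new(str.sub(/\Av/, ""))
end

# Environment and argv for `composer update` with the advisory lookup disabled.
# The flag is only passed on 2.4+ because earlier releases reject unknown options;
# the env var is ignored by releases that predate it, so it is always set.
def composer_update_command(version_str, project_dir, extra_args: [])
  version = composer_version(version_str)
  env  = { "COMPOSER_NO_AUDIT" => "1" }
  argv = ["composer", "update", "--no-interaction", "--working-dir=#{project_dir}", *extra_args]
  argv << "--no-audit" if version >= AUDIT_SINCE
  [env, argv]
end

# Would this invocation make Composer query the Packagist advisory API?
# Assumption: any non-empty COMPOSER_NO_AUDIT value disables the audit (2.4.1+).
def audit_would_run?(version_str, argv, env = {})
  version = composer_version(version_str)
  return false if version < AUDIT_SINCE
  return false if argv.include?("--no-audit")
  return false if version >= NO_AUDIT_ENV_SINCE && !env["COMPOSER_NO_AUDIT"].to_s.empty?
  case argv[1]
  when "update"  then true                      # audits by default once the update is done
  when "install" then argv.include?("--audit")  # only when explicitly requested
  else false
  end
end

if $PROGRAM_NAME == __FILE__
  env, argv = composer_update_command("2.4.1", "/tmp/project")
  puts "#{env.map { |k, v| "#{k}=#{v}" }.join(" ")} #{argv.join(" ")}"
  puts "audit would run: #{audit_would_run?("2.4.1", argv, env)}"
end
```

The returned pair is in the shape `Open3.capture3(env, *argv)` or `system(env, *argv)` accept, so the env var travels with the process rather than leaking into the parent. `audit_would_run?` is the guard to put in front of the spawn if the policy is "never reach Packagist from this step".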

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Sep 19, 2022

A newer version of composer/composer exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@jeffwidman
Member

@dependabot recreate

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Jan 5, 2023

Superseded by #6385.

@dependabot dependabot bot closed this Jan 5, 2023
@dependabot dependabot bot deleted the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch January 5, 2023 22:26
@jeffwidman jeffwidman restored the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch January 23, 2023 23:58
@jeffwidman jeffwidman reopened this Jan 23, 2023
@jeffwidman jeffwidman closed this Jan 24, 2023
@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Jan 24, 2023

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@jeffwidman jeffwidman deleted the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch January 24, 2023 00:07
@jeffwidman jeffwidman restored the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch January 24, 2023 04:30
@jeffwidman jeffwidman reopened this Jan 24, 2023
@jeffwidman jeffwidman force-pushed the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch from e835fc8 to fdea14f Compare January 24, 2023 05:57
Bumps [composer/composer](https://github.com/composer/composer) from 2.3.9 to 2.4.1.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.3.9...2.4.1)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@jeffwidman jeffwidman force-pushed the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch from fdea14f to e952560 Compare January 24, 2023 05:58
@jeffwidman jeffwidman merged commit 572b08e into main Jan 24, 2023
@jeffwidman jeffwidman deleted the dependabot/composer/composer/helpers/v2/composer/composer-2.4.1 branch January 24, 2023 07:16