Skip to content

Bump composer/composer from 2.9.7 to 2.10.0 in the composer group across 1 directory#439

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/composer/composer-bbc79bbd8a
Open

Bump composer/composer from 2.9.7 to 2.10.0 in the composer group across 1 directory#439
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/composer/composer-bbc79bbd8a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026
edited
Loading

Bumps the composer group with 1 update in the / directory: composer/composer.

Updates composer/composer from 2.9.7 to 2.10.0

Release notes

Sourced from composer/composer's releases.

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

Full Changelog: composer/composer@2.9.8...2.10.0

2.10.0-RC2

Composer 2.10 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.10.0-RC2
  • Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke.
  • Report any issues you encounter as a new issue specifying you tried the 2.10 RC and please include stack traces & repro details.

Full Changelog

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.0] 2026-05-28

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)

[2.9.8] 2026-05-13

Commits
  • c13824d Release 2.10.0
  • 02449ad Update changelog
  • 502e66a Relax token validation on input, and hide more things on output (#12886)
  • 4f95709 Merge pull request #12874 from cs278/patch-1
  • b902ec8 Merge pull request #12885 from Seldaek/source-fallback-disable
  • 2fc4bee Add deprecated flag
  • 54b78ad Merge pull request #12884 from Seldaek/schemefixes
  • 5413c3c Use 'dependency policy' terminology in docs and user-facing output, drop audi...
  • f240bbe audit cmd: remove --filtered option, change status code to 0/1
  • 624acb6 Use 'dependency policy' terminology in docs and user-facing output
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 19, 2026
@dependabot
Bump composer/composer in the composer group across 1 directory
61a723c 
Bumps the composer group with 1 update in the / directory: [composer/composer](https://github.com/composer/composer).


Updates `composer/composer` from 2.9.7 to 2.10.0
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.7...2.10.0)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.9.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump composer/composer from 2.9.7 to 2.9.8 in the composer group across 1 directory Bump composer/composer from 2.9.7 to 2.10.0 in the composer group across 1 directory May 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/composer/composer-bbc79bbd8a branch from fe35a54 to 61a723c Compare May 28, 2026 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants