Sourced from composer/composer's releases.

2.7.0

- Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
- Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
- Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
- Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
- Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
- Added severity information to audit command output (#11702)
- Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
- Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
- Added support for wildcards in outdated's --ignore arg (#11831)
- Added support for bump command bumping * to >=current version (#11694)
- Added detection of constraints that cannot possibly match anything to validate command (#11829)
- Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
- Added audit of Composer's own bundled dependencies in diagnose command (#11761)
- Added GitHub token expiration date to diagnose command output (#11688)
- Added non-zero status code to why/why-not commands (#11796)
- Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
- Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
- Fixed bump command not bumping packages required with a v prefix (#11764)
- Fixed automatic disabling of plugins when running non-interactive as root
- Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
- Fixed require command crashing at the end if no lock file is present (#11814)
- Fixed root aliases causing problems when auditing locked dependencies (#11771)
- Fixed handling of versions with 4 components in require command (#11716)
- Fixed compatibility issues with Symfony 7
- Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
- Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

2.6.6

Sourced from composer/composer's changelog.

[2.7.0] 2024-02-08

- Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
- Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
- Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
- Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
- Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
- Added severity information to audit command output (#11702)
- Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
- Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
- Added support for wildcards in outdated's --ignore arg (#11831)
- Added support for bump command bumping * to >=current version (#11694)
- Added detection of constraints that cannot possibly match anything to validate command (#11829)
- Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
- Added audit of Composer's own bundled dependencies in diagnose command (#11761)
- Added GitHub token expiration date to diagnose command output (#11688)
- Added non-zero status code to why/why-not commands (#11796)
- Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
- Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
- Fixed bump command not bumping packages required with a v prefix (#11764)
- Fixed automatic disabling of plugins when running non-interactive as root
- Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
- Fixed require command crashing at the end if no lock file is present (#11814)
- Fixed root aliases causing problems when auditing locked dependencies (#11771)
- Fixed handling of versions with 4 components in require command (#11716)
- Fixed compatibility issues with Symfony 7
- Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
- Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

[2.6.6] 2023-12-08

- 96d107e Release 2.7.0
- eea73da Update changelog
- 64e4eb3 Merge pull request from GHSA-7c6p-848j-wh5h
- 7442981 Add flag alias to docs
- 7a6bb18 Adds a test for no dev (#11833)
- 67d80e1 Fix php7.2
- df8f9f0 Update tests
- 754f286 Add non-zero return codes when why-not finds a reason a package is not instal...
- 7cb92a9 Introduce COMPOSER_AUDIT_ABANDONED env var (#11794)
- e0807d3 Diagnose command: Add GitHub OAuth token expiration date information (#11688)