[SECURITY] Update composer/composer from 2.6.4 to 2.7.1 #470
If you have a high test coverage index, and your tests for this pull request are passing, it should be both safe and recommended to merge this update.
Updated packages
Sometimes an update also needs new or updated dependencies to be installed. Even if this branch is for updating one dependency, it might contain other installs or updates. All of the updates in this branch can be found here:
Release notes
Here are the release notes for all versions released between your current running version, and the version this PR updates the package to.
List of release notes
Changed files
Here is a list of changed files between the version you use, and the version this pull request updates to:
List of changed files
Changelog
Here is a list of changes between the version you use, and the version this pull request updates to:
Release 2.7.1
Update changelog
Makes note appear in a note section. (#11844)
Also output root plugin warning after script execution errors
Repositories docs reference (#11840)
Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 (#11842)
Update plugins api version in docs
Fix diagnose auditing of composer dependencies in phar files
Reverting release version changes
Release 2.7.0
Update changelog
Merge pull request from GHSA-7c6p-848j-wh5h
Add flag alias to docs
Adds a test for no dev (#11833)
Fix php7.2
Update tests
Add non-zero return codes when why-not finds a reason a package is not installable, or when why finds no reason it is there, fixes #11796
Introduce COMPOSER_AUDIT_ABANDONED env var (#11794)
Diagnose command: Add GitHub OAuth token expiration date information (#11688)
Update jsonlint
test: Covers audit of pkg with no sec advisories (#11789)
Fix root aliases causing problems when auditing locked dependencies, fixes #11771
Add more details to event debug output, refs #11818
Add arguments to command call output (#11826)
Update deps, fixes #11801
Bump actions/cache from 3 to 4 (#11807)
chore(doc): add _comment documentation inside composer.json schema (#11825)
Do not show error that plugins have been disabled when they are already disabled (#11803)
ValidatingArrayLoader: fix link validation with missing name (#11830)
Add support for wildcards in outdated's --ignore arg, fixes #11831
issue #11811 auth token links on separate lines (#11812)
Fix require command crashing at the end if no lock file is present, fixes #11814
Update require docs, fixes #11823
Add detection of constraints which do not match anything in validate command, fixes #11802 (#11829)
Update plugin documentation (#11813)
Merge branch '2.6'
Fix automatic disabling of plugins when running non-interactive as root
Merge branch '2.6'
Fix type error
Merge branch '2.6'
Only include installed versions class when plugins and scripts are allowed, as it is not needed otherwise
Emit warning instead of crashing on invalid security advisory API response, fixes #11767
Ensure repos declaring security-advisories have at least an API or a restricted set of packages to avoid too many wasteful requests
Add IPv4 fallback on connection timeout, and adds COMPOSER_IPRESOLVE env var (#11791)
Merge remote-tracking branch 'origin/2.6'
Ensure we respect available-package-patterns and available-packages directives when fetching security advisories, fixes #11704 (#11773)
Add error when composer show --direct <transient-dependency> is used to show a dependency which is not direct, fixes #11728
:facepalm:
Only override dist url if it is not handled gracefully already
Fix build
Ensure dist url/type/checksum remain the same when doing lock hash updates, refs #11787
Sync up docs from command, fixes #11787
Update 01-basic-usage.md (#11788)
Merge branch '2.6'
Update deps
Add COMPOSER_FUND=0 env var to disable calls for funding (#11779)
Fix support for versions with 4 components in VersionSelector, fixes #11716
Fix warnings incorrectly being shown when using require with upper bound ignored on platform requirements, fixes #11722 (#11786)
Add support for combining show --self with --installed or --locked (#11785)
Adds a test for invalid arg combo (#11783)
[11744] handle missing hyphen when attempting to run self-update… (#11775)
Fix PackageInterface parameter comments (#11777)
Perform audit on Composer and its dependencies during diagnose, fixes #11216 (#11761)
Check for non-platform requirements before warning that no deps are installed on show command, fixes #11760
Exposing GitLab's project metadata (#11734)
Fix typo in composer-platform-dependencies.md (#11757)
Add --sort-by-age to show/outdated commands, and also release date for latest package in --latest mode (#11762)
Fix minor error msg issue
Audit: add severity to plain and table output (#11702)
Show package source in very verbose updates, fixes #11733 (#11763)
Fix bump command not bumping versions with a v prefix e.g. ^v2.4, fixes #11723 (#11764)
Update baseline
Ensure composer.json gets deleted after a dry run require, fixes #11747
Make wildcard path repos more visible in docs, fixes #11732
Bump actions/stale from 8 to 9 (#11753)
Switch default audit.abandoned to fail for 2.7 release
Update baseline (1681, 92)
Merge branch '2.6'
Update deps
Merge branch '2.6'
Reverting release version changes
Release 2.6.6
Update changelog
Adds a test for UpdateCommand (#11724)
Bump actions/github-script from 6 to 7 (#11718)
GH Actions: update the CI workflow for the release of PHP 8.3 (#11726)
Update 01-basic-usage.md (#11729)
"URL" in caps (#11706)
Add support for "scripts-aliases" in composer.json (#11666)
Merge branch '2.6'
Update lock hash
Display error instead of throwing exception when unable to update with temporary constraint (#11692)
Fix build on 2.6
Suggest running 'require' not 'update' if a root req fails to update (#11691)
Fix Git Driver to use supported Git VCS driver URL
Add --minimal-changes mode to perform partial updates --with-dependencies while changing only what is necessary in other dependencies (#11665)
Bump wildcard constraints to >=current (#11694)
Fix lock file
Bump dev version to 2.7, fix issues with symfony 7
Update deps
Use global constant if available for libpq version (#11684)
10796 Increase coverage of ShowCommand (#11677)
Reverting release version changes
Release 2.6.5
Update changelog
chore: remove composer.lock from .gitattributes (#11674)
Fix error when vendor dir contains broken symlinks (#11670)
Fix autoload generator dump() non-BC signature change in 2.6.4
Reverting release version changes
This is an automated pull request from Violinist: Continuously and automatically monitor and update your composer dependencies. Have ideas on how to improve this message? All violinist messages are open-source, and can be improved here.