[SECURITY] Update composer/composer from 2.6.4 to 2.7.1 #470
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If you have a high test coverage index, and your tests for this pull request are passing, it should be both safe and recommended to merge this update.
Updated packages
Some times an update also needs new or updated dependencies to be installed. Even if this branch is for updating one dependency, it might contain other installs or updates. All of the updates in this branch can be found here:
Release notes
Here are the release notes for all versions released between your current running version, and the version this PR updates the package to.
List of release notes
Changed files
Here is a list of changed files between the version you use, and the version this pull request updates to:
List of changed files
Changelog
Here is a list of changes between the version you use, and the version this pull request updates to:
Release 2.7.1Update changelogMakes note appear in a note section. (#11844)Also output root plugin warning after script execution errorsRepositories docs reference (#11840)Output more warnings about plugins being disabled to hint that it may cause problems, fixes #11839 (#11842)Update plugins api version in docsFix diagnose auditing of composer dependencies in phar filesReverting release version changesRelease 2.7.0Update changelogMerge pull request from GHSA-7c6p-848j-wh5hAdd flag alias to docsAdds a test for no dev (#11833)Fix php7.2Update testsAdd non-zero return codes when why-not finds a reason a package is not installable, or when why finds no reason it is there, fixes #11796Introduce COMPOSER_AUDIT_ABANDONED env var (#11794)Diagnose command: Add GitHub OAuth token expiration date information (#11688)Update jsonlinttest: Covers audit of pkg with no sec advisories (#11789)Fix root aliases causing problems when auditing locked dependencies, fixes #11771Add more details to event debug output, refs #11818Add arguments to command call output (#11826)Update deps, fixes #11801Bump actions/cache from 3 to 4 (#11807)chore(doc): add_commentdocumentation insidecomposer.jsonschema (#11825)Do not show error that plugins have been disabled when they are already disabled (#11803)ValidatingArrayLoader: fix link validation with missing name (#11830)Add support for wildcards in outdated's --ignore arg, fixes #11831issue #11811 auth token links on separate lines (#11812)Fix require command crashing at the end if no lock file is present, fixes #11814Update require docs, fixes #11823Add detection of constraints which do not match anything in validate command, fixes #11802 (#11829)Update plugin documentation (#11813)Merge branch '2.6'Fix automatic disabling of plugins when running non-interactive as rootMerge branch '2.6'Fix type errorMerge branch '2.6'Only include installed versions class when plugins and scripts are allowed, as it is not needed otherwiseEmit warning instead of crashing on invalid security advisory API response, fixes #11767Ensure repos declaring security-advisories have at least an API or a restricted set of packages to avoid too many wasteful requestsAdd IPv4 fallback on connection timeout, and adds COMPOSER_IPRESOLVE env var (#11791)Merge remote-tracking branch 'origin/2.6'Ensure we respect available-package-patterns and available-packages directives when fetching security advisories, fixes #11704 (#11773)Add error when composer show --direct <transient-dependency> is used to show a dependency which is not direct, fixes #11728:facepalm:Only override ist url if it is not handled gracefully alreadyFix buildEnsure dist url/type/checksum remain the same when doing lock hash updates, refs #11787Sync up docs from command, fixes #11787Update 01-basic-usage.md (#11788)Merge branch '2.6'Update depsAdd COMPOSER_FUND=0 env var to disable calls for funding (#11779)Fix support for versions with 4 components in VersionSelector, fixes #11716Fix warnings incorrectly being shown when using require with upper bound ignored on platform requirements, fixes #11722 (#11786)Add support for combining show --self with --installed or --locked (#11785)Adds a test for invalid arg combo (#11783)[11744] handle missing hyphen when attempting to run self-update… (#11775)Fix PackageInterface parameter comments (#11777)Perform audit on Composer and its dependencies during diagnose, fixes #11216 (#11761)Check for non-platform requirements before warning that no deps are installed on show command, fixes #11760Exposing GitLab's project metadata (#11734)Fix typo in composer-platform-dependencies.md (#11757)Add --sort-by-age to show/outdated commands, and also release date for latest package in --latest mode (#11762)Fix minor error msg issueAudit: add severity to plain and table output (#11702)Show package source in very verbose updates, fixes #11733 (#11763)Fix bump command not bumping versions with a v prefix e.g. ^v2.4, fixes #11723 (#11764)Update baselineEnsure composer.json gets deleted after a dry run require, fixes #11747Make wildcard path repos more visible in docs, fixes #11732Bump actions/stale from 8 to 9 (#11753)Switch default audit.abandoned to fail for 2.7 releaseUpdate baseline (1681, 92)Merge branch '2.6'Update depsMerge branch '2.6'Reverting release version changesRelease 2.6.6Update changelogAdds a test for UpdateCommand (#11724)Bump actions/github-script from 6 to 7 (#11718)GH Actions: update the CI workflow for the release of PHP 8.3 (#11726)Update 01-basic-usage.md (#11729)"URL" in caps (#11706)Add support for "scripts-aliases" in composer.json (#11666)Merge branch '2.6'Update lock hashDisplay error instead of throwing exception when unable to update with temporary constraint (#11692)Fix build on 2.6Suggest running 'require' not 'update' if a root req fails to update (#11691)Fix Git Driver to use supported Git VCS driver URLAdd --minimal-changes mode to perform partial updates --with-dependencies while changing only what is necessary in other dependencies (#11665)Bump wildcard constraints to >=current (#11694)Fix lock fileBump dev version to 2.7, fix issues with symfony 7Update depsUse global constant if available for libpq version (#11684)10796 Increase coverage of ShowCommand (#11677)Reverting release version changesRelease 2.6.5Update changelogchore: removecomposer.lockfrom.gitattributes(#11674)Fix error when vendor dir contains broken symlinks (#11670)Fix autoload generator dump() non-BC signature change in 2.6.4Reverting release version changesThis is an automated pull request from Violinist: Continuously and automatically monitor and update your composer dependencies. Have ideas on how to improve this message? All violinist messages are open-source, and can be improved here.