packagist composer/composer 2.10.0
on PHP Packagist

5 hours ago

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

Full Changelog: 2.9.8...2.10.0

Check out latest releases or
releases around composer/composer 2.10.0

Don't miss a new composer release

NewReleases is sending notifications on new releases.

Get notifications