Revisions of php-composer2
Ana Guerrero (anag+factory)
accepted
request 1149085
from
Petr Gajdos (pgajdos)
(revision 26)
- Updated composer2.phar to match upstream's sha256 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0 (forwarded request 1148935 from comrad)
Ana Guerrero (anag+factory)
accepted
request 1146367
from
Petr Gajdos (pgajdos)
(revision 25)
- version update to 2.7.1 [bsc#1219757] CVE-2024-24821
  2.7.1
  * Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
  * Fixed diagnose auditing of Composer dependencies failing when running from the phar
  2.7.0
  * Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
  * Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
  * Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
  * Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
  * Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
  * Added severity information to audit command output (#11702)
  * Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
  * Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
  * Added support for wildcards in outdated's --ignore arg (#11831)
  * Added support for bump command bumping * to >=current version (#11694)
  * Added detection of constraints that cannot possibly match anything to validate command (#11829)
  * Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
  * Added audit of Composer's own bundled dependencies in diagnose command (#11761)
  * Added GitHub token expiration date to diagnose command output (#11688)
  * Added non-zero status code to why/why-not commands (#11796)
  * Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
  * Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
  * Fixed bump command not bumping packages required with a v prefix (#11764)
Ana Guerrero (anag+factory)
accepted
request 1117489
from
Petr Gajdos (pgajdos)
(revision 24)
Updates php-composer to version 2.6.5. (forwarded request 1117487 from Ishwon)
Ana Guerrero (anag+factory)
accepted
request 1114950
from
Petr Gajdos (pgajdos)
(revision 23)
- version update to 2.6.4
  * 2.6.4 2023-09-29 [bsc#1215859]
    - Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
    - Fixed json output of abandoned packages in audit command (#11647)
    - Performance improvement in pool optimization step (#11638)
    - Performance improvement in show -a <packagename> (#11659)
  * 2.6.3 2023-09-15
    - Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
    - Added a warning when duplicates files autoload rules are detected (#11109)
    - Fixed unhandled promise rejection regression (#11620)
    - Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
    - Fixed archive command not producing the correct output if the temp dir is a symlink (#11636)
    - Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
  * 2.6.2 2023-09-03
    - Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them, they are now more transparent (#11562)" which caused a regression (#11617)
    - Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit audits with require, create-project or update commands (#11616)
    - Fixed create-project infinite post-install loop in some circumstances (#11613)
  * 2.6.1 2023-09-01
    - Reverted "Fixed executability of non-php binaries which are not marked executable (#11557)" which caused a regression (#11612)
  * 2.6.0 2023-09-01
    - Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
    - Added rm alias to the remove command (#11367)
    - Added runtime platform check to verify the php-64bit requirement is met (#11334)
    - Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
    - Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying
(forwarded request 1114790 from pgajdos)
Ana Guerrero (anag+factory)
accepted
request 1112968
from
Petr Gajdos (pgajdos)
(revision 22)
* [bsc#1198494]
Ana Guerrero (anag+factory)
accepted
request 1105263
from
Petr Gajdos (pgajdos)
(revision 21)
- Update to version 2.5.8
  * Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
  * Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
  * Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
  * Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
  * Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
  * BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
  * Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
  * Fixed lock file verification on install to deal better with replace/provide (#11475)
  * Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
  * Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
  * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  * Fixed support for plugin classes being marked as readonly (#11404)
  * Fixed getmypid being required as it is not always available (#11401)
  * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
(forwarded request 1101051 from Ishwon)
Dominique Leuenberger (dimstar_suse)
accepted
request 1075002
from
Factory Maintainer (factory-maintainer)
(revision 20)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1067188
from
Factory Maintainer (factory-maintainer)
(revision 19)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1064394
from
Factory Maintainer (factory-maintainer)
(revision 18)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1045982
from
Factory Maintainer (factory-maintainer)
(revision 17)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1033851
from
Yunhe Guo (guoyunhe)
(revision 16)
- Update to version 2.4.4
  * Added extra debug output when a zip extraction fails while on GitHub Actions (#11148)
  * Fixed cache write failures when the cache dir gets removed during a composer run (#11076)
  * Fixed 2.4.3 regression in loading Composer on SMB/network shares (#11077)
  * Fixed --dry-run flag missing from bump command (#11047)
  * Fixed status command reporting differences when the source ref is a tag (#11155)
  * Fixed outdated command outputting legend on stdout instead of stderr
  * Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)
- Update to version 2.4.3
  * BC Break: The json format of audit command now has reportedAt as an RFC3339 string instead of an object which was a mistake (#11120)
  * Fixed json format of audit command which was missing affectedVersions (#11120)
  * Fixed plugin commands not being loaded during bash completions (#11074)
  * Fixed parsing of inline aliases within complex constraints with || or , (#11086)
  * Fixed min-php version check in autoload.php to avoid crashing sites running on PHP 5.5 or below silently with a 200 (#11091)
  * Fixed JsonFile reading files without checking if they are readable first (#11077)
  * Fixed require command with --dry-run failing when requiring a package requiring stability flag extraction (#11112)
Dominique Leuenberger (dimstar_suse)
accepted
request 1007510
from
Factory Maintainer (factory-maintainer)
(revision 15)
Automatic submission by obs-autosubmit
Richard Brown (RBrownFactory)
accepted
request 990767
from
Factory Maintainer (factory-maintainer)
(revision 14)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 986327
from
Yunhe Guo (guoyunhe)
(revision 13)
- Update to version 2.3.8
  * Fixed support for cache-read-only where the filesystem is not writable (#10906)
  * Fixed type error when using allow-plugins: true (#10909)
  * Fixed @putenv scripts receiving arguments passed to the command (#10846)
  * Fixed support for spaces in paths with binary proxies on Windows (#10836)
  * Fixed type error in GitDownloader if branches cannot be listed (#10888)
  * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
  * Fixed type errors (#10904, #10897)
Dominique Leuenberger (dimstar_suse)
accepted
request 983561
from
Factory Maintainer (factory-maintainer)
(revision 12)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 981493
from
Илья Индиго (13ilya)
(revision 11)
- Update to version 2.3.6
  * Added Composer\PHPStan\ConfigReturnTypeExtension to improve return types of Config::get() which you can also use in plugins CI (#10635)
  * Fixed name validation regex in schema causing issues with JS IDEs like VS Code (#10811)
  * Fixed unnecessary HTTP request in BitbucketDriver (#10729)
  * Fixed invalid credentials loop when setting up GitLab token (#10748)
  * Fixed PHP 8.2 deprecations (#10766)
  * Fixed lock file changes being output even when the lock file creation is disabled
  * Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)
  * Fixed quoting of commas on Windows (#10775)
  * Fixed issue installing path repos with a disabled symlink function (#10786)
  * Fixed various type errors (#10753, #10739, #10751)
Dominique Leuenberger (dimstar_suse)
accepted
request 975329
from
Petr Gajdos (pgajdos)
(revision 10)
Update to version 2.3.5 for CVE-2022-24828 (forwarded request 975231 from susnux)
Dominique Leuenberger (dimstar_suse)
accepted
request 968123
from
Factory Maintainer (factory-maintainer)
(revision 9)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 957971
from
Petr Gajdos (pgajdos)
(revision 8)
- Update to version 2.2.7
  * Fixed support for packages with no licenses in licenses command output
  * Fixed handling of allow-plugins: false which kept warning
  * Fixed enum parsing in classmap generation when the enum keyword is not lowercased
  * Fixed author parsing in init command requiring an email whereas the schema allows a name only
  * Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require)
  * Performance improvement in pool optimization step
(forwarded request 957604 from susnux)
Dominique Leuenberger (dimstar_suse)
accepted
request 957682
from
Factory Maintainer (factory-maintainer)
(revision 7)
Automatic submission by obs-autosubmit
Displaying revisions 1 - 20 of 26