Skip to content

chore(deps): bump composer/composer from 2.9.8 to 2.10.2#6920

Open
dependabot[bot] wants to merge 1 commit into
4.4from
dependabot/composer/composer/composer-2.10.2
Open

chore(deps): bump composer/composer from 2.9.8 to 2.10.2#6920
dependabot[bot] wants to merge 1 commit into
4.4from
dependabot/composer/composer/composer-2.10.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bumps composer/composer from 2.9.8 to 2.10.2.

Release notes

Sourced from composer/composer's releases.

2.10.2

  • Security: Validate package names (GHSA-499r-g7pc-vmp9 / CVE-2026-59948)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx / CVE-2026-59946)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3 / CVE-2026-59947)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

Full Changelog: composer/composer@2.10.1...2.10.2

2.10.1

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

Full Changelog: composer/composer@2.10.0...2.10.1

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Optimized classmap dumping performance
  • Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.2] 2026-07-01

  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in http responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)

[2.10.1] 2026-06-04

  • Security: Fixed shell escaping when opening an editor (#12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#12907)

[2.10.0] 2026-05-28

  • BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

  • Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
  • Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
  • Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
  • Enabled blocking of malware packages at install time by default
  • Fixed --no-plugins handling regression (#12789)
  • Fixed regression in startup performance when many scripts are defined (#12832)
  • Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)

... (truncated)

Commits
  • 8d4439f Release 2.10.2
  • 79d92f0 Update changelog
  • 8887ad7 Merge commit from fork
  • 502c6c4 Merge commit from fork
  • 145e74d Update deps
  • e42b4f1 Retry downloads failing with HTTP 400 on a fresh connection (#12962)
  • 8c3eba8 Add basic command level telemetry (#12952)
  • c5f92a0 Bump actions/checkout from 6.0.3 to 7.0.0 (#12949)
  • b7c4e39 Sanitize JSON parse errors in Http\Response to avoid leaking response bodies ...
  • 6665153 Add VersionsTest for self update behavior
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Jul 12, 2026
@dependabot dependabot Bot changed the title chore(deps): bump composer/composer from 2.9.8 to 2.10.2 chore(deps): Bump composer/composer from 2.9.8 to 2.10.2 Jul 15, 2026
@dependabot
dependabot Bot force-pushed the dependabot/composer/composer/composer-2.10.2 branch from 05f0706 to 6278ccb Compare July 15, 2026 07:16
Bumps [composer/composer](https://github.com/composer/composer) from 2.9.8 to 2.10.2.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.8...2.10.2)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): Bump composer/composer from 2.9.8 to 2.10.2 chore(deps): bump composer/composer from 2.9.8 to 2.10.2 Jul 16, 2026
@dependabot
dependabot Bot force-pushed the dependabot/composer/composer/composer-2.10.2 branch from 6278ccb to 50f4216 Compare July 16, 2026 02:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update Php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants