2.5.6

• BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
• Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
• Fixed lock file verification on install to deal better with replace/provide (#11475)
• Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
• Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755)
• Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
• Fixed support for plugin classes being marked as readonly (#11404)
• Fixed getmypid being required as it is not always available (#11401)
• Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)

2.5.5

• Fixed basic auth failures resulting in infinite retry loop (#11320)
• Fixed GitHub rate limit reporting (#11366)
• Fixed InstalledVersions error in Composer 1 compatibility edge case (#11304)
• Fixed issue displaying solver problems with branch names containing % signs (#11359)
• Fixed race condition in cache validity detection when running Composer highly concurrently (#11375)
• Fixed various minor config command issues (#11353, #11302)

2.5.4

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11318)

2.2.21

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)

2.5.3

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)

2.2.20

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)

2.5.2

• Added warning when require auto-selects a feature branch as that is probably not desired (#11270)
• Fixed self.version requirements reporting lock file integrity errors when changing branches (#11283)
• Fixed require regression which broke the --fixed flag (#11247)
• Fixed security audit reports loading when exclude/only filter rules are used on a repository (#11281)
• Fixed autoloading regression on PHP 5.6 (#11285)
• Fixed archive command including an existing archive into itself if run repeatedly (#11239)
• Fixed dev package prompt in require not appearing in some conditions (#11287)

2.2.19

• Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)
• Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)
• Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)
• Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0

2.5.1

• Fixed ClassLoader regression which made it fail if serialized (e.g. within PHPUnit process isolation) (#11237)
• Fixed preg type error in svn version guessing (#11231)

2.5.0

• BC Warning: To prevent abuse of our includeFile() function it is now gone, it was not part of the official API but may still cause issues if some code incorrectly relied on it (#11015)
• Improved version guessing of require command to use the dependency resolution result instead of using the latest available version (except if you run with --no-update) (#11160)
• Improved version selection in archive command (#11230)
• Added hard failure when installing from a lock file which does not satisfy the composer.json requirements (#11195)
• Added autocompletion of config option names in the config command (#11130)
• Added support for writing custom commands as Command classes (#11151)
• Added warning when the outdated command rejects a new package due to unmet platform requirements (#11113)
• Added support for bump command to bump >=x to >=installed-version (#11179)
• Added --download-only flag to install command to only download and prime the cache with the package archives (#11041)
• Added autoconfiguration of github-domains/gitlab-domains when GitHub/GitLab credentials are configured for a custom domain (#11062)
• Added hard failure (throw) if COMPOSER_AUTH is present and malformed JSON (#11085)
• Added interactive prompt to run-script and exec commands if run without any argument (#11157)
• Added interactive prompt where to store credentials when a project-local auth.json exists (#11188)
• Fixed full disk warning to be shown when less than 100MiB is available (#11190)
• Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)
• Fixed docker compatibility by making paths more portable even if the project is installed at / (#11169)