2.2.0

Read the Composer 2.2 Release Announcement for more details on the release highlights.

Complete Changelog

• Bumped composer-runtime-api and composer-plugin-api to 2.2.0
• UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
• Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
• Added a global $_composer_autoload_path variable containing the path to autoload.php for binaries (#10137)
• Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
• Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
• Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
• Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
• Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
• Added a --source flag to config command to show where config values are loaded from (#10129)
• Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
• Added retry behavior on certain http status and curl error codes (#10162)
• Added abandoned flag display in search command output
• Added support for --ignore-platform-reqs in outdated command (#10293)
• Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
• Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
• Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
• Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
• Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
• Fixed unlocking of replacers when a replaced package is unlocked (#10280)
• Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
• Fixed handling of recursive package links (e.g. requiring or replacing oneself)
• Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
• Fixed archive command to produce archives with files sorted by name (#10274)
• Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
• Fixed self-update failing in some edge cases due to loading plugins (#10371)
• Fixed display of conflicts showing the wrong package name in some conditions (#10355)
• Fixed some error reporting issues (#10283, #10339)

1.10.24

• Added v1 deprecation warning when running install. Please make sure you upgrade to Composer 2, see https://blog.packagist.com/deprecating-composer-1-support/
• Fixed PHP 8.1 compatibility
• Fixed some more Windows CLI parameter escaping edge cases

2.2.0-RC1

Composer 2.2 will be LTS

Read more about the LTS plan and PHP version support in the upcoming Composer 2.3 if you're using a legacy PHP version.

Try it out now and get ready for the upcoming stable release

• Use composer self-update --preview to try the latest prerelease version.
• Use composer self-update --stable to go back to stable releases.

Changelog

• Bumped composer-runtime-api and composer-plugin-api to 2.2.0
• UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
• Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
• Added a global $_composer_autoload_path variable containing the path to autoload.php for binaries (#10137)
• Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
• Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
• Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
• Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
• Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
• Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
• Added a --source flag to config command to show where config values are loaded from (#10129)
• Added retry behavior on certain http status and curl error codes (#10162)
• Added abandoned flag display in search command output
• Added support for --ignore-platform-reqs in outdated command (#10293)
• Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
• Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
• Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
• Fixed unlocking of replacers when a replaced package is unlocked (#10280)
• Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
• Fixed handling of recursive package links (e.g. requiring or replacing oneself)
• Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
• Fixed archive command to produce archives with files sorted by name (#10274)
• Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
• Fixed some error reporting issues (#10283, #10339)

2.1.14

• Fixed invalid release build (2.1.13 was deleted as invalid)
• Removed symfony/console ^6 support as we cannot be compatible until Composer 2.3.0 is released. If you have issues with Composer required as a dependency + Symfony make sure you stay on Symfony 5.4 for now. (#10321)

2.1.12

• Fixed issues in proxied binary files relying on __FILE__ / __DIR__ on php <8 (#10261)
• Fixed 9999999-dev being shown in some cases by the show command (#10260)
• Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)

2.1.11

• Fixed issues in proxied binary files when using declare() on php <8 (#10249)
• Fixed GitHub Actions output escaping issues (#10243)

2.1.10

• Added type annotations to all classes, which may have an effect on CI/static analysis for people using Composer as a dependency (#10159)
• Fixed CurlDownloader requesting gzip encoding even when no gzip support is present (#10153)
• Fixed regression in 2.1.6 where the help command was not working for plugin commands (#10147)
• Fixed warning showing when an invalid cache dir is configured but unused (#10125)
• Fixed require command reverting changes even though dependency resolution succeeded when something fails in scripts for example (#10118)
• Fixed require not finding the right package version when some newly required extension is missing from the system (#10167)
• Fixed proxied binary file issues, now using output buffering (e1dbd65)
• Fixed and improved error reporting in several edge cases (#9804, #10136, #10163, #10224, #10209)
• Fixed some more Windows CLI parameter escaping edge cases

2.1.9

• Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)
• Fixed classmap parsing with a new class parser which does not rely on regexes anymore (#10107)
• Fixed inline git credentials showing up in output in some conditions (#10115)
• Fixed support for running updates while offline as long as the cache contains enough information (#10116)
• Fixed show --all foo/bar which as of 2.0.0 was not showing all versions anymore but only the installed one (#10095)
• Fixed VCS repos ignoring some versions silently when the API rate limit is reached (#10132)
• Fixed CA bundle to remove the expired Let's Encrypt root CA

1.10.23

• Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)

2.1.8

• Fixed regression in 2.1.7 when parsing classmaps in files containing invalid Unicode (#10102)