- Updated composer2.phar to match upstreams sha256 1ffd0be3f27e237b1ae47f9e8f29f96ac7f50a0bd9eef4f88cdbe94dd04bfff0 (forwarded request 1148935 from comrad)

• Files Changed
• Browse Source

- version update to 2.7.1 [bsc#1219757] CVE-2024-24821
  2.7.1
  * Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
  *  Fixed diagnose auditing of Composer dependencies failing when running from the phar
  2.7.0
  * Security: Fixed code execution and possible privilege escalation via compromised
    vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
  * Changed the default of the audit.abandoned config setting to fail, set it to report or
    ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
  * Added --minimal-changes (-m) flag to update/require/remove commands to perform
    partial update with --with-dependencies while changing only what is absolutely
    necessary in transitive dependencies (#11665)
  * Added --sort-by-age (-A) flag to outdated/show commands to allow
     sorting by and displaying the release date (most outdated first) (#11762)
  * Added support for --self combined with --installed or --locked in show command, to
    add the root package to the package list being output (#11785)
  * Added severity information to audit command output (#11702)
  * Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
  * Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force
    IPv4 or IPv6, set it to 4 or 6 (#11791)
  * Added support for wildcards in outdated's --ignore arg (#11831)
  * Added support for bump command bumping * to >=current version (#11694)
  * Added detection of constraints that cannot possibly match anything to validate command (#11829)
  * Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
  * Added audit of Composer's own bundled dependencies in diagnose command (#11761)
  * Added GitHub token expiration date to diagnose command output (#11688)
  * Added non-zero status code to why/why-not commands (#11796)
  * Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
  * Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
  * Fixed bump command not bumping packages required with a v prefix (#11764)

• Files Changed
• Browse Source

Updates php-composer to version 2.6.5. (forwarded request 1117487 from Ishwon)

• Files Changed
• Browse Source

- version update to 2.6.4
  * 2.6.4 2023-09-29 [bsc#1215859]
    - Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible,
      executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
    - Fixed json output of abandoned packages in audit command (#11647)
    - Performance improvement in pool optimization step (#11638)
    - Performance improvement in show -a <packagename> (#11659)
  * 2.6.3 2023-09-15
    - Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future
      default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
    - Added a warning when duplicates files autoload rules are detected (#11109)
    - Fixed unhandled promise rejection regression (#11620)
    - Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
    - Fixed archive command not producing the correct output if the temp dir is a symlink (#11636)
    - Fixed some replaced packages being incorrectly missing when unlocked in a partial update (#11629)
  * 2.6.2 2023-09-03
    - Reverted "Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them,
      they are now more transparent (#11562)" which caused a regression (#11617)
    - Fixed non-zero exit code on failed audits to only apply to install --audit runs and not implicit
      audits with require, create-project or update commands (#11616)
    - Fixed create-project infinite post-install loop in some circumstances (#11613)
  * 2.6.1 2023-09-01
    - Reverted "Fixed executability of non-php binaries which are not marked executable (#11557)" which
      caused a regression (#11612)
  * 2.6.0 2023-09-01
    - Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
    - Added rm alias to the remove command (#11367)
    - Added runtime platform check to verify the php-64bit requirement is met (#11334)
    - Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
    - Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying (forwarded request 1114790 from pgajdos)

• Files Changed
• Browse Source

  * [bsc#1198494]

• Files Changed
• Browse Source

- Update to version 2.5.8
  * Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
  * Fixed EventDispatcher on windows picking bat files when using "@php binary" (#11490)
  * Fixed ICU CLDR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
  * Fixed type declarations on ClassLoader (#11500)
- Update to version 2.5.7
  * Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)
- Update to version 2.5.6
  * BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
  * Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
  * Fixed lock file verification on install to deal better with replace/provide (#11475)
  * Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
  * Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755a08)
  * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  * Fixed support for plugin classes being marked as readonly (#11404)
  * Fixed getmypid being required as it is not always available (#11401)
  * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464) (forwarded request 1101051 from Ishwon)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to version 2.4.4
  * Added extra debug output when a zip extraction fails while on
    GitHub Actions (#11148)
  * Fixed cache write failures when the cache dir gets removed during
    a composer run (#11076)
  * Fixed 2.4.3 regression in loading Composer on SMB/network shares
    (#11077)
  * Fixed --dry-run flag missing from bump command (#11047)
  * Fixed status command reporting differences when the source ref is
    a tag (#11155)
  * Fixed outdated command outputting legend on stdout instead of stderr
  * Fixed URL sanitizer to handle new GitHub personal access tokens
    format (#11137)
- Update to version 2.4.3
  * BC Break: The json format of audit command now has reportedAt as an
    RFC3339 string instead of an object which was a mistake (#11120)
  * Fixed json format of audit command which was missing affectedVersions
    (#11120)
  * Fixed plugin commands not being loaded during bash completions
    (#11074)
  * Fixed parsing of inline aliases within complex constraints with
    || or , (#11086)
  * Fixed min-php version check in autoload.php to avoid crashing sites
    running on PHP 5.5 or below silently with a 200 (#11091)
  * Fixed JsonFile reading files without checking if they are readable
    first (#11077)
  * Fixed require command with --dry-run failing when requiring a package
    requiring stability flag extraction (#11112)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to version 2.3.8
  * Fixed support for cache-read-only where the filesystem is not writable (#10906)
  * Fixed type error when using allow-plugins: true (#10909)
  * Fixed @putenv scripts receiving arguments passed to the command (#10846)
  * Fixed support for spaces in paths with binary proxies on Windows (#10836)
  * Fixed type error in GitDownloader if branches cannot be listed (#10888)
  * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
  * Fixed type errors (#10904, #10897)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to version 2.3.6
  * Added Composer\PHPStan\ConfigReturnTypeExtension to improve return
    types of Config::get() which you can also use in plugins CI (#10635)
  * Fixed name validation regex in schema causing issues with JS IDEs
    like VS Code (#10811)
  * Fixed unnecessary HTTP request in BitbucketDriver (#10729)
  * Fixed invalid credentials loop when setting up GitLab token (#10748)
  * Fixed PHP 8.2 deprecations (#10766)
  * Fixed lock file changes being output even when the lock file creation
    is disabled
  * Fixed race condition when multiple requests asking for auth on the
    same hostname fired concurrently (#10763)
  * Fixed quoting of commas on Windows (#10775)
  * Fixed issue installing path repos with a disabled symlink function
    (#10786)
  * Fixed various type errors (#10753, #10739, #10751)

• Files Changed
• Browse Source

Update to version 2.3.5 for CVE-2022-24828 (forwarded request 975231 from susnux)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source

- Update to version 2.2.7
  * Fixed support for packages with no licenses in licenses
    command output
  * Fixed handling of allow-plugins: false which kept warning
  * Fixed enum parsing in classmap generation when the enum keyword
    is not lowercased
  * Fixed author parsing in init command requiring an email whereas
    the schema allows a name only
  * Fixed issues in require command when requiring packages which
    do not exist (but are provided by something else you require)
  * Performance improvement in pool optimization step (forwarded request 957604 from susnux)

• Files Changed
• Browse Source

Automatic submission by obs-autosubmit

• Files Changed
• Browse Source