2.4.0

Read the Composer 2.4 Release Announcement for more details on the release highlights.

Complete Changelog

• Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
• Added bump command to bump requirements to the currently installed version (#10829)
• Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
• Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
• Added --audit to install command to also do an audit (#10798, #10898)
• Added json format output to the check-platform-reqs command (#10979)
• Added GitLab 15+ token refresh support (#10988)
• Added r alias to require command (#10953)
• Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
• Added --locked to depends/prohibits commands (#10834)
• Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
• Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
• Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
• Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
• Added sections for direct and transitive deps in outdated command output (#10779)
• Added ability for cache GC to clean up vcs and repo caches (#10826)
• Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
• Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
• Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
• Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
• Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)

2.4.0-RC1

Composer 2.4 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

• Running composer self-update --preview will get you the 2.4.0-RC1
• Running composer self-update --stable will get you back on the latest 2.3 stable release if anything broke.
• Report any issues you encounter as a new issue specifying you tried the 2.4 RC and please include stack traces & repro details.

Full Changelog

• Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
• Added bump command to bump requirements to the currently installed version (#10829)
• Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
• Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
• Added --audit to install command to also do an audit (#10798, #10898)
• Added r alias to require command (#10953)
• Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
• Added --locked to depends/prohibits commands (#10834)
• Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
• Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
• Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
• Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
• Added sections for direct and transitive deps in outdated command output (#10779)
• Added ability for cache GC to clean up vcs and repo caches (#10826)
• Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
• Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
• Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
• Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)

2.3.10

PSA: If you are seeing issues running non-interactive create-project with a project that does not configure allow-plugins, see the top post of #10928 for a workaround.

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
• Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
• Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
• Fixed support for disable_functions containing disk_free_space (#10936)
• Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

2.2.17

PSA: If you are seeing issues running non-interactive create-project with a project that does not configure allow-plugins, see the top post of #10928 for a workaround.

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
• Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
• Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
• Fixed support for disable_functions containing disk_free_space (#10936)
• Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

2.3.9

• Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
• Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
• Fixed deprecation notice (#10921)
• Fixed type errors (#10924)

2.2.16

• Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
• Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
• Fixed deprecation notice (#10921)

2.3.8

• Fixed support for cache-read-only where the filesystem is not writable (#10906)
• Fixed type error when using allow-plugins: true (#10909)
• Fixed @putenv scripts receiving arguments passed to the command (#10846)
• Fixed support for spaces in paths with binary proxies on Windows (#10836)
• Fixed type error in GitDownloader if branches cannot be listed (#10888)
• Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
• Fixed type errors (#10904, #10897)

2.2.15

• Fixed support for cache-read-only where the filesystem is not writable (#10906)
• Fixed type error when using allow-plugins: true (#10909)
• Fixed @putenv scripts receiving arguments passed to the command (#10846)
• Fixed support for spaces in paths with binary proxies on Windows (#10836)
• Fixed type error in GitDownloader if branches cannot be listed (#10888)
• Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)

2.3.7

• Fixed a few PHPStan ConfigReturnTypeExtension bugs
• Fixed Config default for auth configs to be empty arrays instead of null, fixes issues with diagnose command (#10814)
• Fixed handling of broken symlinks when checking whether a package is still installed (#6708)
• Fixed bin proxies to allow a proxy to include another one safely (#10823)
• Fixed openssl 3.x version parsing as it is now semver compliant
• Fixed type error when a json file cannot be read (#10818)
• Fixed parsing of multi-line arrays in funding.yml (#10784)

2.2.14

• Fixed handling of broken symlinks when checking whether a package is still installed (#6708)
• Fixed name validation regex in schema causing issues with JS IDEs like VS Code (#10811)
• Fixed bin proxies to allow a proxy to include another one safely (#10823)
• Fixed gitlab-token JSON schema definition (#10800)
• Fixed openssl 3.x version parsing as it is now semver compliant
• Fixed type error when a json file cannot be read (#10818)
• Fixed parsing of multi-line arrays in funding.yml (#10784)