This repository has been archived by the owner on Jun 17, 2021. It is now read-only.

[Security] Bump composer/composer from 2.0.8 to 2.1.2 #168

Closed

Conversation

dependabot-preview[bot]
Contributor

Bumps composer/composer from 2.0.8 to 2.1.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Missing argument delimiter can lead to command execution via VCS repository URLs or source download URLs on systems with Mercurial

Affected versions: >=2.0.0-alpha1, <2.0.13; <1.10.22
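The advisory line above is the only thing on this page a reviewer actually has to act on: is the version pinned in the project's lock file inside one of the affected ranges? The check below is an added example, not code from the Dependabot PR or from Composer itself. It reads a constructed composer.lock, normalises each version with a simplified model of Composer's ordering (a pre-release such as 2.0.0-alpha1 sorts below the 2.0.0 release; unknown suffixes are rejected), and evaluates the advisory's range syntax, where `;` separates alternative ranges and `,` joins constraints that must all hold. The function and lock file names are this example's own.

```python
"""Flag composer/composer lock entries that fall inside an advisory's affected ranges.

Added example; not part of the Dependabot PR or of composer/composer.  The version
model is a deliberately simplified stand-in for Composer's own semver handling.
"""
import json
import re

# Ranges exactly as stated in the advisory on this page.
AFFECTED = ">=2.0.0-alpha1, <2.0.13; <1.10.22"

# Pre-release ranking; a plain release gets rank 4 so it sorts above every pre-release.
_PRE_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "c": 3}
_STABLE = 4

_VERSION_RE = re.compile(
    r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"   # up to four numeric parts (2.0.8.0)
    r"(?:[-.]?([A-Za-z]+)\.?(\d*))?"                # optional pre-release tag, e.g. -alpha1 / -RC1
)


def parse_version(v):
    """Return a comparable tuple (major, minor, patch, extra, pre_rank, pre_num)."""
    v = v.strip().lstrip("vV")
    m = _VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    nums = tuple(int(x) if x else 0 for x in m.group(1, 2, 3, 4))
    tag, num = m.group(5), m.group(6)
    if tag is None:
        return nums + (_STABLE, 0)
    rank = _PRE_ORDER.get(tag.lower())
    if rank is None:
        raise ValueError(f"unsupported pre-release tag {tag!r} in {v!r}")
    return nums + (rank, int(num) if num else 0)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_constraint(c):
    """Split one constraint like '<2.0.13' into (operator, parsed version)."""
    m = re.fullmatch(r"\s*(>=|<=|>|<|==|=|!=)?\s*([\w.\-]+)\s*", c)
    if not m:
        raise ValueError(f"bad constraint {c!r}")
    return (m.group(1) or "="), parse_version(m.group(2))


def is_affected(version, ranges=AFFECTED):
    """True if `version` satisfies every constraint of at least one ';'-separated range."""
    v = parse_version(version)
    for rng in ranges.split(";"):
        constraints = [parse_constraint(c) for c in rng.split(",") if c.strip()]
        if constraints and all(_OPS[op](v, bound) for op, bound in constraints):
            return True
    return False


def vulnerable_packages(lock_json, package="composer/composer", ranges=AFFECTED):
    """Return [(section, version)] for each lock entry of `package` inside `ranges`."""
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package and is_affected(pkg["version"], ranges):
                hits.append((section, pkg["version"]))
    return hits


# Constructed lock file: the pre-bump state this PR starts from (2.0.8), plus an unrelated package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "composer/composer", "version": "2.0.8"},
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version in vulnerable_packages(SAMPLE_LOCK):
        print(f"{section}: composer/composer {version} is inside '{AFFECTED}'")
    # The bump target from this PR is outside the affected ranges:
    print("2.1.2 affected:", is_affected("2.1.2"))
```

Running it against the constructed lock reports the pre-bump 2.0.8 as affected, while 2.1.2 (the version this PR moves to) and the boundary releases 2.0.13 and 1.10.22 are not. The same `vulnerable_packages` call works on a real composer.lock by reading the file's contents instead of `SAMPLE_LOCK`.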

Release notes

Sourced from composer/composer's releases.

2.1.2

  • Added --dev to dump-autoload command to allow force-dumping dev autoload rules even if dev requirements are not present (#9946)
  • Fixed --no-scripts disabling events for plugins too instead of only disabling script handlers, using --no-plugins is the way to disable plugins (#9942)
  • Fixed handling of deletions during package installs on some filesystems (#9945, #9947)
  • Fixed undefined array access when using @php <absolute path> in a script handler (#9943)
  • Fixed usage of InstalledVersions when loaded from composer/composer installed as a dependency and runtime Composer is v1 (#9937)

2.1.1

  • Fixed regression in autoload generation when --no-scripts is used (#9935)
  • Fixed outdated color legend to have the right color in the right place (#9939)
  • Fixed PCRE bug causing a previously valid pattern to fail to match (#9941)
  • Fixed JsonFile::validateSchema regression when used as a library to validate custom schema files (#9938)

2.1.0

  • Bumped composer-runtime-api and composer-plugin-api to 2.1.0
  • UX Change: The default install method for packages is now always dist/zip, even for dev packages, added --prefer-install=auto if you want the old behavior (#9603)
  • UX Change: Packages from path repositories which are symlinked in the vendor dir will always be updated in partial updates to avoid mistakes when the original composer.json changes but the symlinked package is not explicitly updated (#9765)
  • Added reinstall command that takes one or more package names, including wildcard (*) support, and removes then reinstalls them in the exact same version they had (#9915)
  • Added support for parallel package installs on Windows via 7-Zip if it is installed (#9875)
  • Added detection of invalid composer.lock files that do not fulfil the composer.json requirements to validate command (#9899)
  • Added InstalledVersions::getInstalledPackagesByType(string $type) to retrieve installed plugins for example, read more (#9699)
  • Added InstalledVersions::getInstalledPath(string $packageName) to retrieve the install path of a given package, read more (#9699)
  • Added flag to InstalledVersions::isInstalled() to allow excluding dev requirements from that check (#9682)
  • Added support for PHP 8.1 enums in autoloader / classmap generation (#9670)
  • Added support for using @php binary-name foo in scripts to refer to a binary without using its full path, but forcing to use the same PHP version as Composer used (#9726)
  • Added --format=json support to the fund command (#9678)
  • Added --format=json support to the search command (#9747)
  • Added COMPOSER_DEV_MODE env var definition within the run-script command for compatibility (#9793)
  • Added async uninstall of packages (#9618)
  • Added color legend to outdated and show --latest commands (#9716)
  • Added secure-svn-domains config option to mark secure svn:// hostnames and suppress warnings without disabling secure-http (#9872)
  • Added gitlab-protocol config option to allow forcing git or http URLs for all gitlab repos loaded inline, instead of the default of git for private and http for public (#9401)
  • Added generation of autoload rules in init command (#9829)
  • Added source/dist validation in validate command
  • Added automatic detection of WSL when generating binaries and use bin-compat:full implicitly (#9855)
  • Added automatic detection of the --no-dev state for dump-autoload based on the last install run (#9714)
  • Added warning/prompt to require command if requiring a package that already exists in require-dev or vice versa (#9542)
  • Added information about package conflicts in the why/why-not commands (#9693)
  • Removed version argument from why command as it was not needed (#9729)
  • Fixed why-not command to always require a specific version as it is useless without (#9729)
  • Fixed cache dir on macOS to follow OS guidelines, it is now in ~/Library/Caches/composer (#9898)
  • Fixed composer.json JSON schema to avoid having name/description required by default (#9912)
  • Fixed support for running inside WSL paths from a Windows PHP/Composer (#9861)
  • Fixed InstalledVersions to include the original doc blocks when installed from a Composer phar file
  • Fixed require command to use * as constraint for extensions bundled with PHP instead of duplicating the PHP constraint (#9483)
  • Fixed search output to be aligned and avoid wrapped long lines to be more readable (#9455)
  • Fixed PHP 8.1 deprecation warning (#9932)
  • Fixed env var handling when variables_order includes E and symfony/console 3.3.15+ is in use (#9930)
  • Error output improvements for many cases (#9876, #9837, #9928, and some smaller improvements)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.1.2] 2021-06-07

  • Added --dev to dump-autoload command to allow force-dumping dev autoload rules even if dev requirements are not present (#9946)
  • Fixed --no-scripts disabling events for plugins too instead of only disabling script handlers, using --no-plugins is the way to disable plugins (#9942)
  • Fixed handling of deletions during package installs on some filesystems (#9945, #9947)
  • Fixed undefined array access when using @php <absolute path> in a script handler (#9943)
  • Fixed usage of InstalledVersions when loaded from composer/composer installed as a dependency and runtime Composer is v1 (#9937)

[2.1.1] 2021-06-04

  • Fixed regression in autoload generation when --no-scripts is used (#9935)
  • Fixed outdated color legend to have the right color in the right place (#9939)
  • Fixed PCRE bug causing a previously valid pattern to fail to match (#9941)
  • Fixed JsonFile::validateSchema regression when used as a library to validate custom schema files (#9938)

[2.1.0] 2021-06-03

  • Fixed PHP 8.1 deprecation warning (#9932)
  • Fixed env var handling when variables_order includes E and symfony/console 3.3.15+ is in use (#9930)

[2.1.0-RC1] 2021-06-02

  • Bumped composer-runtime-api and composer-plugin-api to 2.1.0
  • UX Change: The default install method for packages is now always dist/zip, even for dev packages, added --prefer-install=auto if you want the old behavior (#9603)
  • UX Change: Packages from path repositories which are symlinked in the vendor dir will always be updated in partial updates to avoid mistakes when the original composer.json changes but the symlinked package is not explicitly updated (#9765)
  • Added reinstall command that takes one or more package names, including wildcard (*) support, and removes then reinstalls them in the exact same version they had (#9915)
  • Added support for parallel package installs on Windows via 7-Zip if it is installed (#9875)
  • Added detection of invalid composer.lock files that do not fulfil the composer.json requirements to validate command (#9899)
  • Added InstalledVersions::getInstalledPackagesByType(string $type) to retrieve installed plugins for example, read more (#9699)
  • Added InstalledVersions::getInstalledPath(string $packageName) to retrieve the install path of a given package, read more (#9699)
  • Added flag to InstalledVersions::isInstalled() to allow excluding dev requirements from that check (#9682)
  • Added support for PHP 8.1 enums in autoloader / classmap generation (#9670)
  • Added support for using @php binary-name foo in scripts to refer to a binary without using its full path, but forcing to use the same PHP version as Composer used (#9726)
  • Added --format=json support to the fund command (#9678)
  • Added --format=json support to the search command (#9747)
  • Added COMPOSER_DEV_MODE env var definition within the run-script command for compatibility (#9793)
  • Added async uninstall of packages (#9618)
  • Added color legend to outdated and show --latest commands (#9716)
  • Added secure-svn-domains config option to mark secure svn:// hostnames and suppress warnings without disabling secure-http (#9872)
  • Added gitlab-protocol config option to allow forcing git or http URLs for all gitlab repos loaded inline, instead of the default of git for private and http for public (#9401)
  • Added generation of autoload rules in init command (#9829)
  • Added source/dist validation in validate command
  • Added automatic detection of WSL when generating binaries and use bin-compat:full implicitly (#9855)
  • Added automatic detection of the --no-dev state for dump-autoload based on the last install run (#9714)
  • Added warning/prompt to require command if requiring a package that already exists in require-dev or vice versa (#9542)
  • Added information about package conflicts in the why/why-not commands (#9693)
  • Removed version argument from why command as it was not needed (#9729)
  • Fixed why-not command to always require a specific version as it is useless without (#9729)
  • Fixed cache dir on macOS to follow OS guidelines, it is now in ~/Library/Caches/composer (#9898)
  • Fixed composer.json JSON schema to avoid having name/description required by default (#9912)

... (truncated)

Commits
  • 1845e68 Release 2.1.2
  • 8ac5d78 Bump CA-bundle version
  • aaf722d Update PR template
  • e9985ef Update changelog
  • 6e851ed Add --dev to dump-autoload command to allow force-dumping dev autoload ru...
  • e013b47 Avoid failing hard if the target empty dir cannot be deleted when extracting ...
  • c4f675f Fix virtualbox filesystem issue when installing packages, fixes #9945
  • 4e4b4f6 Revert "Always wait after an unzip completes to try and fix virtualbox issues...
  • dd17f5f Add missing use
  • 3556f6e Always wait after an unzip completes to try and fix virtualbox issues, refs #...
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [composer/composer](https://github.com/composer/composer) from 2.0.8 to 2.1.2. **This update includes a security fix.**
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
- [Commits](composer/composer@2.0.8...2.1.2)

Signed-off-by: dependabot-preview[bot] <[email protected]>
dependabot-preview[bot] added the labels dependencies (Pull requests that update a dependency file), php (Pull requests that update Php code) and security (Pull requests that address a security vulnerability) on Jun 7, 2021
dependabot-preview[bot]
Contributor Author

Superseded by #170.

dependabot-preview[bot] deleted the dependabot/composer/composer/composer-2.1.2 branch on June 9, 2021 at 20:21