2.9.5

• Added support for new pie download-url-methods (#12727)
• Fixed detection of 7z when installed as 7za on some linux systems (#12731)
• Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

Full Changelog: 2.9.4...2.9.5

2.9.4

• Added active plugins to the diagnose command output (#12706)
• Fixed HTTP/3 causing issues with proxies (#12699)
• Fixed show command regression with long descriptions containing unicode characters (#12704)
• Fixed regression handling invalid unicode sequences in output (#12707)
• Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
• Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: 2.9.3...2.9.4

2.9.3

• Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
• Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
• Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
• Fixed client-certificate authentication implementation (#12667)
• Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
• Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
• Fixed support for SecureTransport + LibreSSL on macOS (#12615)
• Fixed display of reasons for why advisories are ignored (#12668)
• Fixed compatibility issues when git has log.showSignature enabled (#12666)
• Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
• Fixed EventDispatcher requiring a full Composer instance to function (#12629)

Full Changelog: 2.9.2...2.9.3

2.2.26

• Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)

Full Changelog: 2.2.25...2.2.26

2.9.2

• Added new --no-security-blocking flag to disable/configure security blocking (#12617)
• Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
• Fixed config command not being able to set the new audit settings (#12609)
• Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
• Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

Full Changelog: 2.9.1...2.9.2

2.9.1

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

Full Changelog: 2.9.0...2.9.1

2.9.0

Read the Composer 2.9 Release Announcement for more details on the release highlights.

Full Changelog

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
• Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
• Added audit > ignore-abandoned config setting to ignore some packages (#12572)
• Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
• Added repository command to add, remove, or update repositories more easily (#12388)
• Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
• Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
• Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
• Added support for forgejo / codeberg.org repositories (#12307)
• Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
• Added support for HTTP/3 if libcurl supports it (#12363)
• Added support for custom header authentication (#12372)
• Added support for client TLS certificates (#12406)
• Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
• Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
• Added support for running init without interaction (#12546)
• Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
• Added support for Windows Sudo to elevate during self-update (#12543)
• Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
• Fixed display of dist refs for dev versions when source is missing (#12562)
• Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
• Fixed compatibility issues with Symfony 7
• Fixed issues with PHP preloading being hard to debug (#12528)

Full Changelog: 2.8.12...2.9.0

2.9.0-RC1

Composer 2.9 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

• Running composer self-update --preview will get you the 2.9.0-RC1
• Running composer self-update --stable will get you back on the latest 2.8 stable release if anything broke.
• Report any issues you encounter as a new issue specifying you tried the 2.9 RC and please include stack traces & repro details.

Full Changelog

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
• Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
• Added audit > ignore-abandoned config setting to ignore some packages (#12572)
• Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
• Added repository command to add, remove, or update repositories more easily (#12388)
• Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
• Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
• Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
• Added support for forgejo / codeberg.org repositories (#12307)
• Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
• Added support for HTTP/3 if libcurl supports it (#12363)
• Added support for custom header authentication (#12372)
• Added support for client TLS certificates (#12406)
• Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
• Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
• Added support for running init without interaction (#12546)
• Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
• Added support for Windows Sudo to elevate during self-update (#12543)
• Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
• Fixed display of dist refs for dev versions when source is missing (#12562)
• Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
• Fixed compatibility issues with Symfony 7
• Fixed issues with PHP preloading being hard to debug (#12528)

Full Changelog: 2.8.12...2.9.0-RC1

2.8.12

• Fixed json schema issues with version validation (#12512)
• Fixed PHP 8.5 deprecation warnings (#12513)
• Fixed support for Bitbucket API tokens (#12515)
• Fixed handling of spaces in paths when using binaries (#12524)
• Fixed config --global path resolution issue (#12537)
• Reduced peak memory usage while loading packages (#12516)
• Dropped react/promise 2.x support

Full Changelog: 2.8.11...2.8.12

2.8.11

• Fixed PHP 8.5 deprecation warnings (#12504, #12493, #12505)
• Fixed bump command handling of 0.x versions (#12468)
• Fixed psr-4 warnings being shown in some cases when using symlinked directories (#12480)
• Fixed audit command failing hard if any advisory constraint was invalid (#12507)

Full Changelog: 2.8.10...2.8.11