2.4.0-RC1 - released 2022-07-21
View the release on GitHub
Changelog
- Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
- Added
bump
command to bump requirements to the currently installed version (#10829)
- Added
audit
command to check for known security vulnerabilities in installed packages (#10798, #10898)
- Added automatic auditing of security vulnerabilities after
update
is done, can be overridden with --no-audit
(#10798, #10898)
- Added
--audit
to install
command to also do an audit (#10798, #10898)
- Added
r
alias to require
command (#10953)
- Added
composer/class-map-generator
dependency to replace Composer\Autoload\ClassMapGenerator
which is now deprecated (#10885)
- Added
--locked
to depends
/prohibits
commands (#10834)
- Added
--strict-psr
flag to dump-autoload
command to fail the process if PSR violations were detected, useful for CI (#10886)
- Added
COMPOSER_PREFER_STABLE
and COMPOSER_PREFER_LOWEST
env vars to turn on --prefer-stable
/--prefer-lowest
on update
and require
command, useful for CI (#10919)
- Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
- Added
--major-only
flag to the outdated
command to show only packages with major version updates (#10827)
- Added sections for direct and transitive deps in
outdated
command output (#10779)
- Added ability for cache GC to clean up
vcs
and repo
caches (#10826)
- Added
--gc
flag to clear-cache
to only trigger a garbage collection instead of clearing everything (#10826)
- Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
- Added prompt suggesting using
--dev
when requiring packages with dev
/testing
/static analysis
keywords present (#10960)
- Added warning in
require
, init
and create-project
commands when the latest version of a package cannot be used due to platform requirements (#10896)