2.9.0-RC1 - released 2025-11-07

Changelog

  • Bumped composer-plugin-api to 2.9.0
  • Added automatic blocking of packages with security advisories from updates (#11956)
  • Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
  • Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
  • Added audit > ignore-abandoned config setting to ignore some packages (#12572)
  • Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
  • Added repository command to add, remove, or update repositories more easily (#12388)
  • Updated repositories structure to contain a name attribute and to be stored preferably as a list instead of an object (#12388)
  • Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
  • Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
  • Added support for forgejo / codeberg.org repositories (#12307)
  • Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
  • Added support for HTTP/3 if libcurl supports it (#12363)
  • Added support for custom header authentication (#12372)
  • Added support for client TLS certificates (#12406)
  • Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
  • Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
  • Added support for running init without interaction (#12546)
  • Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
  • Added support for Windows Sudo to elevate during self-update (#12543)
  • Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
  • Fixed display of dist refs for dev versions when source is missing (#12562)
  • Fixed abandoned warnings not being shown when a package is abandoned without a new release (#12423)
  • Fixed compatibility issues with Symfony 7
  • Fixed issues with PHP preloading being hard to debug (#12528)