Skip to content

Bump composer/composer from 2.9.5 to 2.9.8 in /composer/helpers/v2 in the prod-dependencies group across 1 directory#121

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95
Closed

Bump composer/composer from 2.9.5 to 2.9.8 in /composer/helpers/v2 in the prod-dependencies group across 1 directory#121
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 2, 2026
edited
Loading

Bumps the prod-dependencies group with 1 update in the /composer/helpers/v2 directory: composer/composer.

Updates composer/composer from 2.9.5 to 2.9.8

Release notes

Sourced from composer/composer's releases.

2.9.8

Full Changelog: composer/composer@2.9.7...2.9.8

2.9.7

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Full Changelog: composer/composer@2.9.6...2.9.7

2.9.6

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

Changelog

Sourced from composer/composer's changelog.

[2.9.8] 2026-05-13

[2.9.7] 2026-04-14

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95 branch from 6cfc15b to fd5808a Compare May 3, 2026 16:05
@dependabot dependabot Bot force-pushed the dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95 branch from fd5808a to 9c76f83 Compare May 10, 2026 16:06
@dependabot
Bump composer/composer
f64e163 
Bumps the prod-dependencies group with 1 update in the /composer/helpers/v2 directory: [composer/composer](https://github.com/composer/composer).


Updates `composer/composer` from 2.9.5 to 2.9.8
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.5...2.9.8)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.9.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump composer/composer from 2.9.5 to 2.9.7 in /composer/helpers/v2 in the prod-dependencies group across 1 directory Bump composer/composer from 2.9.5 to 2.9.8 in /composer/helpers/v2 in the prod-dependencies group across 1 directory May 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95 branch from 9c76f83 to f64e163 Compare May 17, 2026 16:07
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github May 19, 2026

Looks like composer/composer is no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this May 19, 2026
@dependabot dependabot Bot deleted the dependabot/composer/composer/helpers/v2/prod-dependencies-6336fe7e95 branch May 19, 2026 22:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file L: php:composer php Pull requests that update php code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants