Bump composer/composer from 2.9.5 to 2.9.8 #111

Merged
WyriHaximus merged 1 commit into master from dependabot/composer/composer/composer-2.9.8 on May 22, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github on May 19, 2026

Bumps composer/composer from 2.9.5 to 2.9.8.

Release notes

Sourced from composer/composer's releases.

2.9.8

Full Changelog: composer/composer@2.9.7...2.9.8

2.9.7

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Full Changelog: composer/composer@2.9.6...2.9.7

2.9.6

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

Changelog

Sourced from composer/composer's changelog.

[2.9.8] 2026-05-13

[2.9.7] 2026-04-14

  • Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [composer/composer](https://github.com/composer/composer) from 2.9.5 to 2.9.8.
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.9.5...2.9.8)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.9.8
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
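The 2.9.6 entries in the release notes above cover two related classes of fix: VCS identifiers beginning with `-` that a command-line tool would parse as an option, and user-controlled input reaching a shell command unescaped. The PHP below is an added example, not Composer's own code, showing how a defender applies both patterns: an allow-list validator that rejects a leading dash, an argument vector so no shell is spawned at all, and `escapeshellarg()` where a shell command string is unavoidable. The class name, the regular expression and the `p4 users` invocation are illustrative assumptions, not taken from Composer.

```php
<?php
declare(strict_types=1);

// Added example (not Composer's code). Illustrates the hardening named in
// the 2.9.6 release notes: reject VCS identifiers a CLI would parse as
// options (a leading '-'), and never pass user-controlled strings to a
// shell without escaping.

final class VcsIdentifierValidator
{
    // Conservative allow-list for branch, tag and changelist identifiers.
    // Hypothetical pattern: real tools accept more characters, but the
    // defensive rule is that anything outside the list is rejected, not escaped.
    private const IDENTIFIER_PATTERN = '/^[A-Za-z0-9_][A-Za-z0-9_.\/@+-]*$/';

    public static function isValid(string $identifier): bool
    {
        if ($identifier === '' || strlen($identifier) > 255) {
            return false;
        }
        // A leading '-' is the case the 2.9.6 hardening addresses: git, hg,
        // p4 and fossil would all read it as an option rather than a name.
        if ($identifier[0] === '-') {
            return false;
        }
        // git refuses these itself; failing early keeps the error in PHP
        // instead of surfacing as a confusing subprocess failure.
        if (strpos($identifier, '..') !== false || substr($identifier, -5) === '.lock') {
            return false;
        }
        return preg_match(self::IDENTIFIER_PATTERN, $identifier) === 1;
    }

    /**
     * Argument vector for a checkout. Pass it to proc_open() as an array
     * (PHP 7.4+) or to Symfony Process: no shell is involved, so shell
     * metacharacters in $ref can never be interpreted as commands.
     */
    public static function checkoutArgv(string $ref): array
    {
        self::assertValid($ref);
        return ['git', 'checkout', $ref];
    }

    /**
     * Where a shell command string is unavoidable (the queryP4User case in
     * the notes), every user-controlled piece is escaped after validation.
     * The p4 invocation here is illustrative, not Composer's.
     */
    public static function p4UsersCommand(string $user): string
    {
        self::assertValid($user);
        return 'p4 users ' . escapeshellarg($user);
    }

    private static function assertValid(string $identifier): void
    {
        if (!self::isValid($identifier)) {
            throw new InvalidArgumentException(sprintf('Rejected VCS identifier "%s"', $identifier));
        }
    }
}

// Constructed sample inputs: the first three are accepted, the rest rejected.
foreach (['main', 'release/2.9.6', 'v1.2.3', '-x', '--some-option', 'main; echo hi', 'a..b'] as $ref) {
    printf("%-16s %s\n", $ref, VcsIdentifierValidator::isValid($ref) ? 'accepted' : 'rejected');
}
```

The order matters: validation comes first and is an allow-list, escaping is a second layer for the rare shell-string path, and the preferred path avoids the shell entirely by passing an argument array. Escaping alone would not have stopped a leading-dash identifier, because a correctly quoted `-x` is still the option `-x` to the program that receives it.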
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 19, 2026
@dependabot dependabot Bot requested a review from WyriHaximus as a code owner May 19, 2026 17:30
@boring-cyborg boring-cyborg Bot added Dependencies 📦 Pull requests that update a dependency file PHP 🐘 labels May 19, 2026
@github-actions github-actions Bot commented

🚧 Composer Development Dependency changes 🚧

| Dev package | Operation | Base | Target |
|---|---|---|---|
| composer/ca-bundle | Upgraded | 1.5.8 | 1.5.12 |
| composer/class-map-generator | Upgraded | 1.6.2 | 1.7.3 |
| composer/composer | Upgraded | 2.9.5 | 2.9.8 |
| composer/spdx-licenses | Upgraded | 1.5.9 | 1.6.0 |
| justinrainbow/json-schema | Upgraded | 6.6.0 | 6.8.2 |
| symfony/console | Upgraded | v7.4.1 | v7.4.11 |
| symfony/deprecation-contracts | Upgraded | v3.6.0 | v3.7.0 |
| symfony/filesystem | Upgraded | v7.3.2 | v7.4.11 |
| symfony/finder | Upgraded | v7.3.2 | v8.0.8 |
| symfony/polyfill-ctype | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-intl-grapheme | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-intl-normalizer | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-mbstring | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-php73 | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-php80 | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-php81 | Upgraded | v1.33.0 | v1.37.0 |
| symfony/polyfill-php84 | Upgraded | v1.33.0 | v1.37.0 |
| symfony/process | Upgraded | v8.0.5 | v8.0.11 |
| symfony/service-contracts | Upgraded | v3.6.0 | v3.7.0 |
| symfony/string | Upgraded | v7.3.4 | v7.4.11 |

@github-actions github-actions Bot added this to the 4.7.0 milestone May 19, 2026
@WyriHaximus WyriHaximus merged commit 0d18b55 into master May 22, 2026
174 of 204 checks passed
@dependabot dependabot Bot deleted the dependabot/composer/composer/composer-2.9.8 branch May 22, 2026 19:06