2.4.3

• BC Break: The json format of audit command now has reportedAt as an RFC3339 string instead of an object which was a mistake (#11120)
• Fixed json format of audit command which was missing affectedVersions (#11120)
• Fixed plugin commands not being loaded during bash completions (#11074)
• Fixed parsing of inline aliases within complex constraints with || or , (#11086)
• Fixed min-php version check in autoload.php to avoid crashing sites running on PHP 5.5 or below silently with a 200 (#11091)
• Fixed JsonFile reading files without checking if they are readable first (#11077)
• Fixed require command with --dry-run failing when requiring a package requiring stability flag extraction (#11112)

2.4.2

• Fixed bash completion hanging when running as root without COMPOSER_ALLOW_SUPERUSER set (#11024)
• Fixed handling of plugin activation when running as root without COMPOSER_ALLOW_SUPERUSER set so it always happens after prompting, or does not happen if input is non-interactive
• Fixed package filter on bump command (#11053)
• Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)
• Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0
• Fixed handling of zero-major versions in outdated command with --major-only (#11032)
• Fixed show --platform regression since 2.4.0 when running in a directory without composer.json (#11046)
• Fixed a few strict type errors

2.4.1

• Added a COMPOSER_NO_AUDIT env var to easily apply the new --no-audit flag in CI (#10998)
• Fixed show command showing packages in two sections, this was only meant for the outdated command (#11000)
• Fixed local git repos being copied to cache unnecessarily (#11001)
• Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)

2.2.18

• Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
• Fixed duplicate missing extension warnings being displayed (#10938)
• Fixed hg version detection (#10955)
• Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)

2.4.0

Read the Composer 2.4 Release Announcement for more details on the release highlights.

Complete Changelog

• Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
• Added bump command to bump requirements to the currently installed version (#10829)
• Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
• Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
• Added --audit to install command to also do an audit (#10798, #10898)
• Added json format output to the check-platform-reqs command (#10979)
• Added GitLab 15+ token refresh support (#10988)
• Added r alias to require command (#10953)
• Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
• Added --locked to depends/prohibits commands (#10834)
• Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
• Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
• Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
• Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
• Added sections for direct and transitive deps in outdated command output (#10779)
• Added ability for cache GC to clean up vcs and repo caches (#10826)
• Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
• Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
• Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
• Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)
• Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)

2.4.0-RC1

Composer 2.4 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

• Running composer self-update --preview will get you the 2.4.0-RC1
• Running composer self-update --stable will get you back on the latest 2.3 stable release if anything broke.
• Report any issues you encounter as a new issue specifying you tried the 2.4 RC and please include stack traces & repro details.

Full Changelog

• Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
• Added bump command to bump requirements to the currently installed version (#10829)
• Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
• Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
• Added --audit to install command to also do an audit (#10798, #10898)
• Added r alias to require command (#10953)
• Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
• Added --locked to depends/prohibits commands (#10834)
• Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
• Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
• Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
• Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
• Added sections for direct and transitive deps in outdated command output (#10779)
• Added ability for cache GC to clean up vcs and repo caches (#10826)
• Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
• Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
• Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
• Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)

2.3.10

PSA: If you are seeing issues running non-interactive create-project with a project that does not configure allow-plugins, see the top post of #10928 for a workaround.

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
• Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
• Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
• Fixed support for disable_functions containing disk_free_space (#10936)
• Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

2.2.17

PSA: If you are seeing issues running non-interactive create-project with a project that does not configure allow-plugins, see the top post of #10928 for a workaround.

• Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
• Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
• Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
• Fixed support for disable_functions containing disk_free_space (#10936)
• Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

2.3.9

• Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
• Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
• Fixed deprecation notice (#10921)
• Fixed type errors (#10924)

2.2.16

• Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
• Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
• Fixed deprecation notice (#10921)