Releases: composer/composer

2.9.7

14 Apr 11:36
82a2fbd

  • Fixes regression when calling custom script command aliases whose name is a substring of a composer command (#12802)

Full Changelog: 2.9.6...2.9.7

2.9.6

14 Apr 09:46
9afc32c

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc08)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c76)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: 2.9.5...2.9.6

2.2.27

14 Apr 09:46
c800ff7

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807, 246f807, 246f807)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

Full Changelog: 2.2.26...2.2.27

2.10.0-RC1

01 Apr 14:00
8b6b2a4

Composer 2.10 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

  • Running composer self-update --preview will get you the 2.10.0-RC1
  • Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke.
  • Report any issues you encounter as a new issue, specifying that you tried the 2.10 RC, and please include stack traces & repro details.

Full Changelog

  • Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
  • Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
  • Added --strict-psr-autoloader flag to install and update commands (#12647)
  • Added source-fallback config option to disable or enable source fallback on download failure (#12698)
  • Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
  • Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
  • Optimized PoolOptimizer memory usage (#12783)
  • Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
  • Fixed warning being shown when lock file is disabled (#12760)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)

Full Changelog: 2.9.5...2.10.0-RC1

2.9.5

29 Jan 10:45
72a8f8e

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE (2.9.4 had a workaround already)

Full Changelog: 2.9.4...2.9.5

2.9.4

22 Jan 13:12
d422515

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: 2.9.3...2.9.4

2.9.3

30 Dec 12:53
fb3bee2

  • Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
  • Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
  • Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
  • Fixed client-certificate authentication implementation (#12667)
  • Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  • Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
  • Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  • Fixed display of reasons for why advisories are ignored (#12668)
  • Fixed compatibility issues when git has log.showSignature enabled (#12666)
  • Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
  • Fixed EventDispatcher requiring a full Composer instance to function (#12629)

Full Changelog: 2.9.2...2.9.3

2.2.26

30 Dec 12:52
c6ad1d7

Full Changelog: 2.2.25...2.2.26

2.9.2

19 Nov 21:07
8d5358f

  • Added new --no-security-blocking flag to disable/configure security blocking (#12617)
  • Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
  • Fixed config command not being able to set the new audit settings (#12609)
  • Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
  • Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

Full Changelog: 2.9.1...2.9.2

2.9.1

13 Nov 15:18
35cb6d4

  • Fixed regression in phpunit binary proxies (#12601)
  • Fixed script handler autoloading issues (#12606)
  • Fixed null call of Command::setDescription in some cases (#12605)
  • Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

Full Changelog: 2.9.0...2.9.1