--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-354bf16cef
2024-02-21 01:31:44.025494
--------------------------------------------------------------------------------

Name        : composer
Product     : Fedora 39
Version     : 2.7.1
Release     : 1.fc39
URL         : https://getcomposer.org/
Summary     : Dependency Manager for PHP
Description :
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

--------------------------------------------------------------------------------
Update Information:

Version 2.7.1 - 2024-02-09

  * Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842)
  * Fixed diagnose auditing of Composer dependencies failing when running from the phar

Version 2.7.0 - 2024-02-08

  * Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
  * Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
  * Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
  * Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
  * Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
  * Added severity information to audit command output (#11702)
  * Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
  * Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
  * Added support for wildcards in outdated's --ignore arg (#11831)
  * Added support for bump command bumping * to >=current version (#11694)
  * Added detection of constraints that cannot possibly match anything to validate command (#11829)
  * Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
  * Added audit of Composer's own bundled dependencies in diagnose command (#11761)
  * Added GitHub token expiration date to diagnose command output (#11688)
  * Added non-zero status code to why/why-not commands (#11796)
  * Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
  * Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
  * Fixed bump command not bumping packages required with a v prefix (#11764)
  * Fixed automatic disabling of plugins when running non-interactive as root
  * Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
  * Fixed require command crashing at the end if no lock file is present (#11814)
  * Fixed root aliases causing problems when auditing locked dependencies (#11771)
  * Fixed handling of versions with 4 components in require command (#11716)
  * Fixed compatibility issues with Symfony 7
  * Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
  * Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

--------------------------------------------------------------------------------
ChangeLog:

* Sat Feb 10 2024 Remi Collet <remi@xxxxxxxxxxxx> - 2.7.1-1
- update to 2.7.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-354bf16cef' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key.
More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------