Skip to content

Commit

Permalink
chore(deps): bump composer/composer from 2.6.1 to 2.7.7 in /packages/…
Browse files Browse the repository at this point in the history 
…php (#1016)

Bumps [composer/composer](https://github.com/composer/composer) from
2.6.1 to 2.7.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/composer/composer/releases">composer/composer's
releases</a>.</em></p>
<blockquote>
<h2>2.7.7</h2>
<h3>This release includes fixes for issues found in a <a
href="https://blog.packagist.com/composer-2-7-7/">security audit by
Cure53 funded by Alpha-Omega</a>.</h3>
<ul>
<li>Security: Fixed command injection via malicious git branch name
(GHSA-47f6-5gq3-vx9c / CVE-2024-35241)</li>
<li>Security: Fixed multiple command injections via malicious git/hg
branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)</li>
<li>Security: Fixed secure-http checks that could be bypassed by using
malformed URL formats (fa3b9582c)</li>
<li>Security: Fixed Filesystem::isLocalPath including windows-specific
checks on linux (3c37a67c)</li>
<li>Security: Fixed perforce argument escaping (3773f775)</li>
<li>Security: Fixed handling of zip bombs when extracting archives
(de5f7e32)</li>
<li>Security: Fixed Windows command parameter escaping to prevent abuse
of unicode characters with best fit encoding conversion, reported by
Splitline Huang (3130a7455, 04a63b324)</li>
<li>Fixed PSR violations for classes not matching the namespace of a
rule being hidden, this may lead to new violations being shown (<a
href="https://redirect.github.com/composer/composer/issues/11957">#11957</a>)</li>
<li>Fixed UX when a plugin is still in vendor dir but is not required
nor allowed anymore after changing branches (<a
href="https://redirect.github.com/composer/composer/issues/12000">#12000</a>)</li>
<li>Fixed new platform requirements from composer.json not being checked
if the lock file is outdated (<a
href="https://redirect.github.com/composer/composer/issues/12001">#12001</a>)</li>
<li>Fixed ability for <code>config</code> command to remove autoload
keys (<a
href="https://redirect.github.com/composer/composer/issues/11967">#11967</a>)</li>
<li>Fixed empty <code>type</code> support in <code>init</code> command
(<a
href="https://redirect.github.com/composer/composer/issues/11999">#11999</a>)</li>
<li>Fixed git clone errors when <code>safe.bareRepository</code> is set
to <code>strict</code> in the git config (<a
href="https://redirect.github.com/composer/composer/issues/11969">#11969</a>)</li>
<li>Fixed regression showing network errors on PHP &lt;8.1 (<a
href="https://redirect.github.com/composer/composer/issues/11974">#11974</a>)</li>
<li>Fixed some color bleed from a few warnings (<a
href="https://redirect.github.com/composer/composer/issues/11972">#11972</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/composer/composer/compare/2.7.6...2.7.7">https://github.com/composer/composer/compare/2.7.6...2.7.7</a></p>
<h2>2.7.6</h2>
<ul>
<li>Fixed regression when script handlers add an autoloader which uses a
private callback (<a
href="https://redirect.github.com/composer/composer/issues/11960#issuecomment-2094079251">#11960</a>)</li>
</ul>
<h2>2.7.5</h2>
<ul>
<li>Added <code>uninstall</code> alias to <code>remove</code> command
(<a
href="https://redirect.github.com/composer/composer/issues/11951">#11951</a>)</li>
<li>Added workaround for broken curl versions 8.7.0/8.7.1 causing
transport exceptions (<a
href="https://redirect.github.com/composer/composer/issues/11913">#11913</a>)</li>
<li>Fixed root usage warnings showing up within Podman containers (<a
href="https://redirect.github.com/composer/composer/issues/11946">#11946</a>)</li>
<li>Fixed config command not handling objects correctly in some
conditions (<a
href="https://redirect.github.com/composer/composer/issues/11945">#11945</a>)</li>
<li>Fixed binary proxies not containing the correct path if the project
dir is a symlink (<a
href="https://redirect.github.com/composer/composer/issues/11947">#11947</a>)</li>
<li>Fixed Composer autoloader being overruled by project autoloaders
when they are loaded by event handlers (scripts/plugins) (<a
href="https://redirect.github.com/composer/composer/issues/11955">#11955</a>)</li>
<li>Fixed TransportException (http failures) not having a distinct exit
code, should now exit with <code>100</code> as code (<a
href="https://redirect.github.com/composer/composer/issues/11954">#11954</a>)</li>
</ul>
<h2>2.7.4</h2>
<ul>
<li>Fixed regression (<code>Call to undefined method
ProxyManager::needsTransitionWarning()</code>) with projects requiring
composer/composer in an pre-2.7.3 version (<a
href="https://redirect.github.com/composer/composer/issues/11943">#11943</a>,
<a
href="https://redirect.github.com/composer/composer/issues/11940">#11940</a>)</li>
</ul>
<p>As a side-note, requiring <code>composer/composer</code> is frowned
upon and should really only be done in circumstances where it is
absolutely necessary, and ideally you should talk to us first to see if
we can't help avoid it or help by extracting some code in a <a
href="https://packagist.org/packages/composer/">smaller library</a>.</p>
<h2>2.7.3</h2>
<ul>
<li>BC Warning: Fixed <code>https_proxy</code> env var falling back to
<code>http_proxy</code>'s value, this is still in place but with a
warning for now, and https_proxy can now be set empty to remove the
fallback. Composer 2.8.0 will remove the fallback so make sure you heed
the warnings (<a
href="https://redirect.github.com/composer/composer/issues/11915">#11915</a>)</li>
<li>Fixed <code>show</code> and <code>outdated</code> commands to remove
leading <code>v</code> in e.g. <code>v1.2.3</code> when showing lists of
packages (<a
href="https://redirect.github.com/composer/composer/issues/11925">#11925</a>)</li>
<li>Fixed <code>audit</code> command not showing any id when no CVE is
present, the advisory ID is now shown (<a
href="https://redirect.github.com/composer/composer/issues/11892">#11892</a>)</li>
<li>Fixed the warning about a missing default version showing for
packages with <code>project</code> type as those are typically not
versioned and do not have cyclic dependencies (<a
href="https://redirect.github.com/composer/composer/issues/11885">#11885</a>)</li>
<li>Fixed PHP 8.4 deprecation warnings</li>
<li>Fixed <code>clear-cache</code> command to respect the
config.cache-dir setting from the local composer.json (<a
href="https://redirect.github.com/composer/composer/issues/11921">#11921</a>)</li>
<li>Fixed <code>status</code> command not handling failed
download/install promises correctly (<a
href="https://redirect.github.com/composer/composer/issues/11889">#11889</a>)</li>
<li>Added support for <code>buy_me_a_coffee</code> in GitHub funding
files (<a
href="https://redirect.github.com/composer/composer/issues/11902">#11902</a>)</li>
<li>Added <code>hg</code> support for SSH urls (<a
href="https://redirect.github.com/composer/composer/issues/11878">#11878</a>)</li>
<li>Fixed some env vars with an integer value causing a crash (<a
href="https://redirect.github.com/composer/composer/issues/11908">#11908</a>)</li>
<li>Fixed context data not being output when using IOInterface as a
PSR-3 logger (<a
href="https://redirect.github.com/composer/composer/issues/11882">#11882</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/composer/composer/blob/main/CHANGELOG.md">composer/composer's
changelog</a>.</em></p>
<blockquote>
<h3>[2.7.7] 2024-06-10</h3>
<ul>
<li>Security: Fixed command injection via malicious git branch name
(GHSA-47f6-5gq3-vx9c / CVE-2024-35241)</li>
<li>Security: Fixed multiple command injections via malicious git/hg
branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)</li>
<li>Security: Fixed secure-http checks that could be bypassed by using
malformed URL formats (fa3b9582c)</li>
<li>Security: Fixed Filesystem::isLocalPath including windows-specific
checks on linux (3c37a67c)</li>
<li>Security: Fixed perforce argument escaping (3773f775)</li>
<li>Security: Fixed handling of zip bombs when extracting archives
(de5f7e32)</li>
<li>Security: Fixed Windows command parameter escaping to prevent abuse
of unicode characters with best fit encoding conversion (3130a7455,
04a63b324)</li>
<li>Fixed PSR violations for classes not matching the namespace of a
rule being hidden, this may lead to new violations being shown (<a
href="https://redirect.github.com/composer/composer/issues/11957">#11957</a>)</li>
<li>Fixed UX when a plugin is still in vendor dir but is not required
nor allowed anymore after changing branches (<a
href="https://redirect.github.com/composer/composer/issues/12000">#12000</a>)</li>
<li>Fixed new platform requirements from composer.json not being checked
if the lock file is outdated (<a
href="https://redirect.github.com/composer/composer/issues/12001">#12001</a>)</li>
<li>Fixed ability for <code>config</code> command to remove autoload
keys (<a
href="https://redirect.github.com/composer/composer/issues/11967">#11967</a>)</li>
<li>Fixed empty <code>type</code> support in <code>init</code> command
(<a
href="https://redirect.github.com/composer/composer/issues/11999">#11999</a>)</li>
<li>Fixed git clone errors when <code>safe.bareRepository</code> is set
to <code>strict</code> in the git config (<a
href="https://redirect.github.com/composer/composer/issues/11969">#11969</a>)</li>
<li>Fixed regression showing network errors on PHP &lt;8.1 (<a
href="https://redirect.github.com/composer/composer/issues/11974">#11974</a>)</li>
<li>Fixed some color bleed from a few warnings (<a
href="https://redirect.github.com/composer/composer/issues/11972">#11972</a>)</li>
</ul>
<h3>[2.7.6] 2024-05-04</h3>
<ul>
<li>Fixed regression when script handlers add an autoloader which uses a
private callback (<a
href="https://redirect.github.com/composer/composer/issues/11960">#11960</a>)</li>
</ul>
<h3>[2.7.5] 2024-05-03</h3>
<ul>
<li>Added <code>uninstall</code> alias to <code>remove</code> command
(<a
href="https://redirect.github.com/composer/composer/issues/11951">#11951</a>)</li>
<li>Added workaround for broken curl versions 8.7.0/8.7.1 causing
transport exceptions (<a
href="https://redirect.github.com/composer/composer/issues/11913">#11913</a>)</li>
<li>Fixed root usage warnings showing up within Podman containers (<a
href="https://redirect.github.com/composer/composer/issues/11946">#11946</a>)</li>
<li>Fixed config command not handling objects correctly in some
conditions (<a
href="https://redirect.github.com/composer/composer/issues/11945">#11945</a>)</li>
<li>Fixed binary proxies not containing the correct path if the project
dir is a symlink (<a
href="https://redirect.github.com/composer/composer/issues/11947">#11947</a>)</li>
<li>Fixed Composer autoloader being overruled by project autoloaders
when they are loaded by event handlers (scripts/plugins) (<a
href="https://redirect.github.com/composer/composer/issues/11955">#11955</a>)</li>
<li>Fixed TransportException (http failures) not having a distinct exit
code, should now exit with <code>100</code> as code (<a
href="https://redirect.github.com/composer/composer/issues/11954">#11954</a>)</li>
</ul>
<h3>[2.7.4] 2024-04-22</h3>
<ul>
<li>Fixed regression (<code>Call to undefined method
ProxyManager::needsTransitionWarning()</code>) with projects requiring
composer/composer in an pre-2.7.3 version (<a
href="https://redirect.github.com/composer/composer/issues/11943">#11943</a>,
<a
href="https://redirect.github.com/composer/composer/issues/11940">#11940</a>)</li>
</ul>
<h3>[2.7.3] 2024-04-19</h3>
<ul>
<li>BC Warning: Fixed <code>https_proxy</code> env var falling back to
<code>http_proxy</code>'s value, this is still in place but with a
warning for now, and https_proxy can now be set empty to remove the
fallback. Composer 2.8.0 will remove the fallback so make sure you heed
the warnings (<a
href="https://redirect.github.com/composer/composer/issues/11915">#11915</a>)</li>
<li>Fixed <code>show</code> and <code>outdated</code> commands to remove
leading <code>v</code> in e.g. <code>v1.2.3</code> when showing lists of
packages (<a
href="https://redirect.github.com/composer/composer/issues/11925">#11925</a>)</li>
<li>Fixed <code>audit</code> command not showing any id when no CVE is
present, the advisory ID is now shown (<a
href="https://redirect.github.com/composer/composer/issues/11892">#11892</a>)</li>
<li>Fixed the warning about a missing default version showing for
packages with <code>project</code> type as those are typically not
versioned and do not have cyclic dependencies (<a
href="https://redirect.github.com/composer/composer/issues/11885">#11885</a>)</li>
<li>Fixed PHP 8.4 deprecation warnings</li>
<li>Fixed <code>clear-cache</code> command to respect the
config.cache-dir setting from the local composer.json (<a
href="https://redirect.github.com/composer/composer/issues/11921">#11921</a>)</li>
<li>Fixed <code>status</code> command not handling failed
download/install promises correctly (<a
href="https://redirect.github.com/composer/composer/issues/11889">#11889</a>)</li>
<li>Added support for <code>buy_me_a_coffee</code> in GitHub funding
files (<a
href="https://redirect.github.com/composer/composer/issues/11902">#11902</a>)</li>
<li>Added <code>hg</code> support for SSH urls (<a
href="https://redirect.github.com/composer/composer/issues/11878">#11878</a>)</li>
<li>Fixed some env vars with an integer value causing a crash (<a
href="https://redirect.github.com/composer/composer/issues/11908">#11908</a>)</li>
<li>Fixed context data not being output when using IOInterface as a
PSR-3 logger (<a
href="https://redirect.github.com/composer/composer/issues/11882">#11882</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/composer/composer/commit/291942978f39435cf904d33739f98d7d4eca7b23"><code>2919429</code></a>
Release 2.7.7</li>
<li><a
href="https://github.com/composer/composer/commit/e354a8d290c67a5c5b152d3f710823b62daaecd2"><code>e354a8d</code></a>
Update changelog</li>
<li><a
href="https://github.com/composer/composer/commit/04a63b324fef7f019dde83a3153c97219b4c794b"><code>04a63b3</code></a>
Add more characters for best fit encoding protection</li>
<li><a
href="https://github.com/composer/composer/commit/ad8985e6b07b54f0fb9c1f1dc50248048406cf5a"><code>ad8985e</code></a>
Update changelog</li>
<li><a
href="https://github.com/composer/composer/commit/3130a7455a9fb53e14a08d2c9d6d904810159df1"><code>3130a74</code></a>
Fix windows parameter encoding to prevent abuse of unicode characters
with be...</li>
<li><a
href="https://github.com/composer/composer/commit/5aa7b03b9d6cd0b20b32733298b6e97a2b11b287"><code>5aa7b03</code></a>
Fix test</li>
<li><a
href="https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704"><code>ee28354</code></a>
Merge pull request from GHSA-47f6-5gq3-vx9c</li>
<li><a
href="https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396"><code>6bd43df</code></a>
Merge pull request from GHSA-v9qv-c7wm-wgmf</li>
<li><a
href="https://github.com/composer/composer/commit/fa3b9582c38fa2b7ed14989101a5d1e1788d787c"><code>fa3b958</code></a>
Fix secure-http check to avoid bypass using emojis</li>
<li><a
href="https://github.com/composer/composer/commit/f3e877a80e42e61448aca52541388e299a23ca17"><code>f3e877a</code></a>
Update deps</li>
<li>Additional commits viewable in <a
href="https://github.com/composer/composer/compare/2.6.1...2.7.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=composer/composer&package-manager=composer&previous-version=2.6.1&new-version=2.7.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/readmeio/metrics-sdks/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Loading branch information
@dependabot
dependabot[bot] authored Jun 16, 2024
1 parent 79fbb5b commit 93eb1a5
Showing 1 changed file with 53 additions and 51 deletions.
104 changes: 53 additions & 51 deletions packages/php/composer.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 93eb1a5

Please sign in to comment.