Skip to content

Bump the composer group across 2 directories with 2 updates#12

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer/helpers/v1/composer-70762e475c
Open

Bump the composer group across 2 directories with 2 updates#12
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/composer/composer/helpers/v1/composer-70762e475c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Copy link
Copy Markdown

Bumps the composer group with 1 update in the /composer/helpers/v1 directory: composer/composer.
Bumps the composer group with 1 update in the /composer/helpers/v2 directory: composer/composer.

Updates composer/composer from 1.10.23 to 2.2.28

Release notes

Sourced from composer/composer's releases.

2.2.28

Full Changelog: composer/composer@2.2.27...2.2.28

2.2.27

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

Full Changelog: composer/composer@2.2.26...2.2.27

2.2.26

Full Changelog: composer/composer@2.2.25...2.2.26

2.2.25

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

Full Changelog: composer/composer@2.2.24...2.2.25

2.2.24

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

2.2.23

2.2.22

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.2.28] 2026-05-13

[2.2.27] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

[2.2.26] 2025-12-30

[2.2.25] 2024-12-11

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

[2.2.24] 2024-06-10

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

[2.2.23] 2024-02-08

[2.2.22] 2023-09-29

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  • Fixed support for plugin classes being marked as readonly (#11404)
  • Fixed GitHub rate limit reporting (#11366)
  • Fixed issue displaying solver problems with branch names containing % signs (#11359)

... (truncated)

Commits

Updates symfony/process from 5.3.7 to 5.4.51

Release notes

Sourced from symfony/process's releases.

v5.4.51

Changelog (symfony/process@v5.4.50...v5.4.51)

v5.4.47

Changelog (symfony/process@v5.4.46...v5.4.47)

  • no significant changes

v5.4.46

Changelog (symfony/process@v5.4.45...v5.4.46)

v5.4.45

Changelog (symfony/process@v5.4.44...v5.4.45)

  • no significant changes

v5.4.44

Changelog (symfony/process@v5.4.43...v5.4.44)

v5.4.40

Changelog (symfony/process@v5.4.39...v5.4.40)

  • no significant changes

v5.4.39

Changelog (symfony/process@v5.4.38...v5.4.39)

  • no significant changes

v5.4.36

Changelog (symfony/process@v5.4.35...v5.4.36)

v5.4.35

Changelog (symfony/process@v5.4.34...v5.4.35)

v5.4.34

... (truncated)

Commits
  • 467bfc5 [Process] Fix escaping for MSYS on Windows
  • 5d1662f normalize paths to avoid failures if a path is referenced by different names
  • 0190687 [Process] Fix test
  • ee75984 security #cve-2024-51736 [Process] Use %PATH% before %CD% to load the shell o...
  • 05c2ccc [Process] Use %PATH% before %CD% to load the shell on Windows
  • d94dda5 [Process] Fix escaping /X arguments on Windows
  • 72baf6b fix the constant being used
  • 81e1a0c fix the path separator being used
  • d67303e minor #58747 [Process] fix the directory separator being used (xabbuh)
  • 5cdd400 minor #58746 [Process] Improve test cleanup by unlinking in a finally block...
  • Additional commits viewable in compare view

Updates composer/composer from 2.1.9 to 2.2.28

Release notes

Sourced from composer/composer's releases.

2.2.28

Full Changelog: composer/composer@2.2.27...2.2.28

2.2.27

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

Full Changelog: composer/composer@2.2.26...2.2.27

2.2.26

Full Changelog: composer/composer@2.2.25...2.2.26

2.2.25

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

Full Changelog: composer/composer@2.2.24...2.2.25

2.2.24

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

2.2.23

2.2.22

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.2.28] 2026-05-13

[2.2.27] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
  • Fixed issue handling paths with = in them on Windows (#11568)

[2.2.26] 2025-12-30

[2.2.25] 2024-12-11

  • Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
  • Fixed issue on plugin upgrade when it defines multiple classes (#12226)
  • Fixed duplicate errors appearing in the output depending on php settings (#12214)
  • Fixed InstalledVersions returning duplicate data in some instances (#12225)

[2.2.24] 2024-06-10

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)

[2.2.23] 2024-02-08

[2.2.22] 2023-09-29

  • Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
  • Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
  • Fixed handling of broken junctions on windows (#11550)
  • Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
  • Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
  • Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
  • Fixed support for plugin classes being marked as readonly (#11404)
  • Fixed GitHub rate limit reporting (#11366)
  • Fixed issue displaying solver problems with branch names containing % signs (#11359)

... (truncated)

Commits

Updates symfony/process from 5.3.7 to 5.4.51

Release notes

Sourced from symfony/process's releases.

v5.4.51

Changelog (symfony/process@v5.4.50...v5.4.51)

v5.4.47

Changelog (symfony/process@v5.4.46...v5.4.47)

  • no significant changes

v5.4.46

Changelog (symfony/process@v5.4.45...v5.4.46)

v5.4.45

Changelog (symfony/process@v5.4.44...v5.4.45)

  • no significant changes

v5.4.44

Changelog (symfony/process@v5.4.43...v5.4.44)

v5.4.40

Changelog (symfony/process@v5.4.39...v5.4.40)

  • no significant changes

v5.4.39

Changelog (symfony/process@v5.4.38...v5.4.39)

  • no significant changes

v5.4.36

Changelog (symfony/process@v5.4.35...v5.4.36)

v5.4.35

Changelog (symfony/process@v5.4.34...v5.4.35)

v5.4.34

... (truncated)

Commits
  • 467bfc5 [Process] Fix escaping for MSYS on Windows
  • 5d1662f normalize paths to avoid failures if a path is referenced by different names
  • 0190687 [Process] Fix test
  • ee75984 security #cve-2024-51736 [Process] Use %PATH% before %CD% to load the shell o...
  • 05c2ccc [Process] Use %PATH% before %CD% to load the shell on Windows
  • d94dda5 [Process] Fix escaping /X arguments on Windows
  • 72baf6b fix the constant being used
  • 81e1a0c fix the path separator being used
  • d67303e minor #58747 [Process] fix the directory separator being used (xabbuh)
  • 5cdd400 minor #58746 [Process] Improve test cleanup by unlinking in a finally block...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the composer group with 1 update in the /composer/helpers/v1 directory: [composer/composer](https://github.com/composer/composer).
Bumps the composer group with 1 update in the /composer/helpers/v2 directory: [composer/composer](https://github.com/composer/composer).


Updates `composer/composer` from 1.10.23 to 2.2.28
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/2.2.28/CHANGELOG.md)
- [Commits](composer/composer@1.10.23...2.2.28)

Updates `symfony/process` from 5.3.7 to 5.4.51
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v5.3.7...v5.4.51)

Updates `composer/composer` from 2.1.9 to 2.2.28
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/2.2.28/CHANGELOG.md)
- [Commits](composer/composer@1.10.23...2.2.28)

Updates `symfony/process` from 5.3.7 to 5.4.51
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v5.3.7...v5.4.51)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.2.28
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 5.4.51
  dependency-type: indirect
  dependency-group: composer
- dependency-name: composer/composer
  dependency-version: 2.2.28
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 5.4.51
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file php Pull requests that update php code labels May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file php Pull requests that update php code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants