
[NEUTRAL] Update dependency composer/composer to v2.2.21 #986

Open: wants to merge 1 commit into base: main

Conversation

@mend-for-github-com mend-for-github-com bot commented Oct 3, 2023

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| composer/composer (source) | 2.1.3 -> 2.2.21 | age | adoption | passing | confidence |

By merging this PR, the issue #1050 will be automatically resolved and closed:

| Severity | CVSS Score | CVE | Reachability |
|---|---|---|---|
| Medium | 6.4 | CVE-2023-43655 | |

Release Notes

composer/composer (composer/composer)

v2.2.21

Compare Source

  • Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)

v2.2.20

Compare Source

  • Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)

v2.2.19

Compare Source

  • Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)
  • Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)
  • Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)
  • Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0

v2.2.18

Compare Source

  • Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
  • Fixed duplicate missing extension warnings being displayed (#10938)
  • Fixed hg version detection (#10955)
  • Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)

v2.2.17

Compare Source

  • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
  • Fixed support for disable_functions containing disk_free_space (#10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

v2.2.16

Compare Source

  • Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
  • Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
  • Fixed deprecation notice (#10921)

v2.2.15

Compare Source

  • Fixed support for cache-read-only where the filesystem is not writable (#10906)
  • Fixed type error when using allow-plugins: true (#10909)
  • Fixed @putenv scripts receiving arguments passed to the command (#10846)
  • Fixed support for spaces in paths with binary proxies on Windows (#10836)
  • Fixed type error in GitDownloader if branches cannot be listed (#10888)
  • Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)

v2.2.14

Compare Source

  • Fixed handling of broken symlinks when checking whether a package is still installed (#6708)
  • Fixed name validation regex in schema causing issues with JS IDEs like VS Code (#10811)
  • Fixed bin proxies to allow a proxy to include another one safely (#10823)
  • Fixed gitlab-token JSON schema definition (#10800)
  • Fixed openssl 3.x version parsing as it is now semver compliant
  • Fixed type error when a json file cannot be read (#10818)
  • Fixed parsing of multi-line arrays in funding.yml (#10784)

v2.2.13

Compare Source

  • Fixed invalid credentials loop when setting up GitLab token (#10748)
  • Fixed PHP 8.2 deprecations (#10766)
  • Fixed lock file changes being output even when the lock file creation is disabled
  • Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)
  • Fixed quoting of commas on Windows (#10775)
  • Fixed issue installing path repos with a disabled symlink function (#10786)

v2.2.12

Compare Source

  • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
  • Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
  • Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
  • Fixed validate command checking the lock file even if the lock option is disabled (#10723)

v2.2.11

Compare Source

  • Added missing config.bitbucket-oauth in composer-schema.json
  • Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
  • Updated semver, jsonlint deps for minor fixes
  • Fixed generation of autoload crashing if a package has a broken path (#10688)
  • Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

v2.2.10

Compare Source

  • Fixed Bitbucket authorization detection due to API changes (#10657)
  • Fixed validate command warning about dist/source keys if defined (#10655)
  • Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)

v2.2.9

Compare Source

  • Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)

v2.2.8

Compare Source

  • Fixed files autoloading sort order to be fully deterministic (#10617)
  • Fixed pool optimization pass edge cases (#10579)
  • Fixed require command failing when self.version is used as constraint (#10593)
  • Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)
  • Performance improvement in pool optimization step (composer/semver#131)

v2.2.7

Compare Source

  • Allow installation together with composer/xdebug-handler ^3 (#10528)
  • Fixed support for packages with no licenses in licenses command output (#10537)
  • Fixed handling of allow-plugins: false which kept warning (#10530)
  • Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)
  • Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)
  • Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)
  • Performance improvement in pool optimization step (#10546)

v2.2.6

Compare Source

  • BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#10512)
  • Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)
  • Fixed package search not urlencoding the input (#10500)
  • Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)
  • Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)
  • Fixed test suite compatibility with latest symfony/console releases (#10499)
  • Fixed some error reporting edge cases (#10484, #10451, #10493)

v2.2.5

Compare Source

  • Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)
  • Fixed artifact repositories crashing if a phar file was present in the directory (#10406)
  • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)
  • Fixed handling of non-string versions in package repositories metadata (#10470)

v2.2.4

Compare Source

  • Fixed handling of process timeout when running async processes during installation
  • Fixed GitLab API handling when projects have a repository disabled (#10440)
  • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)
  • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)
  • Fixed support for sourcing binaries via the new bin proxies (#10389)
  • Fixed messaging when GitHub tokens need SSO authorization (#10432)

v2.2.3

Compare Source

  • Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#10387)
  • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#10401)
  • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#336)
  • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#10405)

v2.2.2

Compare Source

  • Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
  • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#10387)
  • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#10404)
  • Fixed UX of plugin warnings (#10381)

v2.2.1

Compare Source

  • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
  • Fixed support for disable_functions containing disk_free_space (#10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

v2.2.0

Compare Source

  • Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
  • Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
  • Fixed self-update failing in some edge cases due to loading plugins (#10371)
  • Fixed display of conflicts showing the wrong package name in some conditions (#10355)

v2.1.14

Compare Source

  • Fixed invalid release build

v2.1.12

Compare Source

  • Fixed issues in proxied binary files relying on __FILE__ / __DIR__ on php <8 (#10261)
  • Fixed 9999999-dev being shown in some cases by the show command (#10260)
  • Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)

v2.1.11

Compare Source

  • Fixed issues in proxied binary files when using declare() on php <8 (#10249)
  • Fixed GitHub Actions output escaping issues (#10243)

v2.1.10

Compare Source

  • Added type annotations to all classes, which may have an effect on CI/static analysis for people using Composer as a dependency (#10159)
  • Fixed CurlDownloader requesting gzip encoding even when no gzip support is present (#10153)
  • Fixed regression in 2.1.6 where the help command was not working for plugin commands (#10147)
  • Fixed warning showing when an invalid cache dir is configured but unused (#10125)
  • Fixed require command reverting changes even though dependency resolution succeeded when something fails in scripts for example (#10118)
  • Fixed require not finding the right package version when some newly required extension is missing from the system (#10167)
  • Fixed proxied binary file issues, now using output buffering (e1dbd65)
  • Fixed and improved error reporting in several edge cases (#9804, #10136, #10163, #10224, #10209)
  • Fixed some more Windows CLI parameter escaping edge cases

v2.1.9

Compare Source

  • Security: Fixed command injection vulnerability on Windows (GHSA-frqg-7g38-6gcf / CVE-2021-41116)
  • Fixed classmap parsing with a new class parser which does not rely on regexes anymore (#10107)
  • Fixed inline git credentials showing up in output in some conditions (#10115)
  • Fixed support for running updates while offline as long as the cache contains enough information (#10116)
  • Fixed show --all foo/bar which as of 2.0.0 was not showing all versions anymore but only the installed one (#10095)
  • Fixed VCS repos ignoring some versions silently when the API rate limit is reached (#10132)
  • Fixed CA bundle to remove the expired Let's Encrypt root CA

v2.1.8

Compare Source

  • Fixed regression in 2.1.7 when parsing classmaps in files containing invalid Unicode (#10102)

v2.1.7

Compare Source

  • Added many type annotations internally, which may have an effect on CI/static analysis for people using Composer as a dependency. This work will continue in following releases
  • Fixed regression in 2.1.6 when parsing classmaps with empty heredocs (#10067)
  • Fixed regression in 2.1.6 where list command was not showing plugin commands (#10075)
  • Fixed issue handling package updates where the package type changed (#10076)
  • Fixed docker being detected as WSL when run inside WSL (#10094)

v2.1.6

Compare Source

  • Updated internal PHAR signatures to be SHA512 instead of SHA1
  • Fixed uncaught exception handler regression (#10022)
  • Fixed more PHP 8.1 deprecation warnings (#10036, #10038, #10061)
  • Fixed corrupted zips in the cache from blocking installs until a cache clear, the bad archives are now deleted automatically on first failure (#10028)
  • Fixed URL sanitizer handling of new github tokens (#10048)
  • Fixed issue finding classes with very long heredocs in classmap autoload (#10050)
  • Fixed proc_open being required for simple installs from zip, as well as diagnose (#9253)
  • Fixed path repository bug causing symlinks to be left behind after a package is uninstalled (#10023)
  • Fixed issue in 7-zip support on windows with certain archives (#10058)
  • Fixed bootstrapping process to avoid loading the composer.json and plugins until necessary, speeding things up slightly (#10064)
  • Fixed lib-openssl detection on FreeBSD (#10046)
  • Fixed support for ircs:// protocol for support.irc composer.json entries

v2.1.5

Compare Source

  • Fixed create-project creating a php: directory in the directory it was executed in (#10020, #10021)
  • Fixed curl downloader to respect default_socket_timeout if it is bigger than our default 300s (#10018)

v2.1.4

Compare Source

  • Fixed PHP 8.1 deprecation warnings (#10008)
  • Fixed support for working within UNC/WSL paths on Windows (#9993)
  • Fixed 7-zip support to also be looked up on Linux/macOS as 7z or 7zz (#9951)
  • Fixed repositories' only/exclude properties to avoid matching names as sub-strings of full package names (#10001)
  • Fixed open_basedir regression from #9855
  • Fixed schema errors being reported incorrectly in some conditions (#9986)
  • Fixed archive command not working with async archive extraction
  • Fixed init command being able to generate an invalid composer.json (#9986)


@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by WhiteSource label Oct 3, 2023
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/composer-composer-2.x-lockfile branch 2 times, most recently from c5cc356 to 3311a79 Compare October 11, 2023 15:35
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/composer-composer-2.x-lockfile branch 2 times, most recently from 5d41e5a to 16da1c9 Compare November 11, 2023 01:34
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/composer-composer-2.x-lockfile branch 2 times, most recently from a665a01 to b586352 Compare November 21, 2023 02:27
@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/composer-composer-2.x-lockfile branch from b586352 to ee26678 Compare November 30, 2023 02:30
@mend-for-github-com mend-for-github-com bot changed the title chore(deps): update dependency composer/composer to v2.2.21 [NEUTRAL] Update dependency composer/composer to v2.2.21 Mar 10, 2024