Composer 2.2 Release

LTS / Long Term Support

The 2.2 minor release is an LTS (Long Term Support) release. We will provide bugfixes for critical bugs and security issues until at least the end of 2023, and will then reassess based on remaining usage.

The reason we are doing this is that after over 10 years stuck with a PHP 5.3 requirement, Composer 2.3 will increase the required PHP version to >=7.2.5 and thus stop supporting PHP 5.3.2 - 7.2.4. If you are downloading snapshot builds directly (from on PHP versions <7.2.5 this may impact you negatively very soon, see #10341 for more details.

According to our usage metrics requiring PHP >=7.2.5 should leave under 10% of users stuck on Composer 2.2 LTS until they can upgrade their PHP version. With PHP 7.1 reaching EOL more than 2 years ago it is already past time for everyone using 7.1 or below to upgrade.

Performance improvements

A new optimization pass was added to reduce the amount of redundant packages/versions inspected during dependency resolution. This drastically improves memory and CPU usage, in some cases up to 90% reduction. In other cases, especially those which were fast already, the improvements are negligible and not really noticeable. (PRs #9261, #9620)

Optimizer output is visible when using -vv

More secure plugin execution

The new allow-plugins config value enhances security for Composer runtime plugin execution. Composer will now prompt you the first time you use a plugin to be sure that no package can run code during a Composer run if you do not trust it. Of course, after installation a malicious package could still execute code but at least this gives you time to review new dependencies in your lock file.

Please beware, the prompt may hang CI/build pipelines if they aren't using the --no-interaction (-n) option, as they should. (PR #10314)

--ignore-platform-req improvements

Several additions were made to platform config and platform requirement handling in general:

  • Added wildcard support to --ignore-platform-req (e.g. ext-* will ignore all extensions in one go, but retain php and other platform requirements) (PR #10083)
  • Added support for ignoring the upper bound of platform requirements using "name+" notation, e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (PR #10318)
  • Added support for setting platform packages to false in config.platform to disable/hide them if you have extensions installed locally which are not available in production and you want to avoid risking adding a package which requires it. That said using the check-platform-reqs command in your pre-deployment checks is the safest way to avoid accidents in prod. (PR #10308),
    e.g. {"config": {"platform": {"ext-foobar": false}}}

Files autoloading support for plugins

When plugins are executed, an autoloader is created and immediatley loaded while executing Composer. This allows autoloading the plugin as well as its dependencies. Previously files autoload rules were not included in this runtime autoloader because initially lots of these files did not support being included multiple times. But this is not representative of the ecosystem anymore, so we lifted this restriction. The change may however cause issues for some projects which have files autoload rules which do unexpected things. This is not ideal but hopefully any issue cropping up here will be promptly fixed. (PR #10065)

Find out about other minor features and bugfixes in the complete changelog.