Composer 2.3 Release

Modernizing Composer internals

As announced in the 2.2 release notes, Composer 2.3 increases the required PHP version to >=7.2.5 and thus stops supporting PHP 5.3.2 - 7.2.4. The 2.2 LTS is still there for users stuck on older PHP versions.

This move allowed us to modernize the code quite a bit, but it does come with a few BC breaks for people integrating with Composer at the PHP level:

  • Added scalar parameter types where possible. This should not break anything, as PHP 7.2 contravariance allows this.
  • Added native return types where possible. This will break code that extends ours and does not declare the same return types. For this reason, our most extended/implemented symbols have not been modified, to retain BC: Composer\IO*, Composer\Installer*, Composer\Autoload\ClassLoader, Composer\InstalledVersions, Composer\Plugin*, Composer\Repository*, Composer\Util\{Filesystem,HttpDownloader,RemoteFilesystem} and a few select others. Hopefully this avoids most breakage, but we may still see some extensions break. If you can fix these breakages by adding return types and move on, that would be the preferred way, but if they are breaking widely used plugins or others which cannot easily be updated everywhere they're used, we will roll back those return type additions as needed. Let us know.
  • Added visibility to all constants. A few internal ones have been made private/protected; if this causes problems, please report it ASAP so we can fix it.
  • The minimum supported Symfony components version is now 5.4. However, this only affects you if you are requiring composer/composer directly, which is generally frowned upon.
  • Added declare(strict_types=1) to all Composer files, which will surely cause regressions in edge cases we do not cover with tests. Please report if you encounter any TypeError.

An appeal to Plugin authors & integrators

This release ideally should have been a 3.0 allowing us to break things a bit further. However the 2.0 release caused much pain throughout the ecosystem as it required all plugins' requires to be updated, so we wanted to avoid doing this again so soon.

That said, if you are an integrator and want to help us avoid issues in the future, I would ask that you make sure to declare native return types on all classes implementing/extending Composer classes. You can do that by following the @return types we have defined. If everyone does this, it gives us a chance to one day be able to also add the native types in Composer itself without breaking anything.

A few other things of note for integrators: as of composer-plugin-api 2.3.0 you now have access to:

  • symfony/process 5.4 and the updated Composer\Util\ProcessExecutor, which allows you to pass commands as arrays instead of strings. This is generally safer, as escaping will be done for you for every parameter/argument, so you should make use of it where possible. See #10435.
  • symfony/console 5.4 which includes full color support as well as support for clickable links in the terminal. See #10430 for some examples.
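
The difference between the string and array forms of ProcessExecutor::execute() described above, as an added example (not code from Composer or from this release). It assumes Composer >= 2.3 classes are autoloadable, a POSIX shell, and a constructed untrusted value in $ref; the vendor/autoload.php path is an assumption and is not needed inside a plugin.

```php
<?php
// Added example, not Composer's own code.
// Assumptions: Composer >= 2.3 is autoloadable and /bin/sh is the shell.
declare(strict_types=1);

use Composer\Util\ProcessExecutor;

// Assumed path for a stand-alone run; a plugin already has the classes loaded.
require __DIR__ . '/vendor/autoload.php';

// Constructed untrusted input, e.g. a ref name taken from package metadata.
$ref = 'feature; echo INJECTED';

// Child PHP script: prints the arguments it actually received as a JSON list,
// which makes it visible how the value was split (or not) on the way in.
$printArgs = 'echo json_encode(array_slice($argv, 1)), PHP_EOL;';

$executor = new ProcessExecutor();

// String form: the whole line is handed to the shell. Everything the caller
// forgot to escape is shell syntax, so ";" ends the first command and the
// rest of $ref runs as a second command.
$asString = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($printArgs) . ' ' . $ref;
$executor->execute($asString, $stringOutput);

// Array form (available from composer-plugin-api 2.3.0): each element is one
// argument and is escaped for you, so $ref reaches the child as one value.
$executor->execute([PHP_BINARY, '-r', $printArgs, $ref], $arrayOutput);

echo "string form output:\n", $stringOutput, "\n";
echo "array form output:\n", $arrayOutput, "\n";

// Simple check a plugin test suite could use: the child must have seen the
// untrusted value as exactly one argument, byte for byte.
$received = json_decode(trim((string) $arrayOutput), true);
if ($received !== [$ref]) {
    fwrite(STDERR, "array form did not pass the value through intact\n");
    exit(1);
}
```

When migrating a plugin, any command built by string concatenation with data that does not originate in your own code (package names, refs, URLs, paths) is a candidate for the array form.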

More performance

We are not able to make huge performance improvements anymore at this point, but a few areas should still be better:

  • The pool optimization step introduced in 2.2.0 was sped up further.
  • The Composer bootstrapping (specifically the version guessing) when running Composer on a feature branch is now faster thanks to git process parallelization.

Find out about other minor features and bugfixes in the complete changelog.