Composer 2.4 Release

Auditing dependencies for known security vulnerabilities

Staying on top of disclosed security vulnerabilities in dependencies is a constant challenge. There are many monitoring solutions created to help track the security status of your dependencies. We offer our own Private Packagist Security Monitoring to notify customers through various channels, but not every project can benefit from these solutions.

We are happy to announce that Composer now offers warnings about insecure dependency versions out of the box as part of every composer update (you can turn it off where it does not matter with --no-audit). On install you can get the same warnings, too, with the --audit option. By default, audit on install is off to improve performance, because most installs run automatically without anyone looking at their output, and you get the information anyway when manually editing the lock file with update.

Additionally, you can use the new audit command to view a list of all security advisories affecting any of the installed dependencies. The command is particularly helpful when inspecting an old project's dependencies.

See #10798 and #10898
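To make the matching step concrete, here is an added example (not Composer's own implementation) of what an audit does under the hood: it takes the exact versions recorded in composer.lock and checks each one against the version ranges in advisory data. The advisory shape below follows the Packagist security-advisories feed (an "affectedVersions" Composer constraint string per advisory), but all package names, versions and advisory IDs are constructed, and the range matcher handles only numeric versions with >=, >, <=, <, =, != clauses joined by "," (AND) and "|"/"||" (OR).

```python
"""Offline illustration of auditing locked packages against advisory ranges.
Added example, not Composer's code; LOCK and ADVISORIES are constructed data."""
import re

# Constructed composer.lock excerpt (only the fields used here).
LOCK = {
    "packages": [
        {"name": "foo/bar", "version": "1.5.3"},
        {"name": "acme/http", "version": "2.0.1"},
        {"name": "acme/yaml", "version": "3.4.0"},
    ],
    "packages-dev": [
        {"name": "acme/testkit", "version": "0.9.0"},
    ],
}

# Constructed advisories keyed by package name; IDs are placeholders.
ADVISORIES = {
    "foo/bar": [{"advisoryId": "EXAMPLE-0001", "title": "constructed advisory",
                 "affectedVersions": ">=1.0,<1.6"}],
    "acme/http": [{"advisoryId": "EXAMPLE-0002", "title": "constructed advisory",
                   "affectedVersions": ">=1.0,<1.9|>=2.0,<2.0.1"}],
    "acme/testkit": [{"advisoryId": "EXAMPLE-0003", "title": "constructed advisory",
                      "affectedVersions": "<1.0"}],
}

_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0, "<=": lambda c: c <= 0,
        "<": lambda c: c < 0, "=": lambda c: c == 0, "==": lambda c: c == 0,
        "!=": lambda c: c != 0}
_CLAUSE = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")


def _cmp(a: str, b: str) -> int:
    """Compare dotted numeric versions, padding with zeros (1.5 == 1.5.0).
    Pre-release suffixes are deliberately not handled in this example."""
    pa = [int(x) for x in a.lstrip("v").split(".")]
    pb = [int(x) for x in b.lstrip("v").split(".")]
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, constraint: str) -> bool:
    """'|' or '||' separates OR groups, ',' separates AND clauses, as in Composer."""
    for group in re.split(r"\|\|?", constraint):
        ok = True
        for clause in group.split(","):
            m = _CLAUSE.match(clause.strip())
            if not m:
                raise ValueError(f"unsupported clause: {clause!r}")
            op = m.group(1) or "="
            ok = ok and _OPS[op](_cmp(version, m.group(2)))
        if ok:
            return True
    return False


def audit(lock: dict, advisories: dict, include_dev: bool = True) -> list:
    """Return one finding per (locked package, advisory) whose range matches."""
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings = []
    for section in sections:
        for pkg in lock.get(section, []):
            for adv in advisories.get(pkg["name"], []):
                if is_affected(pkg["version"], adv["affectedVersions"]):
                    findings.append({"package": pkg["name"], "version": pkg["version"],
                                     "advisoryId": adv["advisoryId"], "title": adv["title"]})
    return findings


def main() -> int:
    findings = audit(LOCK, ADVISORIES)
    for f in findings:
        print(f"{f['package']} {f['version']}: {f['advisoryId']} {f['title']}")
    # Non-zero exit so a CI step fails when anything is affected; composer audit
    # likewise exits non-zero when it finds advisories.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Running it lists foo/bar 1.5.3 and the dev-only acme/testkit 0.9.0 as affected, while acme/http 2.0.1 is clean because it sits exactly on the fixed version of its second range. Passing include_dev=False drops the dev finding, which is the distinction a CI job makes when it audits production dependencies only.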

Support for bash completions

Bash completions allow you to use tab completion for composer commands in your terminal. This requires a couple of manual setup steps but is well worth doing.

Once set up, typing composer upd[tab] for example will complete to composer update. Pressing [tab] again will then show you a list of package names that you have installed and could be updated. This also works for require when looking for new package names, as well as many other commands, arguments and option names.

See #10320

Bumping your version constraints more easily

The new bump command lets you increase your requirements to match the versions currently installed. For example, if you require package "foo/bar": "^1" – but you currently have foo/bar 1.5.3 installed – running composer bump foo/bar will update your composer.json requirement to "foo/bar": "^1.5.3".

Bumping requirements ensures dependencies do not later downgrade due to a conflict with a new dependency or an incompatibility among newer releases of existing dependencies. As a small bonus it can make dependency resolution faster as Composer can safely skip older releases without having to consider them for potential installation.

Please be cautious though: if you maintain open source libraries you should keep your requirements as broad as possible to avoid dependency hell for your users. For this reason we do not recommend using bump on libraries without the --dev-only flag, and any project whose composer.json type is not set to project will warn you about this.

You can bump a single package or a set of packages with the same pattern as partial update command calls, i.e. composer bump foo/bar baz/* *lala* will bump packages foo/bar as well as all packages matching the baz/* and *lala* patterns.
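The rewrite that bump performs is easy to state precisely, so here is an added example (not Composer's own implementation) of it: each caret constraint matching the given patterns is raised to the exact version recorded in composer.lock, with --dev-only restricting the change to require-dev, and a warning for non-project packages. The composer.json and composer.lock contents are constructed, and only caret constraints (the case described above) are rewritten; other constraint shapes are left untouched.

```python
"""Added example of the constraint rewrite behind `composer bump`.
Not Composer's code; COMPOSER_JSON and COMPOSER_LOCK are constructed."""
import fnmatch
import json
import re
from typing import Iterable, Optional

COMPOSER_JSON = {
    "name": "acme/app",
    "type": "project",
    "require": {"foo/bar": "^1", "baz/yaml": "^2.1", "acme/lala-kit": "^3"},
    "require-dev": {"phpunit/phpunit": "^9.5"},
}

COMPOSER_LOCK = {
    "packages": [
        {"name": "foo/bar", "version": "1.5.3"},
        {"name": "baz/yaml", "version": "2.4.0"},
        {"name": "acme/lala-kit", "version": "v3.0.2"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.20"}],
}

# Only plain caret constraints such as ^1, ^2.1 or ^v3 are bumped here.
_CARET = re.compile(r"^\^v?\d+(?:\.\d+)*$")


def installed_versions(lock: dict) -> dict:
    """Map package name -> locked version (leading 'v' stripped), prod and dev."""
    return {p["name"]: p["version"].lstrip("v")
            for section in ("packages", "packages-dev")
            for p in lock.get(section, [])}


def bump(composer_json: dict, lock: dict, patterns: Iterable[str] = ("*",),
         dev_only: bool = False) -> dict:
    """Return a copy of composer.json with matching caret constraints bumped.
    Patterns use the same wildcard style as partial updates (foo/bar, baz/*, *lala*).
    dev_only=True touches require-dev only, the safe mode for libraries."""
    result = json.loads(json.dumps(composer_json))  # deep copy; input stays untouched
    versions = installed_versions(lock)
    sections = ["require-dev"] if dev_only else ["require", "require-dev"]
    for section in sections:
        for name, constraint in list(result.get(section, {}).items()):
            if not any(fnmatch.fnmatchcase(name, pat) for pat in patterns):
                continue
            if name not in versions or not _CARET.match(constraint):
                continue  # not installed, or a constraint shape this example leaves alone
            result[section][name] = "^" + versions[name]
    return result


def warn_if_library(composer_json: dict, dev_only: bool) -> Optional[str]:
    """Mirror the warning the text describes for non-project packages."""
    if composer_json.get("type") != "project" and not dev_only:
        return ("composer.json type is not 'project': bumping 'require' narrows "
                "the constraints your users have to satisfy; use --dev-only")
    return None


if __name__ == "__main__":
    warning = warn_if_library(COMPOSER_JSON, dev_only=False)
    if warning:
        print("warning:", warning)
    bumped = bump(COMPOSER_JSON, COMPOSER_LOCK, ("foo/bar", "baz/*", "*lala*"))
    print(json.dumps(bumped, indent=2))
```

With the patterns from the text, foo/bar becomes ^1.5.3, baz/yaml becomes ^2.4.0 and acme/lala-kit becomes ^3.0.2, while phpunit/phpunit stays at ^9.5 because no pattern matched it; with dev_only=True only the require-dev entry would move.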

See #10829

Find out about other minor features and bugfixes in the complete changelog.