Composer 2.9 Release

We are pleased to announce the release of Composer 2.9.0, bringing improvements to security, repository management from the CLI, and lots more.

Automatic Security Blocking

Composer now automatically blocks updates to packages with known security advisories. This protection is enabled by default and prevents you from accidentally updating to vulnerable package versions. You can configure this behavior via the new audit.block-insecure config settings if needed.

This feature complements the existing composer audit command that you can run on an existing composer.lock file to receive a report on whether any of the packages currently installed contain known vulnerabilities.

Optionally, you can also block abandoned packages via audit.block-abandoned. This is not enabled by default.

See #11956

New Repository Command

Managing repositories just got easier with the new repository command. Add, remove, or update repositories directly from the command line without manually editing your composer.json. Repositories are now stored as a JSON array by default with name properties for better addressing and organization.

composer repo list
composer repo add foo vcs https://github.com/acme/foo
composer repo add bar composer https://repo.packagist.com/bar
composer repo add qux vcs https://example.org --after bar
composer repo remove foo
composer repo set-url foo https://git.example.org/acme/foo

See #12388

Automatic Lock File Conflict Recovery

Composer now automatically recovers from simple lock file conflicts during updates. If only the content-hash property has a conflict, you can run update --lock or re-apply an update of some package and it will read the lock file while ignoring the git conflict markers.

See #11517
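
As an added example (not Composer's own code), this Python check classifies a conflicted composer.lock before you rely on the recovery described above: it reports whether every git conflict region contains only content-hash lines. The sample lock contents, hashes and branch name are constructed.

```python
import re

# Matches a line that holds only the content-hash property of composer.lock.
HASH_LINE = re.compile(r'^\s*"content-hash"\s*:\s*"[0-9a-f]+"\s*,?\s*$')

# Constructed sample: a lock file whose only conflict is the content-hash.
SIMPLE = """{
<<<<<<< HEAD
    "content-hash": "0123456789abcdef0123456789abcdef",
=======
    "content-hash": "fedcba9876543210fedcba9876543210",
>>>>>>> feature/add-package
    "packages": []
}
"""
# Constructed sample: another property conflicts too, so it needs manual review.
COMPLEX = SIMPLE.replace("=======", '    "minimum-stability": "dev",\n=======')

def conflict_regions(text):
    """Return one list per conflict region with the lines found between the
    <<<<<<< and >>>>>>> markers (marker and separator lines excluded)."""
    regions, current = [], None
    for line in text.splitlines():
        if line.startswith("<<<<<<<"):
            if current is not None:
                raise ValueError("nested conflict start marker")
            current = []
        elif line.startswith(">>>>>>>"):
            if current is None:
                raise ValueError("conflict end marker without start")
            regions.append(current)
            current = None
        # "|||||||" is the base separator written by git's diff3 conflict style.
        elif current is not None and not line.startswith(("=======", "|||||||")):
            current.append(line)
    if current is not None:
        raise ValueError("unterminated conflict region")
    return regions

def only_content_hash_conflicts(text):
    """True when the file has a conflict and every conflicting line is a
    content-hash line, i.e. the simple case the release notes describe."""
    regions = conflict_regions(text)
    return bool(regions) and all(
        lines and all(HASH_LINE.match(l) for l in lines) for lines in regions)

if __name__ == "__main__":
    for name, text in (("SIMPLE", SIMPLE), ("COMPLEX", COMPLEX)):
        print(name, only_content_hash_conflicts(text))
```

A False result means the conflict touches more than the hash and the lock file should be resolved and reviewed by hand.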

Other Notable Improvements

  • Minimal Changes Updates: New --minimal-changes flag for full updates that modifies only the packages necessary to satisfy changed constraints #12349
  • Forgejo/Codeberg Support: Native support for Forgejo repositories #12307
  • Performance: Improved script handler performance through reduced autoloader creation, added HTTP/3 support

Find out about other features and bugfixes in the complete changelog.