Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed #239
This PR contains the following updates: composer/composer `^2.2.0` -> `^2.2.12`
GitHub Vulnerability Alerts

CVE-2022-24828

The Composer method `VcsDriver::getFileContent()` with user-controlled `$file` or `$identifier` arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver is used.

This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json `readme` field as a vector for injecting parameters into the `$file` argument for the Mercurial driver or via the `$identifier` argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository which is explicitly listed by URL in a project's composer.json.

To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.
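The advisory above describes argument injection: the driver already shell-quotes `$identifier` and `$file`, but quoting only protects the shell, not the option parser of `git`/`hg`, which still sees a value beginning with `-` as an option. The snippet below is an added illustration, not Composer's own code, of a guard that closes that gap before the command is built; `assertNotOptionLike` and `buildGitShowCommand` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added illustration (not Composer's own code): a VCS driver must reject
// option-like revision/path values in addition to shell-escaping them.
declare(strict_types=1);

/**
 * Reject values that a VCS CLI would parse as an option rather than as a
 * revision or path. Hypothetical helper: the property it enforces is that a
 * user-controlled $identifier or $file never starts with '-'.
 */
function assertNotOptionLike(string $value, string $what): void
{
    if ($value === '' || $value[0] === '-') {
        throw new \InvalidArgumentException(
            sprintf('Refusing %s that looks like a CLI option: %s', $what, var_export($value, true))
        );
    }
}

/** Build the `git show <identifier>:<file>` command the way a driver would. */
function buildGitShowCommand(string $file, string $identifier): string
{
    assertNotOptionLike($identifier, 'identifier');
    assertNotOptionLike($file, 'file');

    // escapeshellarg() keeps the shell from interpreting metacharacters, but
    // once the shell strips the quotes, git still receives the bare string and
    // parses a leading '-' as an option. Escaping and the guard above are
    // therefore two separate controls, and both are needed.
    return sprintf('git show %s', escapeshellarg($identifier . ':' . $file));
}

// Constructed sample inputs: a normal tag name and an option-like value.
foreach (['v2.2.12', '-x'] as $identifier) {
    try {
        echo buildGitShowCommand('composer.json', $identifier), PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo 'blocked: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same check applies to the `hg cat -r <identifier> <file>` form, where `$file` is a standalone argument and can be option-like on its own, which is why the advisory lists it as a vector for the Mercurial driver.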
Release Notes

composer/composer

v2.2.12
- `lock` config option is disabled (#10726)
- `validate` command checking the lock file even if the `lock` option is disabled (#10723)

v2.2.11
- `self-update` to pin the Composer version to the 2.2 LTS range (#10682)

v2.2.10

v2.2.9

v2.2.8
- `files` autoloading sort order to be fully deterministic (#10617)
- `require` command failing when `self.version` is used as constraint (#10593)

v2.2.7
- `licenses` command output (#10537)
- `allow-plugins: false` which kept warning (#10530)
- `init` command requiring an email whereas the schema allows a name only (#10538)
- `require` command when requiring packages which do not exist (but are provided by something else you require) (#10541)

v2.2.6
- `COMPOSER_BIN_DIR` env var for binaries added in Composer 2.2.2 had to be renamed to `COMPOSER_RUNTIME_BIN_DIR` (#10512)
- `enum foo:string` without space after `:` (#10498)
- `reinstall` command not firing `pre-install-cmd`/`post-install-cmd` events (#10514)

v2.2.5
- `composer/package-versions-deprecated` by default as it can function using `Composer\InstalledVersions` at runtime (#10458)

v2.2.4

v2.2.3

v2.2.2
- `COMPOSER_BIN_DIR` env var and `_composer_bin_dir` global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with `$BASH_SOURCES[0]` will need to update their binaries (#10402)

v2.2.1
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Read more about the use of Renovate Bot within ocramius/* projects.