
Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed #239

@renovate renovate bot commented Oct 31, 2022


This PR contains the following updates:

| Package           | Type        | Update | Change                 |
| ----------------- | ----------- | ------ | ---------------------- |
| composer/composer | require-dev | patch  | `^2.2.0` -> `^2.2.12`  |

GitHub Vulnerability Alerts

CVE-2022-24828

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver is used.

This led to a vulnerability on Packagist.org and Private Packagist, i.e., using the composer.json readme field as a vector for injecting parameters into the $file argument for the Mercurial driver or via the $identifier argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project's composer.json.

To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.
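To check whether a project's lock file still pins an affected 2.2.x release of composer/composer, here is an added Python example; it is not part of this PR or of Composer itself. The composer.lock content is constructed for the demo, and only the 2.2 branch fix stated in this PR (2.2.12) is encoded; other release branches have their own fixed versions.

```python
import json
import re

# Constructed sample composer.lock (not the lock file of the repository this PR targets):
# composer/composer sits in require-dev and is pinned below the fixed 2.2.12.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "1.1.4"},
    ],
    "packages-dev": [
        {"name": "composer/composer", "version": "v2.2.5"},
        {"name": "phpunit/phpunit", "version": "9.5.20"},
    ],
})

# Fixed release on the 2.2 LTS branch, as stated in this PR (CVE-2022-24828).
# Assumption: only the 2.2 branch is checked; 1.10.x and 2.3.x are not encoded here.
FIXED_22 = (2, 2, 12)


def parse_version(raw):
    """Turn a lock-file version such as 'v2.2.5' or '2.2.12' into an int tuple.

    Returns None for branch versions (e.g. 'dev-main'), which cannot be compared.
    A pre-release suffix like '2.2.0-RC1' is kept comparable via its numeric part.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", raw)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def affected_composer(lock_json):
    """Return (section, version, reason) for composer/composer entries that need attention.

    Both 'packages' and 'packages-dev' are inspected, since this PR's bump is in require-dev
    and a build box running a vulnerable dev dependency is still exposed.
    """
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != "composer/composer":
                continue
            ver = parse_version(pkg.get("version", ""))
            if ver is None:
                # Branch aliases cannot be ordered; report them for manual review.
                hits.append((section, pkg["version"], "unparseable"))
            elif ver[:2] == (2, 2) and ver < FIXED_22:
                hits.append((section, pkg["version"], "below 2.2.12"))
    return hits
```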


Release Notes

composer/composer

v2.2.12

  • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
  • Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
  • Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
  • Fixed validate command checking the lock file even if the lock option is disabled (#10723)

v2.2.11

  • Added missing config.bitbucket-oauth in composer-schema.json
  • Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
  • Updated semver, jsonlint deps for minor fixes
  • Fixed generation of autoload crashing if a package has a broken path (#10688)
  • Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)

v2.2.10

  • Fixed Bitbucket authorization detection due to API changes (#10657)
  • Fixed validate command warning about dist/source keys if defined (#10655)
  • Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)

v2.2.9

  • Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)

v2.2.8

  • Fixed files autoloading sort order to be fully deterministic (#10617)
  • Fixed pool optimization pass edge cases (#10579)
  • Fixed require command failing when self.version is used as constraint (#10593)
  • Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)
  • Performance improvement in pool optimization step (composer/semver#131)

v2.2.7

  • Allow installation together with composer/xdebug-handler ^3 (#10528)
  • Fixed support for packages with no licenses in licenses command output (#10537)
  • Fixed handling of allow-plugins: false which kept warning (#10530)
  • Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)
  • Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)
  • Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)
  • Performance improvement in pool optimization step (#10546)

v2.2.6

  • BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#10512)
  • Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)
  • Fixed package search not urlencoding the input (#10500)
  • Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)
  • Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)
  • Fixed test suite compatibility with latest symfony/console releases (#10499)
  • Fixed some error reporting edge cases (#10484, #10451, #10493)

v2.2.5

  • Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)
  • Fixed artifact repositories crashing if a phar file was present in the directory (#10406)
  • Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)
  • Fixed handling of non-string versions in package repositories metadata (#10470)

v2.2.4

  • Fixed handling of process timeout when running async processes during installation
  • Fixed GitLab API handling when projects have a repository disabled (#10440)
  • Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)
  • Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)
  • Fixed support for sourcing binaries via the new bin proxies (#10389)
  • Fixed messaging when GitHub tokens need SSO authorization (#10432)

v2.2.3

  • Fixed issue with PHPUnit and process isolation now including PHPUnit <6.5 (#10387)
  • Fixed interoperability issue with laminas/laminas-zendframework-bridge and Composer 2.2 (#10401)
  • Fixed binary proxies for shell scripts to work correctly when they are symlinked (jakzal/phpqa#336)
  • Fixed overly greedy pool optimization in cases where a locked package is not required by anything anymore in a partial update (#10405)

v2.2.2

  • Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
  • Fixed issue when new binary proxies are combined with PHPUnit and process isolation (#10387)
  • Fixed deprecation warnings when using Symfony 5.4+ and requiring composer/composer itself (#10404)
  • Fixed UX of plugin warnings (#10381)

v2.2.1

  • Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
  • Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
  • Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
  • Fixed support for disable_functions containing disk_free_space (#10936)
  • Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

Read more about the use of Renovate Bot within ocramius/* projects.

@renovate renovate bot added the security label Oct 31, 2022
| datasource | package           | from  | to     |
| ---------- | ----------------- | ----- | ------ |
| packagist  | composer/composer | 2.2.0 | 2.2.12 |
@renovate renovate bot force-pushed the renovate/packagist-composer/composer-vulnerability branch from 2e6108c to a3598f5 on October 31, 2022 12:33
@renovate renovate bot changed the title Update dependency composer/composer to ^2.2.12 [SECURITY] Update dependency composer/composer to ^2.2.12 [SECURITY] - autoclosed Oct 31, 2022
@renovate renovate bot closed this Oct 31, 2022
@renovate renovate bot deleted the renovate/packagist-composer/composer-vulnerability branch October 31, 2022 12:49
@Ocramius Ocramius added this to the 2.7.0 milestone Oct 31, 2022