Bump the composer group across 1 directories with 3 updates

[dependabot]

Bumps the composer group with 3 updates in the /. directory: composer/composer, laminas/laminas-diactoros and phpseclib/phpseclib.

Updates composer/composer from 2.5.1 to 2.7.0

Release notes

Sourced from composer/composer's releases.

2.7.0

• Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
• Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
• Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
• Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
• Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
• Added severity information to audit command output (#11702)
• Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
• Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
• Added support for wildcards in outdated's --ignore arg (#11831)
• Added support for bump command bumping * to >=current version (#11694)
• Added detection of constraints that cannot possibly match anything to validate command (#11829)
• Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
• Added audit of Composer's own bundled dependencies in diagnose command (#11761)
• Added GitHub token expiration date to diagnose command output (#11688)
• Added non-zero status code to why/why-not commands (#11796)
• Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
• Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
• Fixed bump command not bumping packages required with a v prefix (#11764)
• Fixed automatic disabling of plugins when running non-interactive as root
• Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
• Fixed require command crashing at the end if no lock file is present (#11814)
• Fixed root aliases causing problems when auditing locked dependencies (#11771)
• Fixed handling of versions with 4 components in require command (#11716)
• Fixed compatibility issues with Symfony 7
• Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
• Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

2.6.6

• Fixed symfony/console requirement to exclude 7.x as Composer 2.6 is not compatible, 2.7 will be (#11741)
• Fixed libpq parsing to use the global constant if available (#11684)
• Fixed error output when updating with a temporary constraint fails (#11692)

2.6.5

• Fixed error when vendor dir contains broken symlinks (#11670)
• Fixed composer.lock missing from Composer's zip archives (#11674)
• Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)

2.6.4

• Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
• Fixed json output of abandoned packages in audit command (#11647)
• Fixed autoloader suffix to reuse the content-hash from lock file if available to make for more reproducible builds by default (#11663)
• Performance improvement in pool optimization step (#11638)
• Performance improvement in show -a <packagename> (#11659)

2.6.3

• Added audit.abandoned config setting. Can be set to ignore, report (current default) or fail (future default in 2.7) to make the audit command report abandoned packages as a security problem (#11639)
• Added a warning when duplicates files autoload rules are detected (#11109)
• Fixed unhandled promise rejection regression (#11620)
• Fixed loading of root aliases on path repo packages when doing partial updates (#11632)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.7.0] 2024-02-08

• Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
• Changed the default of the audit.abandoned config setting to fail, set it to report or ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643)
• Added --minimal-changes (-m) flag to update/require/remove commands to perform partial update with --with-dependencies while changing only what is absolutely necessary in transitive dependencies (#11665)
• Added --sort-by-age (-A) flag to outdated/show commands to allow sorting by and displaying the release date (most outdated first) (#11762)
• Added support for --self combined with --installed or --locked in show command, to add the root package to the package list being output (#11785)
• Added severity information to audit command output (#11702)
• Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666)
• Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force IPv4 or IPv6, set it to 4 or 6 (#11791)
• Added support for wildcards in outdated's --ignore arg (#11831)
• Added support for bump command bumping * to >=current version (#11694)
• Added detection of constraints that cannot possibly match anything to validate command (#11829)
• Added package source information to the output of install when running in very verbose (-vv) mode (#11763)
• Added audit of Composer's own bundled dependencies in diagnose command (#11761)
• Added GitHub token expiration date to diagnose command output (#11688)
• Added non-zero status code to why/why-not commands (#11796)
• Added error when calling show --direct <package> with an indirect/transitive dependency (#11728)
• Added COMPOSER_FUND=0 env var to hide calls for funding (#11779)
• Fixed bump command not bumping packages required with a v prefix (#11764)
• Fixed automatic disabling of plugins when running non-interactive as root
• Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787)
• Fixed require command crashing at the end if no lock file is present (#11814)
• Fixed root aliases causing problems when auditing locked dependencies (#11771)
• Fixed handling of versions with 4 components in require command (#11716)
• Fixed compatibility issues with Symfony 7
• Fixed composer.json remaining behind after a --dry-run of the require command (#11747)
• Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803)

[2.6.6] 2023-12-08

• Fixed symfony/console requirement to exclude 7.x as Composer 2.6 is not compatible, 2.7 will be (#11741)
• Fixed libpq parsing to use the global constant if available (#11684)
• Fixed error output when updating with a temporary constraint fails (#11692)

[2.6.5] 2023-10-06

• Fixed error when vendor dir contains broken symlinks (#11670)
• Fixed composer.lock missing from Composer's zip archives (#11674)
• Fixed AutoloadGenerator::dump() non-BC signature change in 2.6.4 (cb363b0e8)

[2.6.4] 2023-09-29

• Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
• Fixed json output of abandoned packages in audit command (#11647)
• Performance improvement in pool optimization step (#11638)
• Performance improvement in show -a <packagename> (#11659)

[2.6.3] 2023-09-15

... (truncated)

Commits

• 96d107e Release 2.7.0
• eea73da Update changelog
• 64e4eb3 Merge pull request from GHSA-7c6p-848j-wh5h
• 7442981 Add flag alias to docs
• 7a6bb18 Adds a test for no dev (#11833)
• 67d80e1 Fix php7.2
• df8f9f0 Update tests
• 754f286 Add non-zero return codes when why-not finds a reason a package is not instal...
• 7cb92a9 Introduce COMPOSER_AUDIT_ABANDONED env var (#11794)
• e0807d3 Diagnose command: Add GitHub OAuth token expiration date information (#11688)
• Additional commits viewable in compare view

Updates laminas/laminas-diactoros from 2.24.0 to 2.26.0

Release notes

Sourced from laminas/laminas-diactoros's releases.

2.26.0

Release Notes for 2.26.0

Feature release (minor)

2.26.0

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Enhancement

• 176: Update PHP constraints to allow v8.3 thanks to @​ADmad

2.25.1

Release Notes for 2.25.1

2.25.x bugfix release (patch)

2.25.1

• Total issues resolved: 0

• Total pull requests resolved: 1

• Total contributors: 1

• 138: Merge release 2.24.1 into 2.25.x thanks to @​github-actions[bot]

2.25.0

Release Notes for 2.25.0

Added

Adds support for the PSR-7 v1.1 release.

2.25.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 2

Enhancement

• 133: Allow usage with PSR-7 v1.1 thanks to @​weierophinney

Review Needed,renovate

• 130: Lock file maintenance thanks to @​renovate[bot]

2.24.1

... (truncated)

Commits

• 6584d44 Merge pull request #176 from ADmad/2.26.x
• 50dc954 Update PHP constraints to allow v8.3
• 39811fb Lock file maintenance
• 800f287 Lock file maintenance
• cf8a441 Lock file maintenance
• 7e721a6 Merge pull request from GHSA-xv3h-4844-9h36
• 2bc0d0b security: strict match regex start/end
• 79fdb15 Lock file maintenance
• 7f05862 Merge pull request #139 from laminas/2.25.x-merge-up-into-2.26.x_FwrpcKWF
• 13f45e5 Merge pull request #138 from laminas/2.24.x-merge-up-into-2.25.x_sar9mpV4
• Additional commits viewable in compare view

Updates phpseclib/phpseclib from 3.0.21 to 3.0.35

Release notes

Sourced from phpseclib/phpseclib's releases.

3.0.35

• SSH2: implement terrapin attack countermeasures (#1972)
• SSH2: only capture login info once (#1970)
• Crypt/AsymmetricKey: loading hidden custom key plugins didn't work (#1971)

3.0.34

• SSH2: add support for RFC8308 (#1960)
• SSH2: don't use AES GCM for TurboFTP Server (#1957)
• SSH2: reset more internal variables when connection is reset (#1961)
• PKCS8: PBES1 / RC2 and PBES2 / DES keys didn't work (#1958)
• EC/Signature/Format: add new IEEE format (#1956)
• Math/BigInteger/Engines/PHP: PHP 8.2.13+ fixes Windows JIT issue
• Math/BinaryField: fix for excessively large degrees (CVE-2023-49316)
• Math/PrimeField: fix occasional error with squareRoot method

3.0.33

• SSH2: fix for PHP 7.3 (#1953)
• Crypt: improve ARM detection code (#1949)
• Rijndael: fix for PHP 8.3+ compatability (#1944)
• X509: fix for weird characters in subjaltname (#1943)
• move JIT check to BigInteger (#1942)

3.0.23

• fix "Undefined index: jit" error on Windows (#1940)

3.0.22

• SFTP: make it so SFTP::RESUME also sets offset of local file (#1921)
• SFTP: RESUME_START didn't work as described (#1921)
• SFTP: fix SFTPv2 errors when logging errors (#1933)
• SFTP: fix issue with get() downloading to files / streams (#1934)
• BigInteger: use GMP if available (#1928)
• Rijndael: fix E_DEPRECATED (#1935)
• improve PHP32 compatibility (#1931)

Changelog

Sourced from phpseclib/phpseclib's changelog.

3.0.35 - 2023-12-18

• SSH2: implement terrapin attack countermeasures (#1972)
• SSH2: only capture login info once (#1970)
• Crypt/AsymmetricKey: loading hidden custom key plugins didn't work (#1971)

3.0.34 - 2023-11-27

• SSH2: add support for RFC8308 (#1960)
• SSH2: don't use AES GCM for TurboFTP Server (#1957)
• SSH2: reset more internal variables when connection is reset (#1961)
• PKCS8: PBES1 / RC2 and PBES2 / DES keys didn't work (#1958)
• EC/Signature/Format: add new IEEE format (#1956)
• Math/BigInteger/Engines/PHP: PHP 8.2.13+ fixes Windows JIT issue
• Math/BinaryField: fix for excessively large degrees (CVE-2023-49316)
• Math/PrimeField: fix occasional error with squareRoot method

3.0.33 - 2023-10-21

• SSH2: fix for PHP 7.3 (#1953)
• Crypt: improve ARM detection code (#1949)
• Rijndael: fix for PHP 8.3+ compatability (#1944)
• X509: fix for weird characters in subjaltname (#1943)
• move JIT check to BigInteger (#1942)

3.0.23 - 2023-09-18

• fix "Undefined index: jit" error on Windows (#1940)

3.0.22 - 2023-09-15

• SFTP: make it so SFTP::RESUME also sets offset of local file (#1921)
• SFTP: RESUME_START didn't work as described (#1921)
• SFTP: fix SFTPv2 errors when logging errors (#1933)
• SFTP: fix issue with get() downloading to files / streams (#1934)
• BigInteger: use GMP if available (#1928)
• Rijndael: fix E_DEPRECATED (#1935)
• improve PHP32 compatibility (#1931)

Commits

• 4b1827b Merge branch '2.0' into 3.0
• 498e67a Merge branch '1.0' into 2.0
• db27873 CHANGELOG: add 1.0.22 release
• 80bc33b Merge branch '2.0' into 3.0
• 542a044 Merge branch '1.0' into 2.0
• c8e3ab9 SSH2: implement terrapin attack countermeasures
• 4bdfec9 Crypt/AsymmetricKey: loading hidden custom key plugins didn't work
• d2cd758 Merge branch '2.0' into 3.0
• 90de8f1 Merge branch '1.0' into 2.0
• 23f117e SSH2: only capture login info once
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.