2.6.0

• Added audit.ignore config setting to ignore security advisories by id or CVE id (#11556, #11605)
• Added rm alias to the remove command (#11367)
• Added runtime platform check to verify the php-64bit requirement is met (#11334)
• Added platform package detection for lib-pq-libpq and lib-rdkafka-librdkafka (#11418)
• Added --dry-run to dump-autoload command to allow running --strict-psr checks without modifying the filesystem (#11608)
• Added support for bumping patch level in ~1.2.3 constraints (#11590)
• Added prompt in require if the package name is not found but similar ones exist (#11284)
• Added support for env vars and ~ in repository paths for vcs and artifact repositories (#11453)
• Added support for local directory paths for repositories of type composer (#11526)
• Added links to package homepages in why/why-not command output (#11308)
• Added a security key to the support key of composer.json to set the URL to the vulnerability disclosure policy (#11271)
• Added support for gathering security advisories from multiple repositories for a single package (#11436)
• Bumped the composer-plugin-api version to 2.6.0
• Fixed install exit code to be non-zero (5) if a requested security audit failed (#11362)
• Fixed binary proxies causing scripts inspecting $_SERVER['SCRIPT_NAME'] to detect them, they are now more transparent (#11562) (Reverted in 2.6.2)
• Fixed executability of non-php binaries which are not marked executable (#11557) (Reverted in 2.6.1)
• Fixed mtime modification of the vendor dir to only happen when packages are modified, and not require lock file modification to happen (#11593)
• Fixed create-project using the wrong composer.json file if one was set via the COMPOSER env var (#11493)
• Fixed json editing to preserve indentation when updating json files (#11390)
• Fixed handling of broken junctions on windows (#11550)
• Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
• Fixed svn repo parsing in some edge cases (#11350)
• Fixed handling of archive URLs without file extension (#11520)
• Performance improvement in pool optimization step (#11449, #11450)

2.5.8

• Fixed regression in edge cases where root package gets added to a repository already during the install process (#11495)
• Fixed EventDispatcher on windows picking bat files when using @php binary (#11490)
• Fixed ICU CDLR version parsing failing the whole process when ICU cannot initialize the resource bundle (#11492)
• Fixed type declarations on ClassLoader (#11500)

2.5.7

• Fixed regression preventing autoloading the dependencies of metapackages when running --no-dev (#11481)

2.5.6

• BC Warning: Installers and InstallationManager::getInstallPath will now return null instead of an empty string for metapackages' paths. This may have adverse effects on plugin code using this expecting always a string but it is unlikely (#11455)
• Fixed metapackages showing their install path as the root package's path instead of empty (#11455)
• Fixed lock file verification on install to deal better with replace/provide (#11475)
• Fixed lock file having a more recent modification time than the vendor dir when require guesses the constraint after resolution (#11405)
• Fixed numeric default branches with a v prefix being treated as non-numeric ones and receiving an alias like e.g. dev-main would (e51d755)
• Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
• Fixed support for plugin classes being marked as readonly (#11404)
• Fixed getmypid being required as it is not always available (#11401)
• Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)

2.5.5

• Fixed basic auth failures resulting in infinite retry loop (#11320)
• Fixed GitHub rate limit reporting (#11366)
• Fixed InstalledVersions error in Composer 1 compatibility edge case (#11304)
• Fixed issue displaying solver problems with branch names containing % signs (#11359)
• Fixed race condition in cache validity detection when running Composer highly concurrently (#11375)
• Fixed various minor config command issues (#11353, #11302)

2.5.4

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11318)

2.2.21

• Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)

2.5.3

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)

2.2.20

• Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)

2.5.2

• Added warning when require auto-selects a feature branch as that is probably not desired (#11270)
• Fixed self.version requirements reporting lock file integrity errors when changing branches (#11283)
• Fixed require regression which broke the --fixed flag (#11247)
• Fixed security audit reports loading when exclude/only filter rules are used on a repository (#11281)
• Fixed autoloading regression on PHP 5.6 (#11285)
• Fixed archive command including an existing archive into itself if run repeatedly (#11239)
• Fixed dev package prompt in require not appearing in some conditions (#11287)