Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the composer group across 1 directory with 3 updates #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump the composer group across 1 directory with 3 updates #4

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Jun 10, 2024

Bumps the composer group with 3 updates in the / directory: composer/composer, guzzlehttp/psr7 and symfony/http-kernel.

Updates composer/composer from 2.4.1 to 2.7.7

Release notes

Sourced from composer/composer's releases.

2.7.7

This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion, reported by Splitline Huang (3130a7455, 04a63b324)
  • Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  • Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  • Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  • Fixed ability for config command to remove autoload keys (#11967)
  • Fixed empty type support in init command (#11999)
  • Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  • Fixed regression showing network errors on PHP <8.1 (#11974)
  • Fixed some color bleed from a few warnings (#11972)

Full Changelog: composer/composer@2.7.6...2.7.7

2.7.6

  • Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

2.7.5

  • Added uninstall alias to remove command (#11951)
  • Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
  • Fixed root usage warnings showing up within Podman containers (#11946)
  • Fixed config command not handling objects correctly in some conditions (#11945)
  • Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
  • Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
  • Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)

2.7.4

  • Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in an pre-2.7.3 version (#11943, #11940)

As a side-note, requiring composer/composer is frowned upon and should really only be done in circumstances where it is absolutely necessary, and ideally you should talk to us first to see if we can't help avoid it or help by extracting some code in a smaller library.

2.7.3

  • BC Warning: Fixed https_proxy env var falling back to http_proxy's value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
  • Fixed show and outdated commands to remove leading v in e.g. v1.2.3 when showing lists of packages (#11925)
  • Fixed audit command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
  • Fixed the warning about a missing default version showing for packages with project type as those are typically not versioned and do not have cyclic dependencies (#11885)
  • Fixed PHP 8.4 deprecation warnings
  • Fixed clear-cache command to respect the config.cache-dir setting from the local composer.json (#11921)
  • Fixed status command not handling failed download/install promises correctly (#11889)
  • Added support for buy_me_a_coffee in GitHub funding files (#11902)
  • Added hg support for SSH urls (#11878)
  • Fixed some env vars with an integer value causing a crash (#11908)
  • Fixed context data not being output when using IOInterface as a PSR-3 logger (#11882)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.7.7] 2024-06-10

  • Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
  • Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
  • Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
  • Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
  • Security: Fixed perforce argument escaping (3773f775)
  • Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
  • Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
  • Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
  • Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
  • Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
  • Fixed ability for config command to remove autoload keys (#11967)
  • Fixed empty type support in init command (#11999)
  • Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
  • Fixed regression showing network errors on PHP <8.1 (#11974)
  • Fixed some color bleed from a few warnings (#11972)

[2.7.6] 2024-05-04

  • Fixed regression when script handlers add an autoloader which uses a private callback (#11960)

[2.7.5] 2024-05-03

  • Added uninstall alias to remove command (#11951)
  • Added workaround for broken curl versions 8.7.0/8.7.1 causing transport exceptions (#11913)
  • Fixed root usage warnings showing up within Podman containers (#11946)
  • Fixed config command not handling objects correctly in some conditions (#11945)
  • Fixed binary proxies not containing the correct path if the project dir is a symlink (#11947)
  • Fixed Composer autoloader being overruled by project autoloaders when they are loaded by event handlers (scripts/plugins) (#11955)
  • Fixed TransportException (http failures) not having a distinct exit code, should now exit with 100 as code (#11954)

[2.7.4] 2024-04-22

  • Fixed regression (Call to undefined method ProxyManager::needsTransitionWarning()) with projects requiring composer/composer in an pre-2.7.3 version (#11943, #11940)

[2.7.3] 2024-04-19

  • BC Warning: Fixed https_proxy env var falling back to http_proxy's value, this is still in place but with a warning for now, and https_proxy can now be set empty to remove the fallback. Composer 2.8.0 will remove the fallback so make sure you heed the warnings (#11915)
  • Fixed show and outdated commands to remove leading v in e.g. v1.2.3 when showing lists of packages (#11925)
  • Fixed audit command not showing any id when no CVE is present, the advisory ID is now shown (#11892)
  • Fixed the warning about a missing default version showing for packages with project type as those are typically not versioned and do not have cyclic dependencies (#11885)
  • Fixed PHP 8.4 deprecation warnings
  • Fixed clear-cache command to respect the config.cache-dir setting from the local composer.json (#11921)
  • Fixed status command not handling failed download/install promises correctly (#11889)
  • Added support for buy_me_a_coffee in GitHub funding files (#11902)
  • Added hg support for SSH urls (#11878)
  • Fixed some env vars with an integer value causing a crash (#11908)
  • Fixed context data not being output when using IOInterface as a PSR-3 logger (#11882)

... (truncated)

Commits

Updates guzzlehttp/psr7 from 2.4.1 to 2.6.2

Release notes

Sourced from guzzlehttp/psr7's releases.

2.6.2

Fixed

  • Fixed another issue with the fact that PHP transforms numeric strings in array keys to ints

Changed

  • Updated links in docs to their canonical versions
  • Replaced call_user_func* with native calls

See also the change log for changes.

2.6.1

See change log for changes.

2.6.0

See change log for changes.

2.5.1

See change log for changes.

2.5.0

See change log for changes.

2.4.5

See change log for changes.

2.4.4

See change log for changes.

2.4.3

See change log for changes.

2.4.2

See change log for changes.

Changelog

Sourced from guzzlehttp/psr7's changelog.

2.6.2 - 2023-12-03

Fixed

  • Fixed another issue with the fact that PHP transforms numeric strings in array keys to ints

Changed

  • Updated links in docs to their canonical versions
  • Replaced call_user_func* with native calls

2.6.1 - 2023-08-27

Fixed

  • Properly handle the fact that PHP transforms numeric strings in array keys to ints

2.6.0 - 2023-08-03

Changed

  • Updated the mime type map to add some new entries, fix a couple of invalid entries, and remove an invalid entry
  • Fallback to application/octet-stream if we are unable to guess the content type for a multipart file upload

2.5.1 - 2023-08-03

Fixed

  • Corrected mime type for .acc files to audio/aac

Changed

  • PHP 8.3 support

2.5.0 - 2023-04-17

Changed

  • Adjusted psr/http-message version constraint to ^1.1 || ^2.0

2.4.5 - 2023-04-17

Fixed

  • Prevent possible warnings on unset variables in ServerRequest::normalizeNestedFileSpec
  • Fixed Message::bodySummary when preg_match fails
  • Fixed header validation issue

2.4.4 - 2023-03-09

... (truncated)

Commits

Updates symfony/http-kernel from 5.4.12 to 5.4.40

Release notes

Sourced from symfony/http-kernel's releases.

v5.4.40

Changelog (symfony/http-kernel@v5.4.39...v5.4.40)

  • no significant changes

v5.4.39

Changelog (symfony/http-kernel@v5.4.38...v5.4.39)

v5.4.38

Changelog (symfony/http-kernel@v5.4.37...v5.4.38)

  • no significant changes

v5.4.37

Changelog (symfony/http-kernel@v5.4.36...v5.4.37)

  • no significant changes

v5.4.36

Changelog (symfony/http-kernel@v5.4.35...v5.4.36)

v5.4.35

Changelog (symfony/http-kernel@v5.4.34...v5.4.35)

  • no significant changes

v5.4.34

Changelog (symfony/http-kernel@v5.4.33...v5.4.34)

v5.4.33

Changelog (symfony/http-kernel@v5.4.32...v5.4.33)

  • no significant changes

v5.4.32

Changelog (symfony/http-kernel@v5.4.31...v5.4.32)

  • no significant changes

v5.4.31

Changelog (symfony/http-kernel@v5.4.30...v5.4.31)

... (truncated)

Commits
  • 3ad0318 Update VERSION for 5.4.40
  • 3e9a729 Revert "minor #54653 Auto-close PRs on subtree-splits (nicolas-grekas)"
  • 67d0b0a minor #54785 Remove calls to TestCase::iniSet() and calls to deprecated met...
  • 77810d5 Remove calls to getMockForAbstractClass()
  • 880afee Remove calls to TestCase::iniSet() and calls to deprecated methods of `Mock...
  • 51ffc08 minor #54768 Remove calls to onConsecutiveCalls() (alexandre-daubois)
  • aa6a398 Remove calls to onConsecutiveCalls()
  • 96e9ede Bump Symfony version to 5.4.40
  • 1d812dc Update VERSION for 5.4.39
  • f580349 Auto-close PRs on subtree-splits
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the composer group across 1 directory with 3 updates
7f7f536 
Bumps the composer group with 3 updates in the / directory: [composer/composer](https://github.com/composer/composer), [guzzlehttp/psr7](https://github.com/guzzle/psr7) and [symfony/http-kernel](https://github.com/symfony/http-kernel).


Updates `composer/composer` from 2.4.1 to 2.7.7
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.4.1...2.7.7)

Updates `guzzlehttp/psr7` from 2.4.1 to 2.6.2
- [Release notes](https://github.com/guzzle/psr7/releases)
- [Changelog](https://github.com/guzzle/psr7/blob/2.6/CHANGELOG.md)
- [Commits](guzzle/psr7@2.4.1...2.6.2)

Updates `symfony/http-kernel` from 5.4.12 to 5.4.40
- [Release notes](https://github.com/symfony/http-kernel/releases)
- [Changelog](https://github.com/symfony/http-kernel/blob/7.1/CHANGELOG.md)
- [Commits](symfony/http-kernel@v5.4.12...v5.4.40)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-type: indirect
  dependency-group: composer
- dependency-name: guzzlehttp/psr7
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/http-kernel
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file php Pull requests that update Php code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants