Search code, repositories, users, issues, pull requests...

Added build provenance attestation so you can also now download and verify phar files from GitHub releases:
```
  gh release --repo composer/composer download --pattern composer.phar
  gh attestation verify --repo composer/composer composer.phar
```
- Fixed unsupported funding values causing parse errors in packages (#12247)
- Fixed support for a few newer funding formats (#12257)
- Fixed InstalledVersions regression from 2.8.4 when reload() is used (#12269)
- Fixed psr-0/psr-4 rules having unstable order in vendor/composer/autoload*.php (#12263)
- Fixed a few warnings happening incorrectly in edge cases (#12284, #12268, #12283)

`v2.8.4`

Fixed exit code of the audit command not being meaningful (now 1 for vulnerabilities and 2 for abandoned, 3 for both) (#12203)
- Fixed issue on plugin upgrade when it defines multiple classes (#12226)
- Fixed duplicate errors appearing in the output depending on php settings (#12214)
- Fixed InstalledVersions returning duplicate data in some instances (#12225)
- Fixed installed.php sorting to be deterministic (#12197)
- Fixed bump-after-update failing when using inline constraints (#12223)
- Fixed create-project command to now disable symlinking when used with a path repo as argument (#12222)
- Fixed validate --no-check-publish to hide publish errors entirely as they are irrelevant (#12196)
- Fixed audit command returning a failing code when composer audit fails as this should not trigger build failures, but running audit as standard part of your build is probably a terrible idea anyway (#12196)
- Fixed curl usage to disable multiplexing on broken versions when proxies are in use (#12207)

`v2.8.3`

Fixed windows handling of process discovery (#12180)
- Fixed react/promise requirement to allow 2.x installs again (#12188)
- Fixed some issues when lock:false is set in require and bump commands

`v2.8.2`

Fixed crash while suggesting providers if they have no description (#12152)
- Fixed issues creating lock files violating the schema in some circumstances (#12149)
- Fixed create-project regression in 2.8.1 when using path repos with relative paths (#12150)
- Fixed ctrl-C aborts not working inside text prompts (#12106)
- Fixed git failing silently when git cannot read a repo due to ownership violations (#12178)
- Fixed handling of signals in non-PHP binaries run via proxies (#12176)

`v2.8.1`

Fixed init command regression when no license is provided (#12145)
- Fixed --strict-ambiguous flag handling whereas it sometimes did not report all issues (#12148)
- Fixed create-project to inherit the target folder's permissions for installed project files (#12146)
- Fixed a few cases where the prompt for using a parent dir's composer.json fails to work correctly (#8023)

`v2.8.0`

BC Warning: Fixed https_proxy env var falling back to http_proxy's value. The fallback and warning have now been removed per the 2.7.3 release notes (#11938, #11915)
- Added --patch-only flag to the update command to restrict updates to patch versions and make an update of all deps safer (#12122)
- Added --abandoned flag to the audit command to configure how abandoned packages should be treated, overriding the audit.abandoned config setting (#12091)
- Added --ignore-severity flag to the audit command to ignore one or more advisory severities (#12132)
- Added --bump-after-update flag to the update command to run bump after the update is done (#11942)
- Added a way to control which scripts receive additional CLI arguments and where they appear in the command, see the docs (#12086)
- Added allow-missing-requirements config setting to skip the error when the lock file is not fulfilling the composer.json's dependencies (#11966)
- Added a JSON schema for the composer.lock file (#12123)
- Added better support for Bitbucket app passwords when cloning repos / installing from source (#12103)
- Added --type flag to filter packages by type(s) in the reinstall command (#12114)
- Added --strict-ambiguous flag to the dump-autoload command to make it return with an error code if duplicate classes are found (#12119)
- Added warning in dump-autoload when vendor files have been deleted (#12139)
- Added warnings for each missing platform package when running create-project to avoid having to run it again and again (#12120)
- Added sorting of packages in allow-plugins when sort-packages is enabled (#11348)
- Added suggestion of provider packages / polyfills when an ext or lib package is missing (#12113)
- Improved interactive package update selection by first outputting all packages and their possible updates (#11990)
- Improved dependency resolution failure output by sorting the output in a deterministic and (often) more logical way (#12111)
- Fixed PHP 8.4 deprecation warnings about E_STRICT (#12116)
- Fixed init command to validate the given license identifier (#12115)
- Fixed version guessing to be more deterministic on feature branches if it appears that it could come from either of two mainline branches (#12129)
- Fixed COMPOSER_ROOT_VERSION env var handling to treat 1.2 the same as 1.2.x-dev and not 1.2.0 (#12109)
- Fixed require command skipping new stability flags from the lock file, causing invalid lock file diffs (#12112)
- Fixed php://stdin potentially being open several times when running Composer programmatically (#12107)
- Fixed handling of platform packages in why-not command and partial updates (#12110)
- Reverted "Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)" from 2.7.8 as it was broken

`v2.7.9`

Fixed Docker detection breaking on constrained environments (#12095)
- Fixed upstream issue in bash completion script, it is recommended to update it using the completion command (#12015)

`v2.7.8`

Added release-age, release-date and latest-release-date in the JSON output of outdated (#12053)
- Fixed PHP 8.4 deprecation warnings
- Fixed addressability of branches containing # signs (#12042)
- Fixed bump command not handling some ~ constraints correctly (#12038)
- Fixed COMPOSER_AUTH not taking precedence over ./auth.json (#12084)
- Fixed relative: true sometimes not being respected in path repo symlinks (#12092)
- Fixed copy from cache sometimes failing on VirtualBox shared folders (#12057)
- Fixed PSR-4 autoloading order regression in some edge case (#12063)
- Fixed duplicate lib-* packages causing issues when having pecl + core versions of the same PHP extension (#12093)
- Fixed transport-options.ssl for local cert authorization being stored in lock file making them less portable (#12019)
- Fixed memory issues when installing large binaries (#12032)
- Fixed archive command crashing when a path cannot be realpath'd on windows (#11544)
- API: Deprecated BasePackage::$stabilities in favor of BasePackage::STABILITIES (685add7)
- Improved Docker detection (#12062)

infection/infection (infection/infection)

`v0.29.10`: Require PHP 8.2. Switch to `shish/safe`to fix issue with`thecodingmachine/safe`

Fixed:

Attempt to switch to shish/safe to fix issue with thecodingmachine/safe by @sanmai in https://github.com/infection/infection/pull/2017

Changed:

Bump PHP version to 8.2 by @maks-rafalko in https://github.com/infection/infection/pull/2018

Full Changelog: infection/infection@0.29.9...0.29.10

`v0.29.9`: New PHP 8.4 mutators, remove PHP 8.4 deprecations

Added:

Add PHP 8.4 mutator to replace array_all() with true by @maks-rafalko in https://github.com/infection/infection/pull/2009
Add PHP 8.4 mutator to replace array_any() with true by @maks-rafalko in https://github.com/infection/infection/pull/2010
Make sure Infection mutates PHP 8.4 getters (new syntax) by @maks-rafalko in https://github.com/infection/infection/pull/2011

Changed:

Update nikic/php-parser to the latest version to support PHP 8.4 mutators by @maks-rafalko in https://github.com/infection/infection/pull/2008

Full Changelog: infection/infection@0.29.8...0.29.9

`v0.29.8`: PHPUnit 11 compatibility, performance improvement thanks to `stopOnDefect`

Added:

use $GLOBALS['_composer_autoload_path'] if possible by @Kanti in https://github.com/infection/infection/pull/2002
add stopOnDefect by @Kanti in https://github.com/infection/infection/pull/2003

Changed:

fix phpunit 11 config (cacheResultFile -> cacheDirectory) by @Kanti in https://github.com/infection/infection/pull/2003

New Contributors

@Kanti made their first contribution in https://github.com/infection/infection/pull/2002

Full Changelog: infection/infection@0.29.7...0.29.8

`v0.29.7`: Diff colorizer fix for multiline cases, PHP 8.4 support in pipelines

What's Changed

Fixed:

Fallback to the simple diff colorizer (previous implementation) for multiline diffs by @maks-rafalko in https://github.com/infection/infection/pull/2000
Fix PHP-Parser 5.0 and 5.1 compatibility in tests by @sidz in https://github.com/infection/infection/pull/1994

Added:

Add PHP 8.4 to the pipeline by @sidz in https://github.com/infection/infection/pull/1992

Changed:

Run e2e tests in parallel by @maks-rafalko in https://github.com/infection/infection/pull/1990
Redirect stderr to stdout for e2e tests by @maks-rafalko in https://github.com/infection/infection/pull/1991
Un-prophecyze in favor of phpunit mock by @sidz in https://github.com/infection/infection/pull/1993
Use Null Coalescing Assignment Operator by @sidz in https://github.com/infection/infection/pull/1995

Full Changelog: infection/infection@0.29.6...0.29.7

`v0.29.6`: Ignore `switch(bool)` statements in `TrueValue` and `FalseValue` mutators

Changed:

Ignore switch(bool) statements in TrueValue and FalseValue mutators. by @shanept in https://github.com/infection/infection/pull/1986

New Contributors

@shanept made their first contribution in https://github.com/infection/infection/pull/1986

Full Changelog: infection/infection@0.29.5...0.29.6

`v0.29.5`

Added:

Update GitHub actions used by @vincentchalamon in https://github.com/infection/infection/pull/1979
Introduce GitHub Actions Concurrency used by @vincentchalamon in https://github.com/infection/infection/pull/1979

`v0.29.4`

Added:

Introduce --logger-project-root-directory by @vincentchalamon in https://github.com/infection/infection/pull/1978

`v0.29.3`: Add support for `colinodell/json5` v3

Changed:

Add support for colinodell/json5 v3 by @Slamdunk in https://github.com/infection/infection/pull/1976

Full Changelog: infection/infection@0.29.2...0.29.3

`v0.29.2`: Highlight inline differences in CLI

Added:

[Logs] Highlight inline differences in CLI by @Slamdunk in https://github.com/infection/infection/pull/1974

Full Changelog: infection/infection@0.29.1...0.29.2

`v0.29.1`: Fix usage of custom mutator with bootstrap file

Fixed:

Fix usage of custom mutator with bootstrap file by @maks-rafalko in https://github.com/infection/infection/pull/1973

Full Changelog: infection/infection@0.29.0...0.29.1

`v0.29.0`

Added:

Support custom mutators by @vss414 in https://github.com/infection/infection/pull/1686
Custom mutator generator by @maks-rafalko in https://github.com/infection/infection/pull/1969

Read about how to create custom mutators: https://infection.github.io/guide/custom-mutators.html

Changed:

Move Infection\Mutator\Mutator to a separate package by @maks-rafalko in https://github.com/infection/infection/pull/1963
Make Mutator::getDefinition return type non-nullable by @maks-rafalko in https://github.com/infection/infection/pull/1958
Enable Rector's AddCoversClassAttributeRector rule by @maks-rafalko in https://github.com/infection/infection/pull/1962
Mention Discord instead of Slack in issue github template by @staabm in https://github.com/infection/infection/pull/1951
test: Force mutators to include remedies by @theofidry in https://github.com/infection/infection/pull/1954
Use the latest composer 2 to prevent issue with incompatibility for Box and composer 2.1 by @maks-rafalko in https://github.com/infection/infection/pull/1957
Use the latest v1 test checker action by @maks-rafalko in https://github.com/infection/infection/pull/1960
Upgrade Rector and fix new issues by @maks-rafalko in https://github.com/infection/infection/pull/1961
Use new PHP-CS-Fixer with parallelization by @maks-rafalko in https://github.com/infection/infection/pull/1964
Remove our own custom FQCN visitor as we already use php-parser's NameResolver visitor by @maks-rafalko in https://github.com/infection/infection/pull/1967
Replace deprecated constant NodeTraverser::DONT_TRAVERSE_CURRENT_AND_CHILDREN with NodeVisitor::DONT_TRAVERSE_CURRENT_AND_CHILDREN by @maks-rafalko in https://github.com/infection/infection/pull/1968
Remove our own ParentConnectorVisitor and use nikic-phpparser's one by @maks-rafalko in https://github.com/infection/infection/pull/1970

`v0.28.1`: Use CI (GitHub, GitLab) variable to detect project path

Changed:

feat: use CI variables to detect project path by @darthf1 in https://github.com/infection/infection/pull/1949

New Contributors

@darthf1 made their first contribution in https://github.com/infection/infection/pull/1949

Full Changelog: infection/infection@0.28.0...0.28.1

`v0.28.0`

Added:

Add PHP-Parser 5 support by @sidz in https://github.com/infection/infection/pull/1909

laminas/automatic-releases (laminas/automatic-releases)

`v1.25.0`

Release Notes for 1.25.0

Feature release (minor)

1.25.0

Total issues resolved: 0
Total pull requests resolved: 11
Total contributors: 2

Ocramius/PackageVersions (ocramius/package-versions)

`v2.9.0`

Release Notes for 2.9.0

Feature release (minor)

2.9.0

Total issues resolved: 0
Total pull requests resolved: 2
Total contributors: 2

dependencies,enhancement

256: Allow PHP 8.4 thanks to @fezfez

security

253: Update dependency composer/composer to ^2.7.0 [SECURITY] thanks to @renovate[bot]

containerbase/php-prebuild (php)

`v8.4.3`

Bug Fixes

deps: update dependency php to v8.4.3

`v8.4.2`

Bug Fixes

deps: update dependency php to v8.4.2

`v8.4.1`

Bug Fixes

deps: update dependency php to v8.4.1

sebastianbergmann/phpunit (phpunit/phpunit)

`v10.5.44`: PHPUnit 10.5.44

Fixed

#6115: Backed enumerations with values not of type string cannot be used in customized TestDox output

`v10.5.43`: PHPUnit 10.5.43

Changed

Do not skip execution of test that depends on a test that is larger than itself

`v10.5.42`: PHPUnit 10.5.42

Fixed

#6103: Output from test run in separate process is printed twice
#6109: Skipping a test in a before-class method crashes JUnit XML logger
#6111: Deprecations cause SourceMapper to scan all <source/> files

`v10.5.41`: PHPUnit 10.5.41

Added

Test\AfterLastTestMethodErrored, Test\AfterTestMethodErrored, Test\BeforeTestMethodErrored, Test\PostConditionErrored, and Test\PreConditionErrored events

Fixed

#6094: Errors in after-last-test methods are not reported
#6095: Expectation is not counted correctly when a doubled method is called more often than is expected
#6098: No system-out element in JUnit XML logfile

`v10.5.40`: PHPUnit 10.5.40

Fixed

#6082: assertArrayHasKey(), assertArrayNotHasKey(), arrayHasKey(), and ArrayHasKey::__construct() do not support all possible key types
#6087: --migrate-configuration does not remove beStrictAboutTodoAnnotatedTests attribute from XML configuration file

`v10.5.39`: PHPUnit 10.5.39

Added

#6081: DefaultResultCache::mergeWith() for merging result cache instances

Fixed

#6066: TeamCity logger does not handle error/skipped events in before-class methods correctly

`v10.5.38`: PHPUnit 10.5.38

Changed

#6012: Remove empty lines between TeamCity events

`v10.5.37`: PHPUnit 10.5.37

Fixed

#5982: Typo in exception message

`v10.5.36`: PHPUnit 10.5.36

Changed

#5957: Skip data provider build when requirements are not satisfied
#5969: Check for requirements before creating a separate process
Updated regular expressions used by StringMatchesFormatDescription constraint to be consistent with PHP's run-tests.php

Fixed

#5965: PHPUnit\Framework\Exception does not handle string error codes (PDOException with error code 'HY000', for example)

`v10.5.35`

`v10.5.34`: PHPUnit 10.5.34

Fixed

#5931: Reverted addition of name property on <testsuites> element in JUnit XML logfile
#5946: Callback throws a TypeError when checking a callable has variadic parameters

`v10.5.33`: PHPUnit 10.5.33

Fixed

#4584: assertJsonStringEqualsJsonString() considers objects with sequential numeric keys equal to be arrays
#4625: Generator yielding keys that are neither integer or string leads to hard-to-understand error message when used as data provider
#4674: JSON assertions should treat objects as unordered
#5891: Callback constraint does not handle variadic arguments correctly when used for mock object expectations
#5929: TestDox output containing $ at the beginning gets truncated when used with a data provider

`v10.5.32`: PHPUnit 10.5.32

Added

#5937: failOnPhpunitDeprecation attribute on the <phpunit> element of the XML configuration file and --fail-on-phpunit-deprecation CLI option for controlling whether PHPUnit deprecations should be considered when determining the test runner's shell exit code (default: do not consider)
displayDetailsOnPhpunitDeprecations attribute on the <phpunit> element of the XML configuration file and --display-phpunit-deprecations CLI option for controlling whether details on PHPUnit deprecations should be displayed (default: do not display)

Changed

#5937: PHPUnit deprecations will, by default, no longer affect the test runner's shell exit code. This can optionally be turned back on using the --fail-on-phpunit-deprecation CLI option or the failOnPhpunitDeprecation="true" attribute on the <phpunit> element of the XML configuration file.
Details for PHPUnit deprecations will, by default, no longer be displayed. This can optionally be turned back on using the --display-phpunit-deprecations CLI option or the displayDetailsOnPhpunitDeprecations attribute on the <phpunit> element of the XML configuration file.

`v10.5.31`: PHPUnit 10.5.31

Changed

#5931: name property on <testsuites> element in JUnit XML logfile
Removed .phpstorm.meta.php file as methods such as TestCase::createStub() use generics / template types for their return types and PhpStorm, for example, uses that information

Fixed

#5884: TestDox printer does not consider that issues can be suppressed by attribute, baseline, source location, or @ operator

`v10.5.30`: PHPUnit 10.5.30

Changed

Improved error message when stubbed method is called more often than return values were configured for it

`v10.5.29`: PHPUnit 10.5.29

Fixed

#5887: Issue baseline generator does not correctly handle ignoring suppressed issues
#5908: --list-tests and --list-tests-xml CLI options do not report error when data provider method throws exception

`v10.5.28`

`v10.5.27`: PHPUnit 10.5.27

Changed

Updated dependencies (so that users that install using Composer's --prefer-lowest CLI option also get recent versions)

Fixed

#5892: Errors during write of phpunit.xml are not handled correctly when --generate-configuration is used

psalm/psalm-plugin-phpunit (psalm/plugin-phpunit)

`v0.19.2`: Psalm v6 support

Bumps composer requirements for psalm v6 support.

Full Changelog: psalm/psalm-plugin-phpunit@0.19.0...0.19.2

`v0.19.1`

shivammathur/setup-php (shivammathur/setup-php)

`v2.32.0`

Changelog

Added support for PHP 8.4 as the default stable PHP version.

- name: Setup PHP
  uses: shivammathur/setup-php@v2

Added support for PHP 8.5 as the nightly version. (#867)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.5'

Added support for pre-installed in php-version input. (#872)
It will setup the pre-installed PHP version on the runner as per the docs here
https://github.com/shivammathur/setup-php?tab=readme-ov-file#github-hosted-runners. If the runner does not have a pre-installed PHP version, it will fail.
Please note: It is not recommended to use this unless you are doing something trivial, the pre-installed PHP versions on GitHub hosted runners are old patch versions.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: pre-installed

Added support for .tool-versions file format in php-version-file input. (#883)
If you have an asdf .tool-versions file in your project.
For example, you can specify .tool-versions now in the php-version-file input and the action would setup the correct PHP version.

ruby 3.4
php 8.4
nodejs 23.5

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version-file: .tool-versions

Added support for to specify the path for composer file in the project to read the PHP version using COMPOSER_PROJECT_DIR env value. (#894)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  env:
    COMPOSER_PROJECT_DIR: php

Added support for macos-15 GitHub hosted environment.
Added support for windows-2025 GitHub hosted environment.
Added support for composer-dependency-analyser tool (#859, #897)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    tools: composer-dependency-analyser

Added support for relay extension for PHP 8.4 and 8.5. (#892)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: relay

Added information on how an extension is loaded in the wiki extension lists. (#887)
https://github.com/shivammathur/setup-php/wiki
Fixed support for debug builds. (#880)

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
  env:
    debug: true

Fixed support for zts buids on self-hosted runners.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
  env:
    phpts: ts

Fixed support for oci extensions for PHP 8.4 and PHP 8.5.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: pdo_oci, oci8

Fixed support for zephir_parser extension.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: zephir_parser

Fixed support for couchbase extension on old PHP versions.

- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '7.1'
    extensions: couchbase

Fixed support for pdo_firebird extension on macos-15.

##### runs-on: macos-15
- name: Setup PHP
  uses: shivammathur/setup-php@v2
  with:
    php-version: '8.4'
    extensions: pdo_firebird

Improved support to install tools in a multi-user self-hosted environment.
Dropped support for macos-12 GitHub hosted environments.
Dropped support for Debian 10 based self-hosted environments.
Update Node.js dependencies.

Thanks @janedbal, @alexmerlin and @tillkruss for the contributions 🎉

Thanks @desrosj, @bloodynumen and @eliashaeussler for the sponsorship ❤️

For the complete list of changes, please refer to the Full Changelog

Follow for updates

`v2.31.1`