Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package php-composer2 for openSUSE:Factory checked in at 2024-02-13 22:44:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/php-composer2 (Old)
 and      /work/SRC/openSUSE:Factory/.php-composer2.new.1815 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "php-composer2" Tue Feb 13 22:44:16 2024 rev:25 rq:1146367 version:2.7.1 Changes: -------- --- /work/SRC/openSUSE:Factory/php-composer2/php-composer2.changes 2023-10-12 23:47:51.157373748 +0200 +++ /work/SRC/openSUSE:Factory/.php-composer2.new.1815/php-composer2.changes 2024-02-13 22:44:47.861495592 +0100 
@@ -1,0 +2,48 @@ +Mon Feb 12 09:54:13 UTC 2024 - pgaj...@suse.com + +- version update to 2.7.1 [bsc#1219757] CVE-2024-24821 + 2.7.1 + * Added several warnings when plugins are disabled to hint at common problems people had with 2.7.0 (#11842) + * Fixed diagnose auditing of Composer dependencies failing when running from the phar + 2.7.0 + * Security: Fixed code execution and possible privilege escalation via compromised + vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821) + * Changed the default of the audit.abandoned config setting to fail, set it to report or + ignore if you do not want this, or set it via COMPOSER_AUDIT_ABANDONED env var (#11643) + * Added --minimal-changes (-m) flag to update/require/remove commands to perform + partial update with --with-dependencies while changing only what is absolutely + necessary in transitive dependencies (#11665) + * Added --sort-by-age (-A) flag to outdated/show commands to allow + sorting by and displaying the release date (most outdated first) (#11762) + * Added support for --self combined with --installed or --locked in show command, to + add the root package to the package list being output (#11785) + * Added severity information to audit command output (#11702) + * Added scripts-aliases top level key in composer.json to define aliases for custom scripts you defined (#11666) + * Added IPv4 fallback on connection timeout, as well as a COMPOSER_IPRESOLVE env var to force + IPv4 or IPv6, set it to 4 or 6 (#11791) + * Added support for wildcards in outdated's --ignore arg (#11831) + * Added support for bump command bumping * to >=current version (#11694) + * Added detection of constraints that cannot possibly match anything to validate command (#11829) + * Added package source information to the output of install when running in very verbose (-vv) mode (#11763) + * Added audit of Composer's own bundled dependencies in diagnose command (#11761) + * Added GitHub token expiration date to diagnose command output 
(#11688) + * Added non-zero status code to why/why-not commands (#11796) + * Added error when calling show --direct <package> with an indirect/transitive dependency (#11728) + * Added COMPOSER_FUND=0 env var to hide calls for funding (#11779) + * Fixed bump command not bumping packages required with a v prefix (#11764) + * Fixed automatic disabling of plugins when running non-interactive as root + * Fixed update --lock not keeping the dist reference/url/checksum pinned (#11787) + * Fixed require command crashing at the end if no lock file is present (#11814) + * Fixed root aliases causing problems when auditing locked dependencies (#11771) + * Fixed handling of versions with 4 components in require command (#11716) + * Fixed compatibility issues with Symfony 7 + * Fixed composer.json remaining behind after a --dry-run of the require command (#11747) + * Fixed warnings being shown incorrectly under some circumstances (#11786, #11760, #11803) + 2.6.6 + * Fixed symfony/console requirement to exclude 7.x as Composer 2.6 is not compatible, 2.7 will be (#11741) + * Fixed libpq parsing to use the global constant if available (#11684) + * Fixed error output when updating with a temporary constraint fails (#11692) +- modified sources + % composer.phar + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php-composer2.spec ++++++ --- /var/tmp/diff_new_pack.ZQtXOB/_old 2024-02-13 22:44:48.697525780 +0100 +++ /var/tmp/diff_new_pack.ZQtXOB/_new 2024-02-13 22:44:48.701525925 +0100 @@ -1,7 +1,7 @@ # # spec file for package php-composer2 # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ Name: php-composer2 -Version: 2.6.5 +Version: 2.7.1 Release: 0 Summary: Dependency Management for PHP License: MIT @@ -25,6 +25,7 @@ URL: https://getcomposer.org/ Source0: https://getcomposer.org/download/%{version}/composer.phar Source1: https://github.com/composer/composer/raw/%{version}/LICENSE +BuildRequires: php-phar Requires: php >= 7.2.5 Requires: php-curl Requires: php-json @@ -34,7 +35,7 @@ Requires: php-zip Requires: php-zlib Requires(post): update-alternatives -Requires(postun):update-alternatives +Requires(postun): update-alternatives Provides: composer = %{version} Provides: php-composer = %{version} Provides: php7-composer = %{version} ++++++ composer.phar ++++++ Binary files /var/tmp/diff_new_pack.ZQtXOB/_old and /var/tmp/diff_new_pack.ZQtXOB/_new differ
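Review bot: The added "BuildRequires: php-phar" in the php-composer2.spec hunk at @@ -25,6 +25,7 @@ has no recorded reason. The php-composer2.changes entry lists only "modified sources % composer.phar", and none of the visible spec hunks add a build or check step that would use the phar extension. Suggest adding a line to the .changes entry that names the new build dependency and says what needs it at build time, so the requirement can be dropped again when that step goes away.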
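Review bot: The composer.phar region at the end shows only "Binary files ... differ", and the visible spec hunks leave Source0 (https://getcomposer.org/download/%{version}/composer.phar) without any accompanying checksum or signature source. This update carries the fix for CVE-2024-24821, so the replacement binary is the security-relevant part of the change and is the one part a reviewer cannot inspect from the diff. Suggest recording in the package how the 2.7.1 phar was verified against upstream, for example by shipping the upstream signature or checksum file as an additional Source so the check is repeatable on the next version bump. These hunks do not show whether such verification already exists elsewhere in the spec.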