Fixed version guessing to take composer-runtime-api and composer-plugin-api requirements into account to avoid selecting packages which require Composer 2
Fixed package name validation to allow several dashes following each other
Fixed post-status-cmd script not firing when there were no changes to be displayed
Fixed composer-runtime-api support on Composer 1.x, the package is now present as 1.0.0
Fixed support for composer show --name-only --self
Fixed detection of GitLab URLs when handling authentication in some cases
Added --1 flag to self-update command which can be added to automated self-update runs to make sure it won't automatically jump to 2.0 once that is released
Fixed path repository symlinks being made relative when the repo url is defined as absolute paths
Fixed potential issues when using "composer ..." in scripts and composer/composer was also required in the project
Fixed 1.10.0 regression when downloading GitHub archives from non-API URLs
Fixed handling of malformed info in fund command
Fixed Symfony5 compatibility issues in a few commands
Breaking: composer global exec ... now executes the process in the current working directory instead of executing it in the global directory.
Warning: Added a warning when class names are being loaded by a PSR-4 or PSR-0 rule only due to classmap optimization, but would not otherwise be autoloadable. Composer 2.0 will stop autoloading these classes so make sure you fix your autoload configs.
Added new funding key to composer.json to describe ways your package's maintenance can be funded. This reads info from GitHub's FUNDING.yml by default so better configure it there so it shows on GitHub and Composer/Packagist
Added composer fund command to show funding info of your dependencies
Added support for --format=json output for show command when showing a single package
Added support for configuring suggestions using config command, e.g. composer config suggest.foo/bar some text
Added support for configuring fine-grained preferred-install using config command, e.g. composer config preferred-install.foo/* dist
Added @putenv script handler to set environment variables from composer.json for following scripts
Added lock option that can be set to false, in which case no composer.lock file will be generated
Added --add-repository flag to create-project command which will persist the repo given in --repository into the composer.json of the package being installed
Added support for IPv6 addresses in NO_PROXY
Added package homepage display in the show command
Added debug info about HTTP authentications
Added Symfony 5 compatibility
Added --fixed flag to require command to make it use a fixed constraint instead of a ^x.y constraint when adding the requirement
Fixed exclude-from-classmap matching subsets of directories e.g. foo/ was excluding foobar/
Fixed archive command to persist file permissions inside the zip files
Fixed init/require command to avoid suggesting packages which are already selected in the search results
Fixed create-project UX issues
Fixed filemtime for vendor/composer/* files is now only changing when the files actually change
Fixed issues detecting docker environment with an active open_basedir
Breaking: artifact repositories with URLs containing port numbers and requiring authentication now require you to configure http-basic auth for the host:port pair explicitly
Added a --no-cache flag available on all commands to run with the cache disabled
Added PHP_BINARY as env var pointing to the PHP process when executing Composer scripts as shell scripts
Added a use-github-api config option which can set the no-api flag on all GitHub VCS repositories declared
Added a static helper you can preprend to a script to avoid process timeouts, "Composer\\Config::disableProcessTimeout"
Added Event::getOriginatingEvent to retrieve an event's original event when a script handler forwards to another one
Added support for autoloading directly from a phar file
Fixed loading order of plugins to always initialize them in order of dependencies
Fixed various network-mount related issues
Fixed --ignore-platform-reqs not ignoring conflict rules against platform packages
Deprecated support for non-standard package names (anything with uppercase, or no / in it). Make sure to follow the warnings if you see any to avoid problems in 2.0.
Fixed some packages missing from the autoloader config when installing with --no-dev
Fixed support for cloning GitLab repos using OAuth tokens instead of SSH keys
Fixed metapackage installs/updates missing from output
Fixed --with-dependencies / --with-all-dependencies not updating some packages in some edge cases
Fixed compatibility with Symfony 4.2 deprecations
Fixed temp dir not being cleaned up on download error while archiving packages
Improved performance of installs and updates from git clones when checking out known commits
Added check-platform-reqs command that checks that your PHP and extensions versions match the platform requirements of the installed packages
Added --with-all-dependencies to the update and require commands which updates all dependencies of the listed packages, including those that are direct root requirements
Added scripts-descriptions key to composer.json to customize the description and document your custom commands
Added support for the uppercase NO_PROXY env var
Added support for COMPOSERDEFAULT{AUTHOR,LICENSE,EMAIL,VENDOR} env vars to pre-populate init command values
Added support for local fossil repositories
Added suggestions for alternative spellings when entering packages in init and require commands and nothing can be found
Fixed installed.json data to be sorted alphabetically by package name
Fixed compatibility with Symfony 4.x components that Composer uses
Added workaround for xdebug performance impact by restarting PHP without xdebug automatically in case it is enabled
Added --minor-only to the outdated command to only show updates to minor versions and ignore new major versions
Added --apcu-autoloader to the update/install commands and --apcu to dump-autoload to enable an APCu-caching autoloader, which can be more efficient than --classmap-authoritative if you attempt to autoload many classes that do not exist, or if you can not use authoritative classmaps for some reason
Added summary of operations to be executed before they run, and made execution output more compact
Added php-debug and php-zts virtual platform packages
Added gitlab-token auth config for GitLab private tokens
Added --strict to the outdated command to return a non-zero exit code when there are outdated packages
Added ability to call php scripts using the current php interpreter (instead of finding php in PATH by default) in script handlers via @php ...
Added COMPOSER_ALLOW_XDEBUG env var to circumvent the Xdebug-disabling behavior
Added COMPOSER_MIRROR_PATH_REPOS env var to force mirroring of path repositories vs symlinking
Added COMPOSER_DEV_MODE env var that is set by Composer to forward the dev mode to script handlers
Fixed support for git 2.11
Fixed output from zip and rar leaking out when an error occurred
Removed hash from composer.lock, only content-hash is now used which should reduce conflicts
Added caching of git repositories if you have git 2.3+ installed. Repositories will now be cached once and then cloned from local cache so subsequent installs should be faster
Added detection of HEAD changes to the status command. If you git checkout X in a vendor directory for example it will tell you that it is not at the version that was installed
Added a virtual php-ipv6 extension to require PHP compiled with IPv6 support
Added --no-suggest to install and update commands to skip output of suggestions at the end
Added --type to the search command to restrict to a given package type
Added fossil support as alternative to git/svn/.. for package downloads
Improved BitBucket OAuth support
Added support for blocking cache operations using COMPOSER_CACHE_DIR=/dev/null (or NUL on windows)
Added support for using declare(strict_types=1) in plugins
Added --prefer-stable and --prefer-lowest to the require command
Added --no-scripts to the require and remove commands
Added _comment top level key to the schema to endorse using it as a place to store comments (it can be a string or array of strings)
Added support for justinrainbow/json-schema 2.0
Fixed binaries not being re-installed if deleted by users or the bin-dir changes. update and install will now re-install them
Added BaseCommand::isProxyCommand that can be overridden to mark a command as being a mere proxy, which helps avoid duplicate warnings etc on composer startup
Fixed archiving generating long paths in zip files on Windows
Break: The install command now turns into an update command automatically if you have no composer.lock. This was done only half-way before which caused inconsistencies
Break: By default the remove command now removes dependencies as well, and --update-with-dependencies is deprecated. Use --no-update-with-dependencies to get old behavior
Added support for update channels in self-update. All users will now update to stable builds by default. Run self-update with --snapshot, --preview or --stable to switch between update channels.
Added support for SSL_CERT_DIR env var and openssl.capath ini value
Added some conflict detection in why-not command
Added suggestion of root package's suggests in create-project command
Fixed create-project ignoring --ignore-platform-reqs when choosing a version of the package
Fixed search command in a directory without composer.json
Fixed path repository handling of symlinks on windows
Fixed PEAR repo handling to prefer HTTPS mirrors over HTTP ones
Fixed handling of Path env var on Windows, only PATH was accepted before
Break: By default we now disable any non-secure protocols (http, git, svn). This may lead to issues if you rely on those. See secure-http config option.
Break: show / list command now only show installed packages by default. An --all option is added to show all packages.
Added VCS repo support for the GitLab API, see also gitlab-oauth and gitlab-domains config options
Added prohibits / why-not command to show what blocks an upgrade to a given package:version pair
Added --tree / -t to the show command to see all your installed packages in a tree view
Added --interactive / -i to the update command, which lets you pick packages to update interactively
Added exec command to run binaries while having bin-dir in the PATH for convenience
Added --root-reqs to the update command to update only your direct, first degree dependencies
Added cafile and capath config options to control HTTPS certificate authority
Added pubkey verification of composer.phar when running self-update
Added possibility to configure per-package preferred-install types for more flexibility between prefer-source and prefer-dist
Added unpushed-changes detection when updating dependencies and in the status command
Added COMPOSER_AUTH env var that lets you pass a json configuration like the auth.json file
Added secure-http and disable-tls config options to control HTTPS/HTTP
Added warning when Xdebug is enabled as it reduces performance quite a bit, hide it with COMPOSER_DISABLE_XDEBUG_WARN=1 if you must
Added duplicate key detection when loading composer.json
Added sort-packages config option to force sorting of the requirements when using the require command
Added support for the XDG Base Directory spec on linux
Added XzDownloader for xz file support
Fixed SSL support to fully verify peers in all PHP versions, unsecure HTTP is also disabled by default
Fixed stashing and cleaning up of untracked files when updating packages
Fixed plugins being enabled after installation even when --no-plugins
Added config.platform to let you specify what your target environment looks like and make sure you do not inadvertently install dependencies that would break it
Added exclude-from-classmap in the autoload config that lets you ignore sub-paths of classmapped directories, or psr-0/4 directories when building optimized autoloaders
Added path repository type to install/symlink packages from local paths
Added possibility to reference script handlers from within other handlers using @script-name to reduce duplication
Added suggests command to show what packages are suggested, use -v to see more details
Added content-hash inside the composer.lock to restrict the warnings about outdated lock file to some specific changes in the composer.json file
Added archive-format and archive-dir config options to specify default values for the archive command
Added --classmap-authoritative to install, update, require, remove and dump-autoload commands, forcing the optimized classmap to be authoritative
Added -A / --with-dependencies to the validate command to allow validating all your dependencies recursively
Added --strict to the validate command to treat any warning as an error that then returns a non-zero exit code
Added a dependency on composer/semver, which is the externalized lib for all the version constraints parsing and handling
Added support for classmap autoloading to load plugin classes and script handlers
Added bin-compat config option that if set to full will create .bat proxy for binaries even if Composer runs in a linux VM
Added SPDX 2.0 support, and externalized that in a composer/spdx-licenses lib
Added warnings when the classmap autoloader finds duplicate classes
Added --file to the archive command to choose the filename
Added Ctrl+C handling in create-project to cancel the operation cleanly
Fixed version guessing to use ^ always, default to stable versions, and avoid versions that require a higher php version than you have
Fixed the lock file switching back and forth between old and new URL when a package URL is changed and many people run updates
Fixed partial updates updating things they shouldn't when the current vendor dir was out of date with the lock file
Fixed PHAR file creation to be more reproducible and always generate the exact same phar file from a given source
Fixed issue when checking out git branches or tags that are also the name of a file in the repo
Many minor fixes and documentation additions and UX improvements
Break: For forward compatibility, you should change your deployment scripts to run composer install --no-dev. The install command will install dev dependencies by default starting in the next release
Break: The update command now has --dev enabled by default. --no-dev can be used to update without dev requirements, but it will create an incomplete lock file and is discouraged
Break: Removed support for lock files created before 2012-09-15 due to their outdated unusable format
Added prefer-stable flag to pick stable packages over unstable ones when possible
Added preferred-install config option to always enable --prefer-source or --prefer-dist
Added diagnose command to to system/network checks and find common problems
Added wildcard support in the update whitelist, e.g. to update all packages of a vendor do composer update vendor/*
Added archive command to archive the current directory or a given package
Added run-script command to manually trigger scripts
Added proprietary as valid license identifier for non-free code
Added a php-64bit platform package that you can require to force a 64bit php
Added a lib-ICU platform package
Added a new official package type project for project-bootstrapping packages
Added zip/dist local cache to speed up repetitive installations
Added post-autoload-dump script event
Added Event::getDevMode to let script handlers know if dev requirements are being installed
Added discard-changes config option to control the default behavior when updating "dirty" dependencies
Added use-include-path config option to make the autoloader look for files in the include path too
Added cache-ttl, cache-files-ttl and cache-files-maxsize config option
Added cache-dir, cache-files-dir, cache-repo-dir and cache-vcs-dir config option
Added support for using http(s) authentication to non-github repos
Added support for using multiple autoloaders at once (e.g. PHPUnit + application both using Composer autoloader)
Added support for .inc files for classmap autoloading (legacy support, do not do this on new projects!)
Added support for version constraints in show command, e.g. composer show monolog/monolog 1.4.*
Added support for svn repositories containing packages in a deeper path (see package-path option)
Added an artifact repository to scan a directory containing zipped packages
Added --no-dev flag to install and update commands
Added --stability (-s) flag to create-project to lower the required stability
Added --no-progress to install and update to hide the progress indicators
Added --available (-a) flag to the show command to display only available packages
Added --name-only (-N) flag to the show command to show only package names (one per line, no formatting)
Added --optimize-autoloader (-o) flag to optimize the autoloader from the install and update commands
Added -vv and -vvv flags to get more verbose output, can be useful to debug some issues
Added COMPOSER_NO_INTERACTION env var to do the equivalent of --no-interaction (should be set on build boxes, CI, PaaS)
Added PHP 5.2 compatibility to the autoloader configuration files so they can be used to configure another autoloader
Fixed handling of platform requirements of the root package when installing from lock
Fixed handling of require-dev dependencies
Fixed handling of unstable packages that should be downgraded to stable packages when updating to new version constraints
Fixed parsing of the ~ operator combined with unstable versions
Fixed the require command corrupting the json if the new requirement was invalid
Fixed support of aliases used together with <version>#<reference> constraints
Improved output of dependency solver problems by grouping versions of a package together
Improved performance of classmap generation
Improved mercurial support in various places
Improved lock file format to minimize unnecessary diffs
Improved the config command to support all options
