Update dependency composer/composer to v2.2.24 [SECURITY] #24
This PR contains the following updates:
composer/composer: 2.1.9 -> 2.2.24
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts

CVE-2022-24828

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver is used.

This led to a vulnerability on Packagist.org and Private Packagist, i.e. using the composer.json readme field as a vector for injecting parameters into the $file argument for the Mercurial driver, or via the $identifier argument for the Git and Mercurial drivers.

Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository which is explicitly listed by URL in a project's composer.json.

To the best of our knowledge, this was not actively exploited. The vulnerability has been patched on Packagist.org and Private Packagist within a day of the vulnerability report.
CVE-2023-43655

Impact
Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a PHP file may be impacted if PHP also has register_argc_argv enabled in php.ini.

Patches
2.6.4, 2.2.22 and 1.10.27 patch this vulnerability.

Workarounds
Make sure register_argc_argv is disabled in php.ini, and avoid publishing composer.phar to the web, as this really should not happen.

CVE-2024-24821
Impact
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
The following are of high risk:

Patches
2.7.0, 2.2.23

Workarounds
Where not possible, the following should be addressed:
vendor/composer/InstalledVersions.php and vendor/composer/installed.php do not include untrusted code. A reset can also be done on these files by the following:
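As an added check for the "do not include untrusted code" workaround (this is not Composer's own code and it is not the reset step the advisory refers to), the script below verifies that vendor/composer/installed.php is pure data before anything includes it. installed.php is generated by Composer as a single return of nested array literals, so the check tokenizes the file with PHP's own tokenizer and rejects any token that cannot occur in such a literal: function calls, eval, include, variables, casts and interpolated strings all fail. The sample files are constructed here and only mimic the shape of a real installed.php. vendor/composer/InstalledVersions.php legitimately contains a class, so this data-only test does not apply to it; that file is best compared byte for byte with the copy shipped in the Composer release in use.

```php
<?php
// Added example, not Composer's own code. Before Composer (or your own code) includes
// vendor/composer/installed.php, confirm the file is pure data: one `return` of nested
// array(...) literals built from strings, numbers, true/false/null and __DIR__ . '...'.
// Anything else is a sign the working directory was tampered with (CVE-2024-24821).
declare(strict_types=1);

function installedPhpIsDataOnly(string $source): bool
{
    $sawReturn = false;
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {
            // single-character tokens: only array delimiters, separators, concatenation and negation
            if (!in_array($token, ['(', ')', '[', ']', ',', ';', '.', '-'], true)) {
                return false;
            }
            continue;
        }
        [$id, $text] = $token;
        switch ($id) {
            case T_OPEN_TAG:
            case T_WHITESPACE:
            case T_COMMENT:
            case T_DOC_COMMENT:
            case T_ARRAY:                    // array( ... ) long syntax used by installed.php
            case T_DOUBLE_ARROW:             // =>
            case T_CONSTANT_ENCAPSED_STRING: // quoted literal without interpolation
            case T_LNUMBER:
            case T_DNUMBER:
            case T_DIR:                      // __DIR__ in install_path values
                break;
            case T_RETURN:
                if ($sawReturn) {
                    return false;            // a second return means extra statements
                }
                $sawReturn = true;
                break;
            case T_STRING:
                // the only bare words allowed are the boolean/null literals
                if (!in_array(strtolower($text), ['true', 'false', 'null'], true)) {
                    return false;
                }
                break;
            default:
                return false;                // function calls, eval, include, variables, casts, "..." strings
        }
    }
    return $sawReturn;
}

// Constructed samples: the shape mimics Composer's installed.php, the values are made up.
$benign = <<<'SRC'
<?php return array(
    'root' => array(
        'name' => 'acme/app',
        'pretty_version' => 'dev-main',
        'reference' => NULL,
        'install_path' => __DIR__ . '/../../',
        'dev' => true,
    ),
    'versions' => array(),
);
SRC;

$tampered = [
    'call'   => str_replace("'dev' => true", "'dev' => (bool) file_put_contents('/tmp/marker', 'x')", $benign),
    'eval'   => str_replace("'versions' => array()", "'versions' => eval(base64_decode('...'))", $benign),
    'interp' => str_replace("'acme/app'", '"acme/{$x}"', $benign),
];

printf("benign %s\n", installedPhpIsDataOnly($benign) ? 'accepted' : 'REJECTED');
foreach ($tampered as $label => $src) {
    printf("%-6s %s\n", $label, installedPhpIsDataOnly($src) ? 'accepted' : 'REJECTED');
}

// Usage in a project: run before `composer install` in a checkout you do not fully trust.
$path = getcwd() . '/vendor/composer/installed.php';
if (is_file($path) && !installedPhpIsDataOnly((string) file_get_contents($path))) {
    fwrite(STDERR, "$path contains code, not just data; refusing to proceed\n");
    exit(1);
}
```

The allow-list is deliberately narrow: if a future Composer version emits a construct the check does not know, the right response is to extend the list after reading the generated file, not to loosen the default branch.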
CVE-2024-35242

Impact
The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds
Avoid cloning potentially compromised repositories.
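The VCS-argument advisories on this page (CVE-2022-24828 above, and the crafted-branch-name issues CVE-2024-35242 and CVE-2024-35241) share one mechanism: a value read from a repository, a branch or tag name or a file name, becomes an argument to git or hg. Shell quoting does not help with that, because a quoted '--foo=bar' is still one argument that git parses as an option. The block below is an added illustration, not Composer's code and not a reproduction of the patched lines. It assumes that getFileContent() reads a file with git show <identifier>:<file>, it relies on git's --end-of-options flag (git 2.24 or later), and every input is constructed to look like an option rather than taken from a real exploit.

```php
<?php
// Added example, not Composer's own code. Untrusted VCS identifiers (branch/tag names,
// file names) must be validated as ref names and passed to git as operands, in an argv
// array executed without a shell. escapeshellarg() alone cannot stop option injection.
declare(strict_types=1);

final class UnsafeVcsIdentifier extends \InvalidArgumentException {}

// Approximation of the rules enforced by `git check-ref-format --branch`; hex commit ids pass too.
function assertSafeGitIdentifier(string $identifier): void
{
    if ($identifier === '' || $identifier[0] === '-') {
        throw new UnsafeVcsIdentifier('identifier empty or option-like: ' . json_encode($identifier));
    }
    // control chars, space, DEL, ~ ^ : ? * [ \, "..", "@{", leading/trailing/double slash,
    // a component starting with ".", trailing ".", ".lock" suffix, or a lone "@"
    $forbidden = '/[\x00-\x20\x7f~^:?*\[\\\\]|\.\.|@\{|^\/|\/$|\/\/|\/\.|^\.|\.$|\.lock$|^@$/';
    if (preg_match($forbidden, $identifier)) {
        throw new UnsafeVcsIdentifier('identifier is not a valid ref name: ' . json_encode($identifier));
    }
}

function assertSafeRepoPath(string $file): void
{
    if ($file === '' || $file[0] === '-' || strpos($file, "\0") !== false || preg_match('#(^|/)\.\.(/|$)#', $file)) {
        throw new UnsafeVcsIdentifier('file path rejected: ' . json_encode($file));
    }
}

// argv for `git show <identifier>:<file>` (assumed here to be what getFileContent() does for git).
function gitShowArgv(string $identifier, string $file): array
{
    assertSafeGitIdentifier($identifier);
    assertSafeRepoPath($file);
    // --end-of-options (git >= 2.24) stops option parsing for revision-walking commands.
    // A plain "--" would not do here: for `git show` it turns what follows into a pathspec.
    return ['git', 'show', '--end-of-options', $identifier . ':' . $file];
}

// Execute an argv array directly (proc_open accepts an array since PHP 7.4): no shell, no quoting.
function runArgv(array $argv, string $cwd): array
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new \RuntimeException('could not start ' . $argv[0]);
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $stdout, $stderr];
}

// Constructed inputs; the dangerous ones are merely shaped like options, not real exploit strings.
$cases = [
    ['v2.2.24', 'composer.json'],
    ['a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2', 'README.md'],
    ['--option=value', 'README.md'],   // option-looking identifier
    ['main', '--option=value'],        // option-looking file
    ["main\n--option", 'README.md'],   // newline smuggled inside a branch name
    ['feature/../main', 'README.md'],  // ".." is not allowed in a ref name
];
foreach ($cases as [$identifier, $file]) {
    try {
        echo 'argv: ', json_encode(gitShowArgv($identifier, $file), JSON_UNESCAPED_SLASHES), PHP_EOL;
    } catch (UnsafeVcsIdentifier $e) {
        echo 'REJECTED: ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation is the primary control (it is what makes the branch-name cases fail closed); --end-of-options and the shell-free argv are the second layer for a value that slips through, and runArgv() is how a practitioner would call the result, e.g. runArgv(gitShowArgv('v2.2.24', 'composer.json'), '/path/to/checkout').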
CVE-2024-35241

Impact
The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

Patches
2.2.24 for 2.2 LTS or 2.7.7 for mainline

Workarounds
Avoid installing dependencies via git by using --prefer-dist or the preferred-install: dist config setting.

Release Notes
composer/composer (composer/composer)

v2.2.24
This release includes fixes for issues found in a security audit by Cure53 funded by Alpha-Omega.
Referenced commits: fa3b958, 3c37a67, 3773f77, de5f7e3, 3130a74, 04a63b3

v2.2.23

v2.2.22
… % signs (#11359)

v2.2.21

v2.2.20

v2.2.19
… _ to avoid conflicts between package names like a-b and a_b (#11229)
… COMPOSER_DISCARD_CHANGES when set to 0 …

v2.2.18
… COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)

v2.2.17

v2.2.16

v2.2.15
… cache-read-only where the filesystem is not writable (#10906)
… allow-plugins: true (#10909)

v2.2.14

v2.2.13

v2.2.12
… lock config option is disabled (#10726)
… validate command checking the lock file even if the lock option is disabled (#10723)

v2.2.11
… self-update to pin the Composer version to the 2.2 LTS range (#10682)

v2.2.10

v2.2.9

v2.2.8
… files autoloading sort order to be fully deterministic (#10617)
… require command failing when self.version is used as constraint (#10593)

v2.2.7
… licenses command output (#10537)
… allow-plugins: false which kept warning (#10530)
… init command requiring an email whereas the schema allows a name only (#10538)
… require command when requiring packages which do not exist (but are provided by something else you require) (#10541)

v2.2.6
… COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#10512)
… enum foo:string without space after : (#10498)
… reinstall command not firing pre-install-cmd / post-install-cmd events (#10514)

v2.2.5
… composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)

v2.2.4

v2.2.3

v2.2.2
… COMPOSER_BIN_DIR env var and _composer_bin_dir global containing the path to the bin-dir for binaries. Packages relying on finding the bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)

v2.2.1

v2.2.0
… dev-main as the default path repo package version if no VCS info is available (#10372)

v2.1.14

v2.1.12
… 9999999-dev being shown in some cases by the show command (#10260)

v2.1.11

v2.1.10
… require command reverting changes even though dependency resolution succeeded when something fails in scripts for example (#10118)
… require not finding the right package version when some newly required extension is missing from the system (#10167)
Referenced commit: e1dbd65

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.