2.10.2 - released 2026-07-01
Changelog
- Security: Validate package names (GHSA-499r-g7pc-vmp9)
- Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
- Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
- Security: Only follow HTTP redirects from HTTP responses (#12948)
- Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
- Security: Sanitize JSON parse errors in HTTP responses to avoid leaking response body data (#12959)
- Added warning output in self-update command when using a soon-to-be EOL version (#12920)
- Added download retry when a GitHub codeload URL returns a 400 (#12962)
- Fixed audit command to output the audit result to stdout (#12904)
- Fixed backspace characters being output to non-decorated output (#12925)
- Fixed security advisory blocking causing issues with xdebug enabled (#12935)
- Fixed provider packages hiding suggestions for the package they provide themselves (#12933)