2.10.2 - released 2026-07-01

View the release on GitHub

Changelog

  • Security: Validate package names (GHSA-499r-g7pc-vmp9)
  • Security: Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
  • Security: Sanitize URL-embedded usernames/token in verbose output (GHSA-g6xq-892h-64w3)
  • Security: Only follow HTTP redirects from HTTP responses (#12948)
  • Security: Prevent phar metadata unserialization on unsafe PHP versions (#12946)
  • Security: Sanitize JSON parse errors in HTTP responses to avoid leaking response body data (#12959)
  • Added warning output in self-update command when using a soon-to-be EOL version (#12920)
  • Added download retry when a GitHub codeload URL returns a 400 (#12962)
  • Fixed audit command to output the audit result to stdout (#12904)
  • Fixed backspace characters being output to non-decorated output (#12925)
  • Fixed security advisory blocking causing issues with xdebug enabled (#12935)
  • Fixed provider packages hiding suggestions for the package they provide themselves (#12933)