2.3.5 - released 2022-04-13

View the release on GitHub


  • Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
  • Added warning when downloading a file with verify_peer[_name] disabled (#10722)
  • Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
  • Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
  • Fixed validate command checking the lock file even if the lock option is disabled (#10723)
  • Fixed detection of default branch name when it changed since a git repo was mirrored in cache dir (#10701)