2.4.0-RC1 - released 2022-07-21

View the release on GitHub

Changelog

• Added bash completions for Composer commands, package names, etc (see how to setup) (#10320)
• Added bump command to bump requirements to the currently installed version (#10829)
• Added audit command to check for known security vulnerabilities in installed packages (#10798, #10898)
• Added automatic auditing of security vulnerabilities after update is done, can be overridden with --no-audit (#10798, #10898)
• Added --audit to install command to also do an audit (#10798, #10898)
• Added r alias to require command (#10953)
• Added composer/class-map-generator dependency to replace Composer\Autoload\ClassMapGenerator which is now deprecated (#10885)
• Added --locked to depends/prohibits commands (#10834)
• Added --strict-psr flag to dump-autoload command to fail the process if PSR violations were detected, useful for CI (#10886)
• Added COMPOSER_PREFER_STABLE and COMPOSER_PREFER_LOWEST env vars to turn on --prefer-stable/--prefer-lowest on update and require command, useful for CI (#10919)
• Added support for temporary update constraints on all packages (now also including non-root dependencies) (#10773)
• Added --major-only flag to the outdated command to show only packages with major version updates (#10827)
• Added sections for direct and transitive deps in outdated command output (#10779)
• Added ability for cache GC to clean up vcs and repo caches (#10826)
• Added --gc flag to clear-cache to only trigger a garbage collection instead of clearing everything (#10826)
• Added signal (SIGINT, SIGTERM, SIGHUP) handling to ensure we wait for the child process to exit before Composer exits to avoid dropping output (#10958)
• Added prompt suggesting using --dev when requiring packages with dev/testing/static analysis keywords present (#10960)
• Added warning in require, init and create-project commands when the latest version of a package cannot be used due to platform requirements (#10896)