2.9.3 - released 2025-12-30

Changelog

Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
Fixed client-certificate authentication implementation (#12667)
Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
Fixed support for SecureTransport + LibreSSL on macOS (#12615)
Fixed display of reasons for why advisories are ignored (#12668)
Fixed compatibility issues when git has log.showSignature enabled (#12666)
Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
Fixed EventDispatcher requiring a full Composer instance to function (#12629)