2.9.6 - released 2026-04-14
View the release on GitHub
Changelog
- Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
- Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
- Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
- Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with
- do not cause issues (6621d45, d836b90, 5e08c764)
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
- Fixed GitHub API authentication errors not being visible to the user (#12737)
- Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
- Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
Home