-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 04 Jul 2026 20:10:04 +0200
Source: composer
Architecture: source
Version: 2.10.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: David Prévot <taffit@debian.org>
Changes:
composer (2.10.2-1) unstable; urgency=medium
.
[ Jordi Boggiano ]
* Avoid deeply nested multi constraints when matching security
advisories / malware (#12935)
* Add warnings in self-update when using soon to be deprecated versions,
or when the php version is outdated (#12920)
* Only follow http(s) redirects in HTTP transports (#12947)
* Prevent phar metadata unserialization on unsafe php versions (#12945)
* Sanitize JSON parse errors in Http\Response to avoid leaking response
bodies (#12960)
* Validate resolved packages before locking (GHSA-499r-g7pc-vmp9)
* Validate package bin paths against path traversal (GHSA-gjfg-22fp-rrxx)
* Sanitize URL-embedded usernames/tokens in verbose output
(GHSA-g6xq-892h-64w3)
* Release 2.10.2
.
[ Eyüp Can Akman ]
* Avoid writing backspaces to non-decorated output (#12925)
* Don't hide a suggestion provided by the suggesting package itself (#12933)
.
[ Keerthana ]
* Fix audit output to use stdout for summary messages (#12904)
.
[ Dimas Febri ]
* Retry downloads failing with HTTP 400 on a fresh connection (#12962)
.
[ David Prévot ]
* Use relative path in autoload.php
* Use build/vendor instead of vendor for homemade autoload.php
Checksums-Sha1:
a740a99e8bbd44e31c29ded545e3bee393f08aba 2306 composer_2.10.2-1.dsc
6d9a3624355472417027884b989d2507e53a337a 778404 composer_2.10.2.orig.tar.xz
0f7506de1fb31235bdbc4e4c7cf1585097f82281 58452 composer_2.10.2-1.debian.tar.xz
2546ba84825d33fcc0c17ce80db1cfa1d1f54f31 9703 composer_2.10.2-1_amd64.buildinfo
Checksums-Sha256:
0c575e8ce2e49bf8b95df81b8aca6aaff9de65fb0e942ee1089ffff407f1b00a 2306 composer_2.10.2-1.dsc
8aa5413fa8c6a93f0d998a2496dc8e7275d91cf7186c84a4689508e1be09ffff 778404 composer_2.10.2.orig.tar.xz
2f8706c9680ad6d226ed62ba921a7d7f9130ae1d5f67062c66f568d48efeb878 58452 composer_2.10.2-1.debian.tar.xz
caa5ea1e30882f543ec7cd666a3569724d76421d60234577a5887a1094f7a5cf 9703 composer_2.10.2-1_amd64.buildinfo
Files:
f58598674cb75712bb97d35f2751129e 2306 php optional composer_2.10.2-1.dsc
9f25efa4dc9224d373687f0da91272b2 778404 php optional composer_2.10.2.orig.tar.xz
2328c6840e83b55b17a1d3024f4b7b68 58452 php optional composer_2.10.2-1.debian.tar.xz
b9c2e42d0279ee85293ef8611e548e96 9703 php optional composer_2.10.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCgAwFiEEeHVNB7wJXHRI941mBYwc+UT2vTwFAmpJ9+USHHRhZmZpdEBk
ZWJpYW4ub3JnAAoJEAWMHPlE9r08fe8H/j8AlYcgT5llpIZDVOFn/1+jOK9HFvSo
4ADDOZocm20VceQy5YzVmrIvWQWQicE3hcFNiZjk8dtlVFefzQ5FnJqVxxTi0WFP
jZJAdnglxIsal+NlHlEvP/eOC1Tk0CWfKTxVt59Dl+DEXCwpzFG3uLiTz+GZPkAL
zvIsad39u9ueeYMalLqXQlZohFe+4+wrak+i3qkCJjCAxTOjD4PP0ETCDbn+WCVK
s6tVnIs+v2M3tdO/nKOU0LaxhoP4TSZHqYumlsizIMee/YqEgidqTs+g9PS+QSZS
i57uCOMaqEL3xQyOxlzEGJAAUalx5ZCMlinlEvC+f9u2BY8RkceKErU=
=lgst
-----END PGP SIGNATURE-----