### [1.0.3] - 2016-04-29 * Security: Fixed possible command injection from the env vars into our sudo detection * Fixed interactive authentication with gitlab * Fixed class name replacement in plugins * Fixed classmap generation mistakenly detecting anonymous classes * Fixed auto-detection of stability flags in complex constraints like `2.0-dev || ^1.5` * Fixed content-length handling when redirecting to very small responses ### [1.0.2] - 2016-04-21 * Fixed regression in 1.0.1 on systems with mbstring.func_overload enabled * Fixed regression in 1.0.1 that made dev packages update to the latest reference even if not whitelisted in a partial update * Fixed init command ignoring the COMPOSER env var for choosing the json file name * Fixed error reporting bug when the dependency resolution fails * Fixed handling of `$` sign in composer config command in some cases it could corrupt the json file ### [1.0.1] - 2016-04-18 * Fixed URL updating when a package's URL changes, composer.lock now contains the right URL including correct reference * Fixed URL updating of the origin git remote as well for packages installed as git clone * Fixed binary .bat files generated from linux being incompatible with windows cmd * Fixed handling of paths with trailing slashes in path repository * Fixed create-project not using platform config when selecting a package * Fixed self-update not showing the channel it uses to perform the update * Fixed file downloads not failing loudly when the content does not match the Content-Length header * Fixed secure-http detecting some malformed URLs as insecure * Updated CA bundle ### [1.0.0] - 2016-04-05 * Added support for bitbucket-oauth configuration * Added warning when running composer as super user, set COMPOSER_ALLOW_SUPERUSER=1 to hide the warning if you really must * Added PluginManager::getGlobalComposer getter to retrieve the global instance (which can be null!) * Fixed dependency solver error reporting in many cases it now shows you proper errors instead of just saying a package does not exist * Fixed output of failed downloads appearing as 100% done instead of Failed * Fixed handling of empty directories when archiving, they are not skipped anymore * Fixed installation of broken plugins corrupting the vendor state when combined with symlinked path repositories ### [1.0.0-beta2] - 2016-03-27 * Break: The `install` command now turns into an `update` command automatically if you have no composer.lock. This was done only half-way before which caused inconsistencies * Break: By default the `remove` command now removes dependencies as well, and --update-with-dependencies is deprecated. Use --no-update-with-dependencies to get old behavior * Added support for update channels in `self-update`. All users will now update to stable builds by default. Run `self-update` with `--snapshot`, `--preview` or `--stable` to switch between update channels. * Added support for SSL_CERT_DIR env var and openssl.capath ini value * Added some conflict detection in `why-not` command * Added suggestion of root package's suggests in `create-project` command * Fixed `create-project` ignoring --ignore-platform-reqs when choosing a version of the package * Fixed `search` command in a directory without composer.json * Fixed path repository handling of symlinks on windows * Fixed PEAR repo handling to prefer HTTPS mirrors over HTTP ones * Fixed handling of Path env var on Windows, only PATH was accepted before * Small error reporting and docs improvements ### [1.0.0-beta1] - 2016-03-03 * Break: By default we now disable any non-secure protocols (http, git, svn). This may lead to issues if you rely on those. See `secure-http` config option. * Break: `show` / `list` command now only show installed packages by default. An `--all` option is added to show all packages. * Added VCS repo support for the GitLab API, see also `gitlab-oauth` and `gitlab-domains` config options * Added `prohibits` / `why-not` command to show what blocks an upgrade to a given package:version pair * Added --tree / -t to the `show` command to see all your installed packages in a tree view * Added --interactive / -i to the `update` command, which lets you pick packages to update interactively * Added `exec` command to run binaries while having bin-dir in the PATH for convenience * Added --root-reqs to the `update` command to update only your direct, first degree dependencies * Added `cafile` and `capath` config options to control HTTPS certificate authority * Added pubkey verification of composer.phar when running self-update * Added possibility to configure per-package `preferred-install` types for more flexibility between prefer-source and prefer-dist * Added unpushed-changes detection when updating dependencies and in the `status` command * Added COMPOSER_AUTH env var that lets you pass a json configuration like the auth.json file * Added `secure-http` and `disable-tls` config options to control HTTPS/HTTP * Added warning when Xdebug is enabled as it reduces performance quite a bit, hide it with COMPOSER_DISABLE_XDEBUG_WARN=1 if you must * Added duplicate key detection when loading composer.json * Added `sort-packages` config option to force sorting of the requirements when using the `require` command * Added support for the XDG Base Directory spec on linux * Added XzDownloader for xz file support * Fixed SSL support to fully verify peers in all PHP versions, unsecure HTTP is also disabled by default * Fixed stashing and cleaning up of untracked files when updating packages * Fixed plugins being enabled after installation even when --no-plugins * Many small bug fixes and additions ### [1.0.0-alpha11] - 2015-11-14 * Added config.platform to let you specify what your target environment looks like and make sure you do not inadvertently install dependencies that would break it * Added `exclude-from-classmap` in the autoload config that lets you ignore sub-paths of classmapped directories, or psr-0/4 directories when building optimized autoloaders * Added `path` repository type to install/symlink packages from local paths * Added possibility to reference script handlers from within other handlers using @script-name to reduce duplication * Added `suggests` command to show what packages are suggested, use -v to see more details * Added `content-hash` inside the composer.lock to restrict the warnings about outdated lock file to some specific changes in the composer.json file * Added `archive-format` and `archive-dir` config options to specify default values for the archive command * Added --classmap-authoritative to `install`, `update`, `require`, `remove` and `dump-autoload` commands, forcing the optimized classmap to be authoritative * Added -A / --with-dependencies to the `validate` command to allow validating all your dependencies recursively * Added --strict to the `validate` command to treat any warning as an error that then returns a non-zero exit code * Added a dependency on composer/semver, which is the externalized lib for all the version constraints parsing and handling * Added support for classmap autoloading to load plugin classes and script handlers * Added `bin-compat` config option that if set to `full` will create .bat proxy for binaries even if Composer runs in a linux VM * Added SPDX 2.0 support, and externalized that in a composer/spdx-licenses lib * Added warnings when the classmap autoloader finds duplicate classes * Added --file to the `archive` command to choose the filename * Added Ctrl+C handling in create-project to cancel the operation cleanly * Fixed version guessing to use ^ always, default to stable versions, and avoid versions that require a higher php version than you have * Fixed the lock file switching back and forth between old and new URL when a package URL is changed and many people run updates * Fixed partial updates updating things they shouldn't when the current vendor dir was out of date with the lock file * Fixed PHAR file creation to be more reproducible and always generate the exact same phar file from a given source * Fixed issue when checking out git branches or tags that are also the name of a file in the repo * Many minor fixes and documentation additions and UX improvements ### [1.0.0-alpha10] - 2015-04-14 * Break: The following event classes are deprecated and you should update your script handlers to use the new ones in type hints: - `Composer\Script\CommandEvent` is deprecated, use `Composer\Script\Event` - `Composer\Script\PackageEvent` is deprecated, use `Composer\Installer\PackageEvent` * Break: Output is now split between stdout and stderr. Any irrelevant output to each command is on stderr as per unix best practices. * Added support for npm-style semver operators (`^` and `-` ranges, ` ` = AND, `||` = OR) * Added --prefer-lowest to `update` command to allow testing a package with the lowest declared dependencies * Added support for parsing semver build metadata `+anything` at the end of versions * Added --sort-packages option to `require` command for sorting dependencies * Added --no-autoloader to `install` and `update` commands to skip autoload generation * Added --list to `run-script` command to see available scripts * Added --absolute to `config` command to get back absolute paths * Added `classmap-authoritative` config option, if enabled only the classmap info will be used by the composer autoloader * Added support for branch-alias on numeric branches * Added support for the `https_proxy`/`HTTPS_PROXY` env vars used only for https URLs * Added support for using real composer repos as local paths in `create-project` command * Added --no-dev to `licenses` command * Added support for PHP 7.0 nightly builds * Fixed detection of stability when parsing multiple constraints * Fixed installs from lock file containing updated composer.json requirement * Fixed the autoloader suffix in vendor/autoload.php changing in every build * Many minor fixes, documentation additions and UX improvements ### [1.0.0-alpha9] - 2014-12-07 * Added `remove` command to do the reverse of `require` * Added --ignore-platform-reqs to `install`/`update` commands to install even if you are missing a php extension or have an invalid php version * Added a warning when abandoned packages are being installed * Added auto-selection of the version constraint in the `require` command, which can now be used simply as `composer require foo/bar` * Added ability to define custom composer commands using scripts * Added `browse` command to open a browser to the given package's repo URL (or homepage with `-H`) * Added an `autoload-dev` section to declare dev-only autoload rules + a --no-dev flag to dump-autoload * Added an `auth.json` file, with `store-auths` config option * Added a `http-basic` config option to store login/pwds to hosts * Added failover to source/dist and vice-versa in case a download method fails * Added --path (-P) flag to the show command to see the install path of packages * Added --update-with-dependencies and --update-no-dev flags to the require command * Added `optimize-autoloader` config option to force the `-o` flag from the config * Added `clear-cache` command * Added a GzipDownloader to download single gzipped files * Added `ssh` support in the `github-protocols` config option * Added `pre-dependencies-solving` and `post-dependencies-solving` events * Added `pre-archive-cmd` and `post-archive-cmd` script events to the `archive` command * Added a `no-api` flag to GitHub VCS repos to skip the API but still get zip downloads * Added http-basic auth support for private git repos not on github * Added support for autoloading `.hh` files when running HHVM * Added support for PHP 5.6 * Added support for OTP auth when retrieving a GitHub API key * Fixed isolation of `files` autoloaded scripts to ensure they can not affect anything * Improved performance of solving dependencies * Improved SVN and Perforce support * A boatload of minor fixes, documentation additions and UX improvements ### [1.0.0-alpha8] - 2014-01-06 * Break: The `install` command now has --dev enabled by default. --no-dev can be used to install without dev requirements * Added `composer-plugin` package type to allow extensibility, and deprecated `composer-installer` * Added `psr-4` autoloading support and deprecated `target-dir` since it is a better alternative * Added --no-plugins flag to replace --no-custom-installers where available * Added `global` command to operate Composer in a user-global directory * Added `licenses` command to list the license of all your dependencies * Added `pre-status-cmd` and `post-status-cmd` script events to the `status` command * Added `post-root-package-install` and `post-create-project-cmd` script events to the `create-project` command * Added `pre-autoload-dump` script event * Added --rollback flag to self-update * Added --no-install flag to create-project to skip installing the dependencies * Added a `hhvm` platform package to require Facebook's HHVM implementation of PHP * Added `github-domains` config option to allow using GitHub Enterprise with Composer's GitHub support * Added `prepend-autoloader` config option to allow appending Composer's autoloader instead of the default prepend behavior * Added Perforce support to the VCS repository * Added a vendor/composer/autoload_files.php file that lists all files being included by the files autoloader * Added support for the `no_proxy` env var and other proxy support improvements * Added many robustness tweaks to make sure zip downloads work more consistently and corrupted caches are invalidated * Added the release date to `composer -V` output * Added `autoloader-suffix` config option to allow overriding the randomly generated autoloader class suffix * Fixed BitBucket API usage * Fixed parsing of inferred stability flags that are more stable than the minimum stability * Fixed installation order of plugins/custom installers * Fixed tilde and wildcard version constraints to be more intuitive regarding stabilities * Fixed handling of target-dir changes when updating packages * Improved performance of the class loader * Improved memory usage and performance of solving dependencies * Tons of minor bug fixes and improvements ### [1.0.0-alpha7] - 2013-05-04 * Break: For forward compatibility, you should change your deployment scripts to run `composer install --no-dev`. The install command will install dev dependencies by default starting in the next release * Break: The `update` command now has --dev enabled by default. --no-dev can be used to update without dev requirements, but it will create an incomplete lock file and is discouraged * Break: Removed support for lock files created before 2012-09-15 due to their outdated unusable format * Added `prefer-stable` flag to pick stable packages over unstable ones when possible * Added `preferred-install` config option to always enable --prefer-source or --prefer-dist * Added `diagnose` command to to system/network checks and find common problems * Added wildcard support in the update whitelist, e.g. to update all packages of a vendor do `composer update vendor/*` * Added `archive` command to archive the current directory or a given package * Added `run-script` command to manually trigger scripts * Added `proprietary` as valid license identifier for non-free code * Added a `php-64bit` platform package that you can require to force a 64bit php * Added a `lib-ICU` platform package * Added a new official package type `project` for project-bootstrapping packages * Added zip/dist local cache to speed up repetitive installations * Added `post-autoload-dump` script event * Added `Event::getDevMode` to let script handlers know if dev requirements are being installed * Added `discard-changes` config option to control the default behavior when updating "dirty" dependencies * Added `use-include-path` config option to make the autoloader look for files in the include path too * Added `cache-ttl`, `cache-files-ttl` and `cache-files-maxsize` config option * Added `cache-dir`, `cache-files-dir`, `cache-repo-dir` and `cache-vcs-dir` config option * Added support for using http(s) authentication to non-github repos * Added support for using multiple autoloaders at once (e.g. PHPUnit + application both using Composer autoloader) * Added support for .inc files for classmap autoloading (legacy support, do not do this on new projects!) * Added support for version constraints in show command, e.g. `composer show monolog/monolog 1.4.*` * Added support for svn repositories containing packages in a deeper path (see package-path option) * Added an `artifact` repository to scan a directory containing zipped packages * Added --no-dev flag to `install` and `update` commands * Added --stability (-s) flag to create-project to lower the required stability * Added --no-progress to `install` and `update` to hide the progress indicators * Added --available (-a) flag to the `show` command to display only available packages * Added --name-only (-N) flag to the `show` command to show only package names (one per line, no formatting) * Added --optimize-autoloader (-o) flag to optimize the autoloader from the `install` and `update` commands * Added -vv and -vvv flags to get more verbose output, can be useful to debug some issues * Added COMPOSER_NO_INTERACTION env var to do the equivalent of --no-interaction (should be set on build boxes, CI, PaaS) * Added PHP 5.2 compatibility to the autoloader configuration files so they can be used to configure another autoloader * Fixed handling of platform requirements of the root package when installing from lock * Fixed handling of require-dev dependencies * Fixed handling of unstable packages that should be downgraded to stable packages when updating to new version constraints * Fixed parsing of the `~` operator combined with unstable versions * Fixed the `require` command corrupting the json if the new requirement was invalid * Fixed support of aliases used together with `#` constraints * Improved output of dependency solver problems by grouping versions of a package together * Improved performance of classmap generation * Improved mercurial support in various places * Improved lock file format to minimize unnecessary diffs * Improved the `config` command to support all options * Improved the coverage of the `validate` command * Tons of minor bug fixes and improvements ### [1.0.0-alpha6] - 2012-10-23 * Schema: Added ability to pass additional options to repositories (i.e. ssh keys/client certificates to secure private repos) * Schema: Added a new `~` operator that should be preferred over `>=`, see http://getcomposer.org/doc/01-basic-usage.md#package-versions * Schema: Version constraints `` flags in require for restricting packages to a certain stability * Schema: Removed `recommend` * Schema: `suggest` is now informational and can use any description for a package, not only a constraint * Break: vendor/.composer/autoload.php has been moved to vendor/autoload.php, other files are now in vendor/composer/ * Added caching of repository metadata (faster startup times & failover if packagist is down) * Added removal of packages that are not needed anymore * Added include_path support for legacy projects that are full of require_once statements * Added installation notifications API to allow better statistics on Composer repositories * Added support for proxies that require authentication * Added support for private github repositories over https * Added autoloading support for root packages that use target-dir * Added awareness of the root package presence and support for it's provide/replace/conflict keys * Added IOInterface::isDecorated to test for colored output support * Added validation of licenses based on the [SPDX registry](http://www.spdx.org/licenses/) * Improved repository protocol to have large cacheable parts * Fixed various bugs relating to package aliasing, proxy configuration, binaries * Various bug fixes and docs improvements ### [1.0.0-alpha2] - 2012-04-03 * Added `create-project` command to install a project from scratch with composer * Added automated `classmap` autoloading support for non-PSR-0 compliant projects * Added human readable error reporting when deps can not be solved * Added support for private GitHub and SVN repositories (use --no-interaction for CI) * Added "file" downloader type to download plain files * Added support for authentication with svn repositories * Added autoload support for PEAR repositories * Improved clones from GitHub which now automatically select between git/https/http protocols * Improved `validate` command to give more feedback * Improved the `search` & `show` commands output * Removed dependency on filter_var * Various robustness & error handling improvements, docs fixes and more bug fixes ### 1.0.0-alpha1 - 2012-03-01 * Initial release [1.0.3]: https://github.com/composer/composer/compare/1.0.2...1.0.3 [1.0.2]: https://github.com/composer/composer/compare/1.0.1...1.0.2 [1.0.1]: https://github.com/composer/composer/compare/1.0.0...1.0.1 [1.0.0]: https://github.com/composer/composer/compare/1.0.0-beta2...1.0.0 [1.0.0-beta2]: https://github.com/composer/composer/compare/1.0.0-beta1...1.0.0-beta2 [1.0.0-beta1]: https://github.com/composer/composer/compare/1.0.0-alpha11...1.0.0-beta1 [1.0.0-alpha11]: https://github.com/composer/composer/compare/1.0.0-alpha10...1.0.0-alpha11 [1.0.0-alpha10]: https://github.com/composer/composer/compare/1.0.0-alpha9...1.0.0-alpha10 [1.0.0-alpha9]: https://github.com/composer/composer/compare/1.0.0-alpha8...1.0.0-alpha9 [1.0.0-alpha8]: https://github.com/composer/composer/compare/1.0.0-alpha7...1.0.0-alpha8 [1.0.0-alpha7]: https://github.com/composer/composer/compare/1.0.0-alpha6...1.0.0-alpha7 [1.0.0-alpha6]: https://github.com/composer/composer/compare/1.0.0-alpha5...1.0.0-alpha6 [1.0.0-alpha5]: https://github.com/composer/composer/compare/1.0.0-alpha4...1.0.0-alpha5 [1.0.0-alpha4]: https://github.com/composer/composer/compare/1.0.0-alpha3...1.0.0-alpha4 [1.0.0-alpha3]: https://github.com/composer/composer/compare/1.0.0-alpha2...1.0.0-alpha3 [1.0.0-alpha2]: https://github.com/composer/composer/compare/1.0.0-alpha1...1.0.0-alpha2