Bump composer/composer from 2.8.6 to 2.9.4

[dependabot]

Bumps composer/composer from 2.8.6 to 2.9.4.

Release notes

Sourced from composer/composer's releases.

2.9.4

• Added active plugins to the diagnose command output (#12706)
• Fixed HTTP/3 causing issues with proxies (#12699)
• Fixed show command regression with long descriptions containing unicode characters (#12704)
• Fixed regression handling invalid unicode sequences in output (#12707)
• Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
• Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: composer/composer@2.9.3...2.9.4

2.9.3

• Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
• Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
• Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
• Fixed client-certificate authentication implementation (#12667)
• Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
• Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
• Fixed support for SecureTransport + LibreSSL on macOS (#12615)
• Fixed display of reasons for why advisories are ignored (#12668)
• Fixed compatibility issues when git has log.showSignature enabled (#12666)
• Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
• Fixed EventDispatcher requiring a full Composer instance to function (#12629)

Full Changelog: composer/composer@2.9.2...2.9.3

2.9.2

• Added new --no-security-blocking flag to disable/configure security blocking (#12617)
• Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
• Fixed config command not being able to set the new audit settings (#12609)
• Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
• Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

Full Changelog: composer/composer@2.9.1...2.9.2

2.9.1

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

Full Changelog: composer/composer@2.9.0...2.9.1

2.9.0

Read the Composer 2.9 Release Announcement for more details on the release highlights.

Full Changelog

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.9.4] 2026-01-22

• Added active plugins to the diagnose command output (#12706)
• Fixed HTTP/3 causing issues with proxies (#12699)
• Fixed show command regression with long descriptions containing unicode characters (#12704)
• Fixed regression handling invalid unicode sequences in output (#12707)
• Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
• Fixed issue handling paths with = in them on Windows (#12726)

[2.9.3] 2025-12-30

• Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
• Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
• Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
• Fixed client-certificate authentication implementation (#12667)
• Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
• Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
• Fixed support for SecureTransport + LibreSSL on macOS (#12615)
• Fixed display of reasons for why advisories are ignored (#12668)
• Fixed compatibility issues when git has log.showSignature enabled (#12666)
• Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
• Fixed EventDispatcher requiring a full Composer instance to function (#12629)

[2.9.2] 2025-11-19

• Added new --no-security-blocking flag to disable/configure security blocking (#12617)
• Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
• Fixed config command not being able to set the new audit settings (#12609)
• Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
• Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

[2.9.1] 2025-11-13

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

[2.9.0] 2025-11-13

• Fixed a couple minor issues with --bump-after-update (#12598)
• Various docs fixes

[2.9.0-RC1] 2025-11-07

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
• Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
• Added audit > ignore-abandoned config setting to ignore some packages (#12572)

... (truncated)

Commits

• d422515 Release 2.9.4
• b58382c Update changelog
• 4fa255c Work around issue with msys/rmdir on windows (#12726)
• 0d661fb Fix phpstan build
• 6c886b4 Update deps
• 06d6507 Bump actions/cache from 5.0.1 to 5.0.2 (#12724)
• fa88b8a Fix php scripts outputting even tho they should not in script alias command, ...
• 5a6a11f Make sure COMPOSER_DEV_MODE is set correctly for script alias command runs
• 4243404 Fix detection of initial working directory when using relative paths with -d
• be033a8 Sanitize invalid unicode sequences into question marks to avoid preg errors (...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #685.