Composer 2.9 Introduces Security Improvements and New Repository Tools
Composer 2.9 has been released, bringing automatic security blocking, new CLI tools for repository management, and several workflow enhancements for PHP developers.
A key new feature is automatic security blocking. Composer now refuses to update to package versions with known vulnerabilities, using security advisory data by default. This behavior is controlled by the audit.block-insecure setting. Developers can also block abandoned packages via audit.block-abandoned, which is disabled by default. This removes the need for the roave/security-advisories package, which previously had to be required as a conflict-only dependency to get the same effect.
The update also introduces a new composer repo command, which lets users list, add, remove, or update repositories directly from the command line instead of editing composer.json by hand. Repositories are now stored as a JSON array, improving readability and structure. Examples include composer repo add, composer repo remove, and composer repo set-url.
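The two settings above and the new array form of "repositories" are easy to check in a project's composer.json before the tool ever runs. The following script is an added example, not code from the article or from Composer itself: it reports which audit blocks are off, given the defaults the release notes describe, and rewrites an object-keyed repositories entry into the array form. The sample composer.json is constructed, boolean values for the audit settings are assumed, and keeping the object key as a "name" property is an assumption about what composer repo writes.

```python
"""Inspect a composer.json for the audit.block-* settings and normalise its
"repositories" entry to the array form Composer 2.9 writes."""
import json

# Constructed sample (not from the article): a project that turned
# block-insecure off and still uses the older object-keyed repositories form.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/app",
  "config": {"audit": {"block-insecure": false}},
  "repositories": {
    "internal": {"type": "composer", "url": "https://packages.example.internal"},
    "packagist.org": false
  }
}"""

# Defaults as described in the release notes; boolean values are an assumption.
AUDIT_DEFAULTS = {"block-insecure": True, "block-abandoned": False}

def parse_composer_json(text: str) -> dict:
    """Parse composer.json text into a dict."""
    return json.loads(text)

def effective_audit_settings(composer_json: dict) -> dict:
    """Return the audit settings Composer would apply, filling in defaults."""
    configured = composer_json.get("config", {}).get("audit", {})
    return {k: bool(configured.get(k, d)) for k, d in AUDIT_DEFAULTS.items()}

def audit_findings(composer_json: dict) -> list:
    """Name each block that is off, i.e. weaker than blocking both."""
    settings = effective_audit_settings(composer_json)
    return [k for k, on in settings.items() if not on]

def repositories_as_array(composer_json: dict) -> list:
    """Rewrite object-keyed repositories as an array, in the original order.
    The object key is kept as a "name" property (assumed); the special
    `"packagist.org": false` entry that disables Packagist is preserved as-is."""
    repos = composer_json.get("repositories", [])
    if isinstance(repos, list):
        return repos
    out = []
    for name, spec in repos.items():
        out.append({name: False} if spec is False else {"name": name, **spec})
    return out

if __name__ == "__main__":
    doc = parse_composer_json(SAMPLE_COMPOSER_JSON)
    print("audit blocks off:", audit_findings(doc))
    print(json.dumps(repositories_as_array(doc), indent=2))
```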
Composer 2.9 supports automatic recovery from simple lock file conflicts. When only the content-hash is in conflict, running composer update --lock, or re-running the update, lets Composer resolve the conflict automatically.
Additional improvements include a --minimal-changes flag for constrained updates, native support for Forgejo repositories, reduced autoloader overhead in scripts, and support for HTTP/3.
The full list of changes is available in the Composer 2.9 changelog.