Composer Patches 2.0.0 Launches with Lock File, Git Patching, and Plugin API

This major update introduces a new patches.lock.json file that ensures reproducible builds by recording patch definitions and SHA-256 checksums. Every patch applied is now locked and validated, offering stronger consistency for development teams and CI environments.

The plugin now uses git apply instead of the traditional patch command, avoiding issues caused by OS-level inconsistencies. Even for packages not cloned from Git, the plugin will initialize a Git repo to enable uniform patching behavior.

Composer Patches also debuts a plugin API through Composer capabilities, enabling third-party tools to extend patch resolution, downloading, and application workflows. The system now emits lifecycle events, allowing developers to hook into custom logic.

Improved Composer integration brings support for HTTP proxies, honors the secure-http flag, and adjusts behavior when alternate composer.json files are used. The once-removed dependency patch resolution feature has been restored after community feedback.

Comprehensive new documentation is available at docs.cweagans.net, covering patch definitions, workflows, and upgrade guidance from the 1.x series.