Composer 2.1.9 and 1.10.23 released with security and bug fixes

Published on 2021-10-05

Composer, the PHP dependency manager, has released versions 2.1.9 and 1.10.23. Both releases contain one security fix along with several bug fixes.

The security fix addresses a command-injection vulnerability caused by incorrect command-line escaping on Windows. The vulnerability is tracked as CVE-2021-41116 and as GitHub advisory GHSA-frqg-7g38-6gcf.

Composer running on operating systems other than Windows is not affected. Composer running under Windows Subsystem for Linux (WSL) is not affected either, because the command line is handled by the Linux shell rather than by cmd.exe.
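As an added illustration (this is not Composer's code and does not reproduce the exact code path fixed in these releases), the following PHP shows the general problem behind this class of bug: quoting that is correct for a Windows program's argv parser is not correct for cmd.exe, which parses the same line first whenever a command is handed to proc_open() as a string. The helper names, the simplified cmd.exe model and the hostile branch name are assumptions made for this example; PHP 7.4 or later is assumed for the array form of proc_open().

```php
<?php
declare(strict_types=1);

// Added illustration, not Composer's code. Helper names, the hostile branch
// name and the simplified cmd.exe model are assumptions for this example.

/**
 * Quote one argument for the Microsoft C runtime's argv parser: wrap in
 * double quotes, backslash-escape embedded quotes, and double any backslash
 * run that precedes a quote or ends the argument. This is correct for
 * CreateProcess()/argv, but cmd.exe does not know these rules. (PHP's own
 * escapeshellarg() is no substitute on Windows: there it replaces %, ! and
 * double quotes with spaces, which silently corrupts arguments.)
 */
function quoteForCrt(string $arg): string
{
    if ($arg !== '' && !preg_match('/[\s"]/', $arg)) {
        return $arg;
    }
    // n backslashes followed by a quote become 2n+1 backslashes plus the quote.
    $arg = preg_replace('/(\\\\*)"/', '$1$1\\\\"', $arg);
    // A trailing backslash run must not escape the closing quote we add.
    $arg = preg_replace('/(\\\\+)$/', '$1$1', $arg);
    return '"' . $arg . '"';
}

/**
 * Build the single string a shell-based runner would hand to "cmd.exe /c",
 * which is what proc_open() does on Windows when given a string command.
 */
function buildGitFetchLine(string $remote, string $branch): string
{
    return implode(' ', array_map('quoteForCrt', ['git', 'fetch', $remote, $branch]));
}

/**
 * Minimal model of cmd.exe's line parsing: a double quote toggles quote mode;
 * outside quote mode ^ makes the next character literal, and & | < > start a
 * new command or a redirection. (%VAR% expansion is a separate, earlier
 * stage and is not modelled.) Returns the first metacharacter cmd.exe would
 * act on, or null if it sees none.
 */
function cmdSeesUnquotedMetachar(string $line): ?string
{
    $inQuote = false;
    for ($i = 0, $n = strlen($line); $i < $n; $i++) {
        $c = $line[$i];
        if ($c === '"') {
            $inQuote = !$inQuote;
        } elseif (!$inQuote && $c === '^') {
            $i++; // the escaped character is literal
        } elseif (!$inQuote && strpos('&|<>', $c) !== false) {
            return $c;
        }
    }
    return null;
}

/**
 * The approach that removes the problem: pass argv as an array. On PHP 7.4+
 * proc_open() then starts the program directly and quotes each argument
 * itself, so no shell parses the line and no hand-written escaper is needed.
 */
function runWithoutShell(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed hostile input: to the CRT parser the backslash-quote pair is a
// literal quote inside the argument, but to cmd.exe the quote simply ends
// quote mode, leaving " & calc.exe" as a second command.
$branch = 'main\" & calc.exe';
$line = buildGitFetchLine('origin', $branch);

echo 'string form handed to cmd.exe: ', $line, PHP_EOL;
echo 'metacharacter cmd.exe would act on: ', cmdSeesUnquotedMetachar($line) ?? 'none', PHP_EOL;

// With the array form the same value arrives in the child as one argument,
// byte for byte, because no shell ever sees the line.
$result = runWithoutShell([PHP_BINARY, '-r', 'echo $argv[1];', '--', $branch]);
echo 'child received exactly the branch name: ', var_export($result['stdout'] === $branch, true), PHP_EOL;
```

The scanner is deliberately a model, not a reimplementation of cmd.exe; its point is that a review of an escaping routine has to consider every parser the string passes through, and on Windows that is at least two. The practical takeaway for PHP code that spawns version-control tools with user-influenced arguments is to use the array form of proc_open() and avoid building a command string at all.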

Affected Versions and Released Versions

  • Composer 1.x series: All versions prior to 1.10.23 are vulnerable. Update to Composer 1.10.23 or later.
  • Composer 2.x series: All versions prior to 2.1.9 are vulnerable. Update to Composer 2.1.9 or later.

Updating Composer

To update an existing Composer installation, run:

composer self-update

Projects that declare composer/composer as a dependency at a version prior to 2.1.9 (2.x series) or 1.10.23 (1.x series), and that have Dependabot enabled on GitHub, should start receiving a security alert in the coming hours. Declaring composer/composer as a dependency is only necessary for projects that use Composer's own APIs, which mostly means Composer plugins; an ordinary application or library does not need it.

To raise the Composer version required by a Composer plugin, update the composer/composer requirement in the plugin's composer.json file:

"require": {
-  "composer/composer": "^2.0.13"
+  "composer/composer": "^2.1.9"
}
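Review bot: the new constraint `^2.1.9` restricts the plugin to the Composer 2.x series, so a plugin that still supports 1.x users would drop them with this change; if both series are supported, use an OR constraint that names the fixed release of each series, for example `"composer/composer": "^1.10.23 || ^2.1.9"`.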
