This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Update composer fork (#3)
* Include stdout as well as stderr if git stash/diff/.. fails, fixes composer#9720

* Remove version argument from why and enforce it for why-not command, refs composer#9693

* Fix compiler on Windows (composer#9730)

* Preserve file permissions on Windows self-update (composer#9733)

Windows file operations result in different file permissions depending
if the file is copied or moved. A copy operation applies permissions
from the destination folder (or file if it already exists and does not
use inheritance), while a move operation generally preserves the source
file permissions.

Windows PHP `rename` uses MoveFileEx so if the user is running as an
admin and the destination is in a common (non-user) location, then the
permission for other users will be replaced by the admin user. Likewise
for the UAC elevation feature, which uses the cmd.exe `move` command.

This fix uses copy and delete operations on Windows, so that other users
can continue to run composer.phar

* Proxy handling docs and tweaks (composer#9735)

* Fix functional tests to use the same PHP version as PHPUnit runs with

* Add support for @php <abs path to binary from PATH>, fixes composer#9726

* Fix issue extracting archives into paths that already exist, fixes composer/installers#479

* Avoid using str_replace for dev-master replacement as that may be a valid part of a branch name, fixes composer#9739

* Fix php-proxying of binaries to avoid proxying phar files, fixes composer#9742

* Make sure that single files installed via file downloader get the executable bit set if they are a binary file, refs composer#9742

* Fix var shadowing

* Fix unclear error when a package can be found in lock but not in the remote repo, fixes composer#9750

* Update release step to use php8 as it produces slightly different output wrt white-space, fixes composer#9746

* Bump phpstan to level 3 (composer#9734)

Clean up PackageInterface/CompletePackageInterface, add missing methods, type things in solver as BasePackage, added CompleteAliasPackage, ..

* Update GitHub token pattern

GitHub is updating the format of auth tokens from `a-z0-9` to `A-Za-z0-9` ([notice](https://github.blog/changelog/2021-03-04-authentication-token-format-updates/)).
I'm not sure why `.` is allowed, but I dare not to remove it. In this PR, the token validation regex is updated to allow `A-Za-z0-9` instead of the current all lower-case `a-z` and disallowed `_`.

* Document GH token usage and also make sure we redact them in Process debug output, refs composer#9757

* Remove output "summary" from fund command. Fund does not provide this type of format. (composer#9748)

* Clarify behavior of name in VCS repo, closes composer#9752

* Add --format json to search command (composer#9747)


Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>

* Attempt working around Vagrant filesystem issues, added COMPOSER_RUNTIME_ENV env var (set to vagrant), fixes composer#9627

* Prefer @phpstan- annotations as that is what we run against

* Fix phpdoc

* Make full functional test output more reliable

* Create pull_request_template.md

* Only call sapi_windows_set_ctrl_handler() for CLI requests (composer#9771)

* MaxFileSizeException should reject download job (composer#9778)

* Also attempt working around Vagrant filesystem issues when installing plugins initially, refs composer#9627

* Add source package name to debug info when enabling plugins

* Add dev mode env var for scripts run (composer#9793)

Co-authored-by: Vitali Tsyrkin <vitalit@playtika.com>

* Update github token pattern to match their latest updates

* Update changelog

* Tweak virtualbox detection and improve it by detecting vbox additions, refs composer#9627

* Update changelog

* Fixed detection of hg version when localized, fixes composer#9753

* Fix type warning on php8.1, refs composer#9770

* Support --no-dev combined with --locked in outdated/show commands, fixes composer#9788

* Improve InstalledVersions docs slightly

* Fix doctype annotations

* Change root.dev-requirement to root.dev in installed.php as the root is not required per se, and this simply tracks the dev mode at install time

* Fix tests

* Make ComposerRepository::configurePackageTransportOptions() protected. (composer#9818)

* Fix doctype annotations

* Switch to composer/metadata-minifier, fixes composer#9727

* Add new dep to the tests

* Change default preferred-install to dist, add --prefer-install=auto|dist|source to allow specifying auto (composer#9603)

Fixes composer#9546
Fixes composer#9674

* Add warning when loading plugins of type composer-installer as they are unlikely to function correctly and should be upgraded to the composer-plugin type

* Fix output listing some updates that do not really happen when updating mirrors/--lock, fixes composer#9812

* Make sure update mirrors/--lock keeps the release date of the original reference when dev versions have newer commits, refs composer#9812

* Fire POST_FILE_DOWNLOAD event for metadata fetched by ComposerRepository.

* Clean stuff up and deprecate old usages for PostFileDownloadEvent

* Add repository instance to Pre/PostFileDownloadEvent metadata

* Added link to composer.org docs on ProcessTimedOutException (composer#9796)

* ComposerRepository::asyncFetchFile() does not pass the downloaded URL to PostFileDownloadEvent (composer#9827)

* Update 00-intro.md

* Upgrade to xdebug-handler 2 (composer#9832)

This adds support for Xdebug3 modes and changes the default behaviour
from always restarting if Xdebug is loaded, to only restarting if Xdebug
is active.

Xdebug is considered active if it is loaded, and for Xdebug3, if it is
running in a mode other than `xdebug.mode=off`.

* Fix source links, fixes composer#9836

* Allow PreFileDownloadEvent to carry transport options for metadata (composer#9831)

* Use jsonc highlighting

* "composer init --autoload" - Interactive generates PSR-4 autoloader in composer.json (composer#9829)

- Generates PSR-4 autoload entry in composer.json.
- Run dump-autoload, if no dependencies are set

* Fix install step at the end of init command

* Fix install step at the end of init command

* Merge pull request from GHSA-h5h8-pc6h-jvvx

* Fix external process calls to avoid user input being able to pass extra parameters

* Tweak some fixes

* Merge pull request from GHSA-h5h8-pc6h-jvvx

* Fix external process calls to avoid user input being able to pass extra parameters

* Tweak some fixes

* Update changelog

* Update changelog

* Add basic source/dist validation

* Allow ints in source/dist reference

* Also make sure type is correct for preg_match

* BinaryInstaller: install full binaries on WSL when bin-compat=auto (composer#9855)

* Hint at a branch rename if we detect dev-master can not be found but dev-main or dev-default exists, fixes composer#9850

* Also condense dev-* versions if there are many, refs composer#9850

* Introduce a cross-platform safe version of is_readable to support UNC / wsl$ paths on Windows (composer#9861)

* Fix handling of inline-update-constraints with refs or stability flags, fixes composer#9847

* Link to GitLab documentation for auth (composer#9833)



Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>

* Avoid leaving the event stack in a dirty state if an event listener throws, fixes composer#9846

* Fix invalid interface usage

* Fix type issues with root package interface

* Also handle throwable on supported php versions

* Fix EOL of text files (composer#9877)

* Fix update fork changes

* Add skipping svn downloader

* Revert skipping in svn downloader

Co-authored-by: Jordi Boggiano <j.boggiano@seld.be>
Co-authored-by: Nils Adermann <naderman@naderman.de>
Co-authored-by: John Stevenson <john-stevenson@blueyonder.co.uk>
Co-authored-by: Ayesh Karunaratne <ayesh@aye.sh>
Co-authored-by: ochorocho <jochen.roth@b13.com>
Co-authored-by: Brandon Kelly <brandon@pixelandtonic.com>
Co-authored-by: Stephan <glaubinix@users.noreply.github.com>
Co-authored-by: vitman <vitalyhome@tut.by>
Co-authored-by: Vitali Tsyrkin <vitalit@playtika.com>
Co-authored-by: Adam <adam@phenaproxima.net>
Co-authored-by: Markus Staab <markus.staab@redaxo.de>
Co-authored-by: Antoine Makdessi <amakdessi@me.com>
Co-authored-by: Andreas Scheibel <contact@camya.com>
Co-authored-by: Markus Staab <47448731+clxmstaab@users.noreply.github.com>
Co-authored-by: timrizzi <tim.rizzi@gmail.com>
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz>
17 people committed May 14, 2021
1 parent f981495 commit b2e2c8a
Showing 190 changed files with 2,582 additions and 1,115 deletions.
5 changes: 5 additions & 0 deletions .github/pull_request_template.md
@@ -0,0 +1,5 @@
<!-- Please remember to select the appropriate branch:
For bug or doc fixes pick the oldest branch where the bugfix applies (2.0 typically, or 1.10 if it is a critical fix that should be fixed in Composer 1)
For new features and everything else, use the master branch. -->
2 changes: 1 addition & 1 deletion .github/workflows/phpstan.yml
Expand Up @@ -52,5 +52,5 @@ jobs:
- name: Run PHPStan
# Locked to phpunit 7.5 here as newer ones have void return types which break inheritance
run: |
bin/composer require --dev phpstan/phpstan:^0.12.69 phpunit/phpunit:^7.5.20 --with-all-dependencies ${{ env.COMPOSER_FLAGS }}
bin/composer require --dev phpstan/phpstan:^0.12.69 phpstan/phpstan-phpunit:^0.12.17 phpunit/phpunit:^7.5.20 --with-all-dependencies ${{ env.COMPOSER_FLAGS }}
vendor/bin/phpstan analyse --configuration=phpstan/config.neon
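Review bot: the `bin/composer require --dev` line now also installs `phpstan/phpstan-phpunit:^0.12.17`, but nothing visible in this hunk registers it with PHPStan. Unless `phpstan/config.neon` includes the extension's `extension.neon` (and `rules.neon` if the extra rules are wanted), the package is downloaded on every run and never loaded. All three tools are also resolved from caret ranges at job time, so the analysis result can change without any commit; pinning exact versions would keep a rule-level bump reviewable.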
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
coverage: "none"
extensions: "intl"
ini-values: "memory_limit=-1"
php-version: "7.4"
php-version: "8.0"

- name: "Install dependencies from composer.lock using composer binary provided by system"
run: "composer install ${{ env.COMPOSER_FLAGS }}"
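Review bot: the `php-version: "8.0"` change carries no comment, unlike the PHPStan job, which documents why its phpunit version is locked. The commit message gives the reason (PHP 8 produces slightly different white-space output, composer#9746), and because this is the release workflow that rationale belongs next to the value so a later bump is made deliberately. A one-line YAML comment above `php-version` would do.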
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -8,4 +8,4 @@ phpunit.xml
.vagrant
Vagrantfile
.idea
.php_cs.cache
.php_cs.cache
33 changes: 33 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,23 @@
### [2.0.13] 2021-04-27

* Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)
* Fixed install step at the end of the init command to take new dependencies into account correctly
* Fixed `update --lock` listing updates which were not really happening (#9812)
* Fixed support for --no-dev combined with --locked in outdated and show commands (#9788)

### [2.0.12] 2021-04-01

* Fixed support for new GitHub OAuth token format (#9757)
* Fixed support for Vagrant/VirtualBox filesystem slowness by adding short sleeps in some places (#9627)
* Fixed unclear error reporting when a package is in the lock file but not in the remote repositories (#9750)
* Fixed processes silently ignoring the CWD when it does not exist
* Fixed new Windows bin handling to avoid proxying phar files (#9742)
* Fixed issue extracting archives into paths that already exist, fixing problems with some custom installers (composer/installers#479)
* Fixed support for branch names starting with master/trunk/default (#9739)
* Fixed self-update to preserve phar file permissions on Windows (#9733)
* Fixed detection of hg version when localized (#9753)
* Fixed git execution failures to also include the stdout output (#9720)

### [2.0.11] 2021-02-24

* Reverted "Fixed runtime autoloader registration (for plugins and script handlers) to prefer the project dependencies over the bundled Composer ones" as it caused more problems than expected
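Review bot: the 2.0.12 list mentions the new GitHub OAuth token format (#9757) but not the other half of that change described in the commit message, redacting tokens in Process debug output. That is the security-relevant part for anyone who shares debug logs, so it deserves its own bullet. Separately, "Fixed processes silently ignoring the CWD when it does not exist" is the only 2.0.12 bullet without an issue reference.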
Expand Down Expand Up @@ -183,6 +203,15 @@
* Fixed suggest output being very spammy, it now is only one line long and shows more rarely
* Fixed conflict rules like e.g. >=5 from matching dev-master, as it is not normalized to 9999999-dev internally anymore

### [1.10.22] 2021-04-27

* Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)

### [1.10.21] 2021-04-01

* Fixed support for new GitHub OAuth token format
* Fixed processes silently ignoring the CWD when it does not exist

### [1.10.20] 2021-01-27

* Fixed exclude-from-classmap causing regex issues when having too many paths
Expand Down Expand Up @@ -1114,6 +1143,8 @@

* Initial release

[2.0.13]: https://github.com/composer/composer/compare/2.0.12...2.0.13
[2.0.12]: https://github.com/composer/composer/compare/2.0.11...2.0.12
[2.0.11]: https://github.com/composer/composer/compare/2.0.10...2.0.11
[2.0.10]: https://github.com/composer/composer/compare/2.0.9...2.0.10
[2.0.9]: https://github.com/composer/composer/compare/2.0.8...2.0.9
Expand All @@ -1131,6 +1162,8 @@
[2.0.0-alpha3]: https://github.com/composer/composer/compare/2.0.0-alpha2...2.0.0-alpha3
[2.0.0-alpha2]: https://github.com/composer/composer/compare/2.0.0-alpha1...2.0.0-alpha2
[2.0.0-alpha1]: https://github.com/composer/composer/compare/1.10.7...2.0.0-alpha1
[1.10.22]: https://github.com/composer/composer/compare/1.10.21...1.10.22
[1.10.21]: https://github.com/composer/composer/compare/1.10.20...1.10.21
[1.10.20]: https://github.com/composer/composer/compare/1.10.19...1.10.20
[1.10.19]: https://github.com/composer/composer/compare/1.10.18...1.10.19
[1.10.18]: https://github.com/composer/composer/compare/1.10.17...1.10.18
2 changes: 1 addition & 1 deletion bin/composer
Expand Up @@ -14,7 +14,7 @@ use Composer\XdebugHandler\XdebugHandler;
error_reporting(-1);

// Restart without Xdebug
$xdebug = new XdebugHandler('Composer', '--ansi');
$xdebug = new XdebugHandler('Composer');
$xdebug->check();
unset($xdebug);

3 changes: 2 additions & 1 deletion composer.json
Expand Up @@ -24,9 +24,10 @@
"require": {
"php": "^5.3.2 || ^7.0 || ^8.0",
"composer/ca-bundle": "^1.0",
"composer/metadata-minifier": "^1.0",
"composer/semver": "^3.0",
"composer/spdx-licenses": "^1.2",
"composer/xdebug-handler": "^1.1",
"composer/xdebug-handler": "^2.0",
"justinrainbow/json-schema": "^5.2.10",
"psr/log": "^1.0",
"seld/jsonlint": "^1.4",
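Review bot: `composer/metadata-minifier` is a new runtime dependency in `require` and `composer/xdebug-handler` moves to a new major, yet the matching composer.lock diff (78 additions, 8 deletions) is not rendered on this page. Both packages end up in what Composer ships, so the lock changes should be reviewed explicitly: resolved versions, dist URLs and references for the new and bumped packages.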
86 changes: 78 additions & 8 deletions composer.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion doc/00-intro.md
Expand Up @@ -155,7 +155,7 @@ Close your current terminal. Test usage with a new terminal:

```sh
C:\Users\username>composer -V
Composer version 1.0.0 2016-01-10 20:34:53
Composer version 2.0.12 2021-04-01 10:14:59
```

## Using Composer
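Review bot: the sample output now reads `Composer version 2.0.12`, while the CHANGELOG in this same commit already lists 2.0.13 with the CVE-2021-29472 fix. A hardcoded version in the install docs goes stale at every release, and here it shows a release that predates a security fix; use 2.0.13 or a neutral placeholder such as `Composer version 2.x.y`.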
66 changes: 48 additions & 18 deletions doc/03-cli.md
Expand Up @@ -65,6 +65,7 @@ php composer.phar init
the list of requires. Every repository can be either an HTTP URL pointing
to a `composer` repository or a JSON string which similar to what the
[repositories](04-schema.md#repositories) key accepts.
* **--autoload (-a):** Add a PSR-4 autoload mapping to the composer.json. Automatically maps your package's namespace to the provided directory. (Expects a relative path, e.g. src/) See also [PSR-4 autoload](04-schema.md#psr-4).

## install / i

Expand All @@ -84,17 +85,14 @@ resolution.

### Options

* **--prefer-source:** There are two ways of downloading a package: `source`
and `dist`. For stable versions Composer will use the `dist` by default.
The `source` is a version control repository. If `--prefer-source` is
enabled, Composer will install from `source` if there is one. This is
useful if you want to make a bugfix to a project and get a local git
clone of the dependency directly.
* **--prefer-dist:** Reverse of `--prefer-source`, Composer will install
from `dist` if possible. This can speed up installs substantially on build
servers and other use cases where you typically do not run updates of the
vendors. It is also a way to circumvent problems with git if you do not
have a proper setup.
* **--prefer-install:** There are two ways of downloading a package: `source`
and `dist`. Composer uses `dist` by default. If you pass
`--prefer-install=source` (or `--prefer-source`) Composer will install from
`source` if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use `source` automatically for dev
versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](06-config.md#preferred-install).
Passing this flag will override the config value.
* **--dry-run:** If you want to run through an installation without actually
installing a package, you can use `--dry-run`. This will simulate the
installation and show you what would happen.
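Review bot: the new `--prefer-install` text names `--prefer-source` as an alias but never mentions `--prefer-dist` or `--prefer-install=dist`, so readers of scripts that pass `--prefer-dist` cannot tell from this page whether the flag still exists. Add the `dist` value to the description alongside `source` and `auto`. There is also a grammar slip: "where Composer use `source` automatically" should read "uses", and the same paragraph is repeated in the update, require and create-project sections, so fix it in all four.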
Expand Down Expand Up @@ -169,8 +167,14 @@ php composer.phar update vendor/package:2.0.1 vendor/package2:3.0.*

### Options

* **--prefer-source:** Install packages from `source` when available.
* **--prefer-dist:** Install packages from `dist` when available.
* **--prefer-install:** There are two ways of downloading a package: `source`
and `dist`. Composer uses `dist` by default. If you pass
`--prefer-install=source` (or `--prefer-source`) Composer will install from
`source` if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use `source` automatically for dev
versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](06-config.md#preferred-install).
Passing this flag will override the config value.
* **--dry-run:** Simulate the command without actually doing anything.
* **--dev:** Install packages listed in `require-dev` (this is the default behavior).
* **--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules.
Expand Down Expand Up @@ -232,8 +236,14 @@ If you do not specify a package, composer will prompt you to search for a packag

* **--dev:** Add packages to `require-dev`.
* **--dry-run:** Simulate the command without actually doing anything.
* **--prefer-source:** Install packages from `source` when available.
* **--prefer-dist:** Install packages from `dist` when available.
* **--prefer-install:** There are two ways of downloading a package: `source`
and `dist`. Composer uses `dist` by default. If you pass
`--prefer-install=source` (or `--prefer-source`) Composer will install from
`source` if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use `source` automatically for dev
versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](06-config.md#preferred-install).
Passing this flag will override the config value.
* **--no-progress:** Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
* **--no-update:** Disables the automatic update of the dependencies (implies --no-install).
Expand Down Expand Up @@ -359,6 +369,11 @@ You can also search for more than one term by passing multiple arguments.

* **--only-name (-N):** Search only in name.
* **--type (-t):** Search for a specific package type.
* **--format (-f):** Lets you pick between text (default) or json output format.
Note that in the json, only the name and description keys are guaranteed to be
present. The rest (`url`, `repository`, `downloads` and `favers`) are available
for Packagist.org search results and other repositories may return more or less
data.

## show

Expand Down Expand Up @@ -485,7 +500,7 @@ get machine-readable output.

### Options

* **--format:** Format of the output: text, json or summary (default: "text")
* **--format (-f):** Lets you pick between text (default) or json output format.

## depends (why)

Expand Down Expand Up @@ -740,8 +755,14 @@ By default the command checks for the packages on packagist.org.
### Options
* **--stability (-s):** Minimum stability of package. Defaults to `stable`.
* **--prefer-source:** Install packages from `source` when available.
* **--prefer-dist:** Install packages from `dist` when available.
* **--prefer-install:** There are two ways of downloading a package: `source`
and `dist`. Composer uses `dist` by default. If you pass
`--prefer-install=source` (or `--prefer-source`) Composer will install from
`source` if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use `source` automatically for dev
versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](06-config.md#preferred-install).
Passing this flag will override the config value.
* **--repository:** Provide a custom repository to search for the package,
which will be used instead of packagist. Can be either an HTTP URL pointing
to a `composer` repository, a path to a local `packages.json` file, or a
Expand Down Expand Up @@ -1004,6 +1025,15 @@ cannot be guessed from VCS info and is not present in `composer.json`.
By setting this var you can make Composer install the dependencies into a
directory other than `vendor`.
### COMPOSER_RUNTIME_ENV
This lets you hint under which environment Composer is running, which can help Composer
work around some environment specific issues. The only value currently supported is
`virtualbox`, which then enables some short `sleep()` calls to wait for the filesystem
to have written files properly before we attempt reading them. You can set the
environment variable if you use Vagrant or VirtualBox and experience issues with files not
being found during installation even though they should be present.
### http_proxy or HTTP_PROXY
If you are using Composer from behind an HTTP proxy, you can use the standard
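Review bot: the `COMPOSER_RUNTIME_ENV` section says the only supported value is `virtualbox`, but the commit message introduces the variable as "set to vagrant". Confirm which value the code actually checks and make the docs and changelog agree, otherwise users who follow the commit message will set a value that silently does nothing. It would also help to say what happens when an unsupported value is set.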
12 changes: 11 additions & 1 deletion doc/06-config.md
Expand Up @@ -31,7 +31,7 @@ in the PHP include path.

## preferred-install

Defaults to `auto` and can be any of `source`, `dist` or `auto`. This option
Defaults to `dist` and can be any of `source`, `dist` or `auto`. This option
allows you to set the install method Composer will prefer to use. Can
optionally be a hash of patterns for more granular install preferences.

Expand All @@ -48,6 +48,16 @@ optionally be a hash of patterns for more granular install preferences.
}
```

- `source` means Composer will install packages from their `source` if there
is one. This is typically a git clone or equivalent checkout of the version
control system the package uses. This is useful if you want to make a bugfix
to a project and get a local git clone of the dependency directly.
- `auto` is the legacy behavior where Composer uses `source` automatically
for dev versions, and `dist` otherwise.
- `dist` (the default as of Composer 2.1) means Composer installs from `dist`,
where possible. This is typically a zip file download, which is faster than
cloning the entire repository.

> **Note:** Order matters. More specific patterns should be earlier than
> more relaxed patterns. When mixing the string notation with the hash
> configuration in global and package configurations the string notation
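Review bot: the `dist` bullet says it is the default "as of Composer 2.1", but the opening sentence changed in the previous hunk states "Defaults to `dist`" with no version, and the CHANGELOG hunks in this commit stop at 2.0.13 without recording the change. Per the text replaced in that hunk the previous default was `auto`, which installs dev versions from `source`, so state the version in the opening sentence too and add a changelog entry for the release that flips the default.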
