Composer 2.10.2
Overview
Composer 2.10.2 has been released on July 1, 2026. This is a security-focused update addressing six distinct vulnerabilities while also introducing several quality-of-life improvements. All users are strongly advised to upgrade promptly.
Security Fixes
- CVE-2026-59948 — Package names are now validated to prevent injection attacks (GHSA-499r-g7pc-vmp9)
- CVE-2026-59946 — Package bin paths are now validated against path traversal (GHSA-gjfg-22fp-rrxx)
- CVE-2026-59947 — URL-embedded usernames and tokens are now sanitized in verbose output (GHSA-g6xq-892h-64w3)
- HTTP redirect safety — Composer now only follows HTTP redirects originating from HTTP responses (#12948)
- Phar metadata protection — Prevents phar metadata unserialization on unsafe PHP versions (#12946)
- JSON error sanitization — JSON parse errors in HTTP responses are sanitized to avoid leaking response body data (#12959)
New Features
- EOL warnings — The
self-updatecommand now outputs a warning when using a soon-to-be end-of-life version (#12920) - Download retries — Added automatic retry when a GitHub codeload URL returns a 400 status (#12962)
Bug Fixes
- Audit output — The
auditcommand now correctly outputs results to stdout instead of stderr (#12904) - Backspace characters — Fixed extraneous backspace characters being output to non-decorated output streams (#12925)
- Advisory blocking — Fixed security advisory blocking causing issues when xdebug is enabled (#12935)
- Provider packages — Fixed provider packages hiding suggestions for the package they provide themselves (#12933)
Full changelog available on GitHub. Upgrade with composer self-update.