Skip to main content

Composer 2.10.2

Release Date: July 1, 2026

Overview

Composer 2.10.2 has been released on July 1, 2026. This is a security-focused update addressing six distinct vulnerabilities while also introducing several quality-of-life improvements. All users are strongly advised to upgrade promptly.

Security Fixes

  • CVE-2026-59948 — Package names are now validated to prevent injection attacks (GHSA-499r-g7pc-vmp9)
  • CVE-2026-59946 — Package bin paths are now validated against path traversal (GHSA-gjfg-22fp-rrxx)
  • CVE-2026-59947 — URL-embedded usernames and tokens are now sanitized in verbose output (GHSA-g6xq-892h-64w3)
  • HTTP redirect safety — Composer now only follows HTTP redirects originating from HTTP responses (#12948)
  • Phar metadata protection — Prevents phar metadata unserialization on unsafe PHP versions (#12946)
  • JSON error sanitization — JSON parse errors in HTTP responses are sanitized to avoid leaking response body data (#12959)

New Features

  • EOL warnings — The self-update command now outputs a warning when using a soon-to-be end-of-life version (#12920)
  • Download retries — Added automatic retry when a GitHub codeload URL returns a 400 status (#12962)

Bug Fixes

  • Audit output — The audit command now correctly outputs results to stdout instead of stderr (#12904)
  • Backspace characters — Fixed extraneous backspace characters being output to non-decorated output streams (#12925)
  • Advisory blocking — Fixed security advisory blocking causing issues when xdebug is enabled (#12935)
  • Provider packages — Fixed provider packages hiding suggestions for the package they provide themselves (#12933)

Full changelog available on GitHub. Upgrade with composer self-update.

What is New?

By continuing to use the site, you agree to the use of cookies.