Bump composer/composer from 2.1.14 to 2.2.0

[dependabot]

Bumps composer/composer from 2.1.14 to 2.2.0.

Release notes

Sourced from composer/composer's releases.

2.2.0

Read the Composer 2.2 Release Announcement for more details on the release highlights.

Complete Changelog

• Bumped composer-runtime-api and composer-plugin-api to 2.2.0
• UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
• Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
• Added a global $_composer_autoload_path variable containing the path to autoload.php for binaries (#10137)
• Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
• Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
• Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
• Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
• Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
• Added a --source flag to config command to show where config values are loaded from (#10129)
• Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
• Added retry behavior on certain http status and curl error codes (#10162)
• Added abandoned flag display in search command output
• Added support for --ignore-platform-reqs in outdated command (#10293)
• Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
• Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
• Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
• Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
• Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
• Fixed unlocking of replacers when a replaced package is unlocked (#10280)
• Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
• Fixed handling of recursive package links (e.g. requiring or replacing oneself)
• Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
• Fixed archive command to produce archives with files sorted by name (#10274)
• Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
• Fixed self-update failing in some edge cases due to loading plugins (#10371)
• Fixed display of conflicts showing the wrong package name in some conditions (#10355)
• Fixed some error reporting issues (#10283, #10339)

2.2.0-RC1

Composer 2.2 will be LTS

Read more about the LTS plan and PHP version support in the upcoming Composer 2.3 if you're using a legacy PHP version.

Try it out now and get ready for the upcoming stable release

• Use composer self-update --preview to try the latest prerelease version.
• Use composer self-update --stable to go back to stable releases.

Changelog

• Bumped composer-runtime-api and composer-plugin-api to 2.2.0
• UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
• Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
• Added a global $_composer_autoload_path variable containing the path to autoload.php for binaries (#10137)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.2.0] 2021-12-22

• Added support for using dev-main as the default path repo package version if no VCS info is available (#10372)
• Added --no-scripts as a globally supported flag to all Composer commands to disable scripts execution (#10371)
• Fixed self-update failing in some edge cases due to loading plugins (#10371)
• Fixed display of conflicts showing the wrong package name in some conditions (#10355)

[2.2.0-RC1] 2021-12-08

• Bumped composer-runtime-api and composer-plugin-api to 2.2.0
• UX Change: Added allow-plugins config value to enhance security against runtime execution, this will prompt you the first time you use a plugin and may hang pipelines if they aren't using --no-interaction (-n) as they should (#10314)
• Added an optimization pass to reduce the amount of redundant inspected during resolution, drastically improving memory and CPU usage (#9261, #9620)
• Added a global $_composer_autoload_path variable containing the path to autoload.php for binaries (#10137)
• Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
• Added support for ignoring the upper bound of platform requirements using "name+" notation e.g. using --ignore-platform-req=php+ would allow installing a package requiring php: 8.0.* on PHP 8.1, but not on PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
• Added support for setting platform packages to false in config.platform to disable/hide them (#10308)
• Added use-parent-dir option to configure the prompt for using composer.json in upper directory when none is present in current dir (#10307)
• Added composer platform package which is always the exact version of Composer running unlike composer-*-api packages (#10313)
• Added a --source flag to config command to show where config values are loaded from (#10129)
• Added support for files autoloaders in the runtime scripts/plugins contexts (#10065)
• Added retry behavior on certain http status and curl error codes (#10162)
• Added abandoned flag display in search command output
• Added support for --ignore-platform-reqs in outdated command (#10293)
• Added --only-vendor (-O) flag to search command to search (and return) vendor names (#10336)
• Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
• Fixed archive command to behave more like git archive, gitignore/hgignore are not taken into account anymore, and gitattributes support was improved (#10309)
• Fixed unlocking of replacers when a replaced package is unlocked (#10280)
• Fixed auto-unlocked path repo packages also unlocking their transitive deps when -w/-W is used (#10157)
• Fixed handling of recursive package links (e.g. requiring or replacing oneself)
• Fixed env var reads to check $_SERVER and $_ENV before getenv for broader ecosystem compatibility (#10218)
• Fixed archive command to produce archives with files sorted by name (#10274)
• Fixed VcsRepository issues where server failure could cause missing tags/branches (#10319)
• Fixed some error reporting issues (#10283, #10339)

Commits

• e174a4c Release 2.2.0
• 613980b Update baseline
• f0060b7 Use web URLs for Gitlab support metadata (#10377)
• 54123e4 Fix autoloader compatibility with older releases of laminas/laminas-zendframe...
• 756c51d Update changelog
• 188b692 Add test verifying only plugin deps are autoloaded (#10374)
• 71ab70d Disable files autoloading for scripts to avoid untrusted code execution at ru...
• 8f1b3d2 Add --no-scripts to all commands and disable plugins/scripts when running sel...
• 24eac88 Switch the default version in path repo packages to dev-main and add a dev-ma...
• 95e41ae Fix phpstan
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🏰 Composer Production Dependency changes 🏰

Prod Packages	Operation	Base	Target	Link
composer/composer	Upgraded	2.1.14	2.2.0	Compare
composer/pcre	New	-	1.0.0	Compare
composer/xdebug-handler	Upgraded	2.0.2	2.0.3	Compare
seld/phar-utils	Upgraded	1.1.2	1.2.0	Compare