Version 2.9.2 - 2025-11-19

• Added new --no-security-blocking flag to disable/configure security blocking (#12617)
• Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
• Fixed config command not being able to set the new audit settings (#12609)
• Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
• Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

Version 2.9.1 - 2025-11-13

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

Version 2.9.0 - 2025-11-13

• Fixed a couple minor issues with --bump-after-update (#12598)
• Various docs fixes

Version 2.9.0-RC1 - 2025-11-07

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
• Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
• Added audit > ignore-abandoned config setting to ignore some packages (#12572)
• Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
• Added repository command to add, remove, or update repositories more easily (#12388)
• Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
• Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
• Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
• Added support for forgejo / codeberg.org repositories (#12307)
• Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
• Added support for HTTP/3 if libcurl supports it (#12363)
• Added support for custom header authentication (#12372)
• Added support for client TLS certificates (#12406)
• Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
• Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
• Added support for running init without interaction (#12546)
• Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
• Added support for Windows Sudo to elevate during self-update (#12543)
• Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
• Fixed display of dist refs for dev versions when source is missing (#12562)
• Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
• Fixed compatibility issues with Symfony 7
• Fixed issues with PHP preloading being hard to debug (#12528)