[Security] Bump composer/composer from 2.0.9 to 2.1.5 #40

Status: Open. Wants to merge 1 commit into master.
Conversation

dependabot-preview[bot]

Bumps composer/composer from 2.0.9 to 2.1.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Missing argument delimiter can lead to command execution via VCS repository URLs or source download URLs on systems with Mercurial

Affected versions: >=2.0.0-alpha1, <2.0.13; <1.10.22

Release notes

Sourced from composer/composer's releases.

2.1.5

  • Fixed create-project creating a php: directory in the directory it was executed in (#10020, #10021)
  • Fixed curl downloader to respect default_socket_timeout if it is bigger than our default 300s (#10018)

2.1.4

  • Fixed PHP 8.1 deprecation warnings (#10008)
  • Fixed support for working within UNC/WSL paths on Windows (#9993)
  • Fixed 7-zip support to also be looked up on Linux/macOS as 7z or 7zz (#9951)
  • Fixed repositories' only/exclude properties to avoid matching names as sub-strings of full package names (#10001)
  • Fixed open_basedir regression from #9855
  • Fixed schema errors being reported incorrectly in some conditions (#9986)
  • Fixed archive command not working with async archive extraction
  • Fixed init command being able to generate an invalid composer.json (#9986)

2.1.3

  • Add "symlink" option for "bin-compat" config to force symlinking even on WSL/Windows (#9959)
  • Fixed source binaries not being made executable when symlinks cannot be used (#9961)
  • Fixed more deletion edge cases (#9955, #9956)
  • Fixed dump-autoload command not dispatching scripts anymore, regressed in 2.1.2 (#9954)

2.1.2

  • Added --dev to dump-autoload command to allow force-dumping dev autoload rules even if dev requirements are not present (#9946)
  • Fixed --no-scripts disabling events for plugins too instead of only disabling script handlers, using --no-plugins is the way to disable plugins (#9942)
  • Fixed handling of deletions during package installs on some filesystems (#9945, #9947)
  • Fixed undefined array access when using @php <absolute path> in a script handler (#9943)
  • Fixed usage of InstalledVersions when loaded from composer/composer installed as a dependency and runtime Composer is v1 (#9937)

2.1.1

  • Fixed regression in autoload generation when --no-scripts is used (#9935)
  • Fixed outdated color legend to have the right color in the right place (#9939)
  • Fixed PCRE bug causing a previously valid pattern to fail to match (#9941)
  • Fixed JsonFile::validateSchema regression when used as a library to validate custom schema files (#9938)

2.1.0

  • Bumped composer-runtime-api and composer-plugin-api to 2.1.0
  • UX Change: The default install method for packages is now always dist/zip, even for dev packages, added --prefer-install=auto if you want the old behavior (#9603)
  • UX Change: Packages from path repositories which are symlinked in the vendor dir will always be updated in partial updates to avoid mistakes when the original composer.json changes but the symlinked package is not explicitly updated (#9765)
  • Added reinstall command that takes one or more package names, including wildcard (*) support, and removes then reinstalls them in the exact same version they had (#9915)
  • Added support for parallel package installs on Windows via 7-Zip if it is installed (#9875)
  • Added detection of invalid composer.lock files that do not fulfil the composer.json requirements to validate command (#9899)
  • Added InstalledVersions::getInstalledPackagesByType(string $type) to retrieve installed plugins for example, read more (#9699)
  • Added InstalledVersions::getInstalledPath(string $packageName) to retrieve the install path of a given package, read more (#9699)
  • Added flag to InstalledVersions::isInstalled() to allow excluding dev requirements from that check (#9682)
  • Added support for PHP 8.1 enums in autoloader / classmap generation (#9670)
  • Added support for using @php binary-name foo in scripts to refer to a binary without using its full path, but forcing to use the same PHP version as Composer used (#9726)
  • Added --format=json support to the fund command (#9678)
  • Added --format=json support to the search command (#9747)
  • Added COMPOSER_DEV_MODE env var definition within the run-script command for compatibility (#9793)
  • Added async uninstall of packages (#9618)
  • Added color legend to outdated and show --latest commands (#9716)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.1.5] 2021-07-23

  • Fixed create-project creating a php: directory in the directory it was executed in (#10020, #10021)
  • Fixed curl downloader to respect default_socket_timeout if it is bigger than our default 300s (#10018)

[2.1.4] 2021-07-22

  • Fixed PHP 8.1 deprecation warnings (#10008)
  • Fixed support for working within UNC/WSL paths on Windows (#9993)
  • Fixed 7-zip support to also be looked up on Linux/macOS as 7z or 7zz (#9951)
  • Fixed repositories' only/exclude properties to avoid matching names as sub-strings of full package names (#10001)
  • Fixed open_basedir regression from #9855
  • Fixed schema errors being reported incorrectly in some conditions (#9986)
  • Fixed archive command not working with async archive extraction
  • Fixed init command being able to generate an invalid composer.json (#9986)

[2.1.3] 2021-06-09

  • Add "symlink" option for "bin-compat" config to force symlinking even on WSL/Windows (#9959)
  • Fixed source binaries not being made executable when symlinks cannot be used (#9961)
  • Fixed more deletion edge cases (#9955, #9956)
  • Fixed dump-autoload command not dispatching scripts anymore, regressed in 2.1.2 (#9954)

[2.1.2] 2021-06-07

  • Added --dev to dump-autoload command to allow force-dumping dev autoload rules even if dev requirements are not present (#9946)
  • Fixed --no-scripts disabling events for plugins too instead of only disabling script handlers, using --no-plugins is the way to disable plugins (#9942)
  • Fixed handling of deletions during package installs on some filesystems (#9945, #9947)
  • Fixed undefined array access when using @php <absolute path> in a script handler (#9943)
  • Fixed usage of InstalledVersions when loaded from composer/composer installed as a dependency and runtime Composer is v1 (#9937)

[2.1.1] 2021-06-04

  • Fixed regression in autoload generation when --no-scripts is used (#9935)
  • Fixed outdated color legend to have the right color in the right place (#9939)
  • Fixed PCRE bug causing a previously valid pattern to fail to match (#9941)
  • Fixed JsonFile::validateSchema regression when used as a library to validate custom schema files (#9938)

[2.1.0] 2021-06-03

  • Fixed PHP 8.1 deprecation warning (#9932)
  • Fixed env var handling when variables_order includes E and symfony/console 3.3.15+ is in use (#9930)

[2.1.0-RC1] 2021-06-02

  • Bumped composer-runtime-api and composer-plugin-api to 2.1.0
  • UX Change: The default install method for packages is now always dist/zip, even for dev packages, added --prefer-install=auto if you want the old behavior (#9603)
  • UX Change: Packages from path repositories which are symlinked in the vendor dir will always be updated in partial updates to avoid mistakes when the original composer.json changes but the symlinked package is not explicitly updated (#9765)
  • Added reinstall command that takes one or more package names, including wildcard (*) support, and removes then reinstalls them in the exact same version they had (#9915)
  • Added support for parallel package installs on Windows via 7-Zip if it is installed (#9875)

... (truncated)

Commits
  • ac67990 Release 2.1.5
  • bbe3769 Update changelog
  • deb4c48 Avoid using an invalid path for InstalledFilesystemRepo in create-project and...
  • 1f44010 Allow default_socket_timeout to extend the curl timeout if it is longer than ...
  • e07d2a7 Respect parent setting, handling exceptions (#10017)
  • a5ee226 Update changelog
  • 2f83338 Fix hopefully last php 8.1 deprecation warnings
  • 24f5e54 Fix only/exclude to avoid matching names as sub-strings of full package names...
  • 29a52ff Register ErrorHandler early to catch deprecation notices while the Applicatio...
  • 5413fae Merge pull request #10016 from tdutrion/patch-1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [composer/composer](https://github.com/composer/composer) from 2.0.9 to 2.1.5. **This update includes a security fix.**
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/master/CHANGELOG.md)
- [Commits](composer/composer@2.0.9...2.1.5)

Signed-off-by: dependabot-preview[bot] <[email protected]>
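The advisory quoted above gives the affected composer/composer ranges (>=2.0.0-alpha1, <2.0.13 and <1.10.22). As an added example, not part of this PR or of Composer's own code, the script below reads a composer.lock and reports whether the pinned composer/composer version (in `packages` or `packages-dev`) falls inside those ranges, ordering pre-release tags such as `2.0.0-alpha1` before the matching stable release; the lockfile content is constructed.

```python
"""Flag composer/composer versions in the ranges named by the PHP Security Advisories entry."""
import json
import re

# Affected ranges as quoted in this PR: (lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES = [("2.0.0-alpha1", "2.0.13"), (None, "1.10.22")]

# Pre-release tags in the order Composer sorts them; a stable release ranks above all of them.
_PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE_RANK = 9


def parse_version(version):
    """Turn '2.0.0-alpha1', 'v2.1.5' or '1.10.22-RC1' into a comparable tuple."""
    text = version.lstrip("vV")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?(dev|alpha|a|beta|b|rc)\.?(\d*))?", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so 2.0 and 2.0.0.0 compare equal
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (_STABLE_RANK, 0)
    return tuple(nums) + pre


def is_affected(version):
    """True when the version lies inside any of the advisory's affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(high):
            return True
    return False


def affected_packages(lock_json):
    """Return {name: version} for composer/composer entries pinned to an affected version."""
    lock = json.loads(lock_json)
    hits = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "composer/composer" and is_affected(pkg["version"]):
                hits[pkg["name"]] = pkg["version"]
    return hits


# Constructed sample lockfile: the pre-bump pin from this PR, as a dev requirement.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "psr/log", "version": "1.1.4"}],
                          "packages-dev": [{"name": "composer/composer", "version": "2.0.9"}]})

if __name__ == "__main__":
    print(affected_packages(SAMPLE_LOCK) or "no affected composer/composer pin")
```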
dependabot-preview[bot] added the dependencies, php and security labels on Jul 26, 2021

codecov-commenter commented Jul 26, 2021

Codecov Report

Merging #40 (0891f3c) into master (6124f60) will not change coverage.
The diff coverage is n/a.


@@            Coverage Diff            @@
##             master      #40   +/-   ##
=========================================
  Coverage     78.09%   78.09%           
  Complexity      133      133           
=========================================
  Files            21       21           
  Lines           452      452           
=========================================
  Hits            353      353           
  Misses           99       99           

Continue to review the full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update 6124f60...0891f3c.

Labels: dependencies, php, security

1 participant