Bump the composer group across 1 directory with 3 updates #1

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/composer/composer-dd4ab70c84

dependabot[bot] commented on behalf of github on May 13, 2026

Bumps the composer group with 2 updates in the / directory: composer/composer and symfony/http-foundation.

Updates composer/composer from 2.8.11 to 2.9.6

Release notes

Sourced from composer/composer's releases.

2.9.6

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

2.9.5

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

Full Changelog: composer/composer@2.9.4...2.9.5

2.9.4

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

Full Changelog: composer/composer@2.9.3...2.9.4

2.9.3

  • Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
  • Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
  • Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
  • Fixed client-certificate authentication implementation (#12667)
  • Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  • Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
  • Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  • Fixed display of reasons for why advisories are ignored (#12668)
  • Fixed compatibility issues when git has log.showSignature enabled (#12666)
  • Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
  • Fixed EventDispatcher requiring a full Composer instance to function (#12629)

Full Changelog: composer/composer@2.9.2...2.9.3

2.9.2

  • Added new --no-security-blocking flag to disable/configure security blocking (#12617)
  • Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
  • Fixed config command not being able to set the new audit settings (#12609)

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.9.6] 2026-04-14

  • Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
  • Fixed GitHub API authentication errors not being visible to the user (#12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

[2.9.5] 2026-01-29

  • Added support for new pie download-url-methods (#12727)
  • Fixed detection of 7z when installed as 7za on some linux systems (#12731)
  • Fixed warning because of the symfony/process CVE, 2.9.4 had a workaround already

[2.9.4] 2026-01-22

  • Added active plugins to the diagnose command output (#12706)
  • Fixed HTTP/3 causing issues with proxies (#12699)
  • Fixed show command regression with long descriptions containing unicode characters (#12704)
  • Fixed regression handling invalid unicode sequences in output (#12707)
  • Fixed git rev-list usages to support older pre-2.33 git versions (#12705)
  • Fixed issue handling paths with = in them on Windows (#12726)

[2.9.3] 2025-12-30

  • Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
  • Fixed COMPOSER_NO_SECURITY_BLOCKING env var not being respected for updates done via the install command, and added --no-security-blocking flag to install as well (#12677)
  • Fixed update --lock / update mirrors not working when locked packages contain vulnerabilities (#12645)
  • Fixed client-certificate authentication implementation (#12667)
  • Fixed php-ext schema not being validated in ValidatingArrayLoader (#12694)
  • Fixed crash when --bump-after-update is used and the lock file is disabled (#12660)
  • Fixed support for SecureTransport + LibreSSL on macOS (#12615)
  • Fixed display of reasons for why advisories are ignored (#12668)
  • Fixed compatibility issues when git has log.showSignature enabled (#12666)
  • Fixed curl downloader not retrying when a timeout (err 28) failure occurs (#12662)
  • Fixed EventDispatcher requiring a full Composer instance to function (#12629)

[2.9.2] 2025-11-19

  • Added new --no-security-blocking flag to disable/configure security blocking (#12617)
  • Added a way to set audit > ignore to act only on audits or only on security blocking (#12618, #12612)
  • Fixed config command not being able to set the new audit settings (#12609)
  • Fixed handling audit.ignore to support CVE ids while doing security blocking, but advisory IDs are still preferred for performance reasons (#12624)
  • Fixed partial updates failing when another package in the lock file has a known security advisory (#12626)

... (truncated)

Commits
  • 9afc32c Release 2.9.6
  • e00073c Fix some perforce type issues
  • 4fcc13d Convert perforce util to use array process args to avoid injections
  • fd82721 Update changelog
  • 15f2541 Fix --no-plugins handling regression in #12758, fixes #12789
  • 4f02616 Merge commit from fork
  • 91f0770 Merge commit from fork
  • d836b90 Fix fossil driver identifier validation for getFileContent
  • 028a251 Fix tests
  • 5e08c76 Fix fossil update call when calling it with valid branch names like --dry-run...
  • Additional commits viewable in compare view

Updates symfony/http-foundation from 7.3.3 to 7.4.8

Release notes

Sourced from symfony/http-foundation's releases.

v7.4.8

Changelog (symfony/http-foundation@v7.4.7...v7.4.8)

  • no significant changes

v7.4.7

Changelog (symfony/http-foundation@v7.4.6...v7.4.7)

v7.4.6

Changelog (symfony/http-foundation@v7.4.5...v7.4.6)

v7.4.5

Changelog (symfony/http-foundation@v7.4.4...v7.4.5)

v7.4.4

Changelog (symfony/http-foundation@v7.4.3...v7.4.4)

v7.4.3

Changelog (symfony/http-foundation@v7.4.2...v7.4.3)

v7.4.1

Changelog (symfony/http-foundation@v7.4.0...v7.4.1)

v7.4.0

Changelog (symfony/http-foundation@v7.4.0-RC3...v7.4.0)

  • no significant changes

v7.4.0-RC1

Changelog (symfony/http-foundation@v7.4.0-BETA2...v7.4.0-RC1)

... (truncated)

Changelog

Sourced from symfony/http-foundation's changelog.

CHANGELOG

8.1

  • Add BinaryFileResponse::shouldDeleteFileAfterSend()
  • Deprecate setting public properties of Request and Response objects directly; use setters or constructor arguments instead
  • Add SessionHasFlashMessage test constraint

8.0

  • Drop HTTP method override support for methods GET, HEAD, CONNECT and TRACE
  • Add argument $subtypeFallback to Request::getFormat()
  • Remove the following deprecated session options from NativeSessionStorage: referer_check, use_only_cookies, use_trans_sid, sid_length, sid_bits_per_character, trans_sid_hosts, trans_sid_tags
  • Trigger PHP warning when using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
  • Add arguments $v4Bytes and $v6Bytes to IpUtils::anonymize()
  • Add argument $partitioned to ResponseHeaderBag::clearCookie()
  • Add argument $expiration to UriSigner::sign()
  • Remove Request::get(), use properties ->attributes, query or request directly instead
  • Remove accepting null $format argument to Request::setFormat()

7.4

  • Add #[WithHttpStatus] to define status codes: 404 for SignedUriException and 403 for ExpiredSignedUriException
  • Add support for the QUERY HTTP method
  • Add support for structured MIME suffix
  • Add Request::set/getAllowedHttpMethodOverride() to list which HTTP methods can be overridden
  • Deprecate using Request::sendHeaders() after headers have already been sent; use a StreamedResponse instead
  • Deprecate method Request::get(), use properties ->attributes, query or request directly instead
  • Make Request::createFromGlobals() parse the body of PUT, DELETE, PATCH and QUERY requests
  • Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE; it will be ignored in Symfony 8.0
  • Deprecate accepting null $format argument to Request::setFormat()

7.3

  • Add support for iterable of string in StreamedResponse
  • Add EventStreamResponse and ServerEvent classes to streamline server event streaming
  • Add support for valkey: / valkeys: schemes for sessions
  • Request::getPreferredLanguage() now favors a more preferred language above exactly matching a locale
  • Allow UriSigner to use a ClockInterface
  • Add UriSigner::verify()

7.2

  • Add optional $requests parameter to RequestStack::__construct()

... (truncated)

Commits
  • 9381209 Configure deprecation triggers
  • f94b3e7 Merge branch '6.4' into 7.4
  • cffffd0 [HttpFoundation] Fix session cookie_lifetime not applied in mock session storage
  • fd97d5e Merge branch '6.4' into 7.4
  • 5bb346d [HttpFoundation] Handle empty session data in updateTimestamp() to fix compat...
  • 17de1a3 Merge branch '6.4' into 7.4
  • 31b030e stop using with*() without expects()
  • 36ba5c7 Merge branch '6.4' into 7.4
  • 31e2a27 BinaryFileResponse: always return 206 if Range is valid
  • 669ac23 Merge branch '6.4' into 7.4
  • Additional commits viewable in compare view

Updates symfony/process from 7.3.3 to 7.4.8

Release notes

Sourced from symfony/process's releases.

v7.4.8

Changelog (symfony/process@v7.4.7...v7.4.8)

  • bug #63611 Throw InvalidArgumentException when env block exceeds Windows limit (Nadim AL ABDOU)

v7.4.5

Changelog (symfony/process@v7.4.4...v7.4.5)

v7.4.4

Changelog (symfony/process@v7.4.3...v7.4.4)

v7.4.3

Changelog (symfony/process@v7.4.2...v7.4.3)

v7.4.0

Changelog (symfony/process@v7.4.0-RC3...v7.4.0)

  • no significant changes

v7.4.0-RC1

Changelog (symfony/process@v7.4.0-BETA2...v7.4.0-RC1)

  • no significant changes

v7.4.0-BETA1

Changelog (symfony/process@v7.3.4...v7.4.0-BETA1)

  • no significant changes

v7.3.11

Changelog (symfony/process@v7.3.10...v7.3.11)

v7.3.10

Changelog (symfony/process@v7.3.9...v7.3.10)

v7.3.9

Changelog (symfony/process@v7.3.8...v7.3.9)

... (truncated)

Commits
  • 60f19cd Configure deprecation triggers
  • 95b070e [Process] Throw InvalidArgumentException when env block exceeds Windows limit
  • 608476f Merge branch '7.3' into 7.4
  • 81fe4ea Merge branch '6.4' into 7.3
  • c46e854 [Process] Fix escaping for MSYS on Windows
  • 626f07a Merge branch '7.3' into 7.4
  • 4424bc1 Merge branch '6.4' into 7.3
  • c593135 [Process] Adjust Process mustRun method phpdoc
  • f532042 Merge branch '7.3' into 7.4
  • 6d13a93 Merge branch '6.4' into 7.3
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the composer group with 2 updates in the / directory: [composer/composer](https://github.com/composer/composer) and [symfony/http-foundation](https://github.com/symfony/http-foundation).


Updates `composer/composer` from 2.8.11 to 2.9.6
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.8.11...2.9.6)

Updates `symfony/http-foundation` from 7.3.3 to 7.4.8
- [Release notes](https://github.com/symfony/http-foundation/releases)
- [Changelog](https://github.com/symfony/http-foundation/blob/8.1/CHANGELOG.md)
- [Commits](symfony/http-foundation@v7.3.3...v7.4.8)

Updates `symfony/process` from 7.3.3 to 7.4.8
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v7.3.3...v7.4.8)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.9.6
  dependency-type: direct:production
  dependency-group: composer
- dependency-name: symfony/http-foundation
  dependency-version: 7.4.8
  dependency-type: indirect
  dependency-group: composer
- dependency-name: symfony/process
  dependency-version: 7.4.8
  dependency-type: indirect
  dependency-group: composer
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update php code) labels on May 13, 2026