File php-composer2.spec of Package php-composer

#
# spec file for package php-composer2
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

Name:           php-composer2
Version:        2.2.3
Release:        150400.3.3.1
Summary:        Dependency Management for PHP
License:        MIT
Group:          Development/Libraries/Other
URL:            https://getcomposer.org/
Source0:        https://getcomposer.org/download/%{version}/composer.phar
# CVE-2022-24828 [bsc#1198494], Code injection vulnerability
Patch0:         php-composer2-CVE-2022-24828.patch
Requires:       php-curl
Requires:       php-json
Requires:       php-mbstring
Requires:       php-openssl
Requires:       php-phar
Requires:       php-zip
Requires:       php-zlib
Requires(post): update-alternatives
Requires(postun):update-alternatives
Provides:       composer = %{version}
Provides:       php-composer = %{version}
Provides:       php5-composer = %{version}
Provides:       php7-composer = %{version}
Obsoletes:      php-composer < %{version}
BuildArch:      noarch
%if 0%{?sles_version} >= 10
BuildRequires:  php53 >= 5.3.2
Requires:       php53 >= 5.3.2
%else
BuildRequires:  php >= 5.3.2
Requires:       php >= 5.3.2
%endif
BuildRequires:  php8-phar

%description
Composer is a dependency manager tracking local dependencies of your projects
and libraries.

%prep
%setup -q -c -T
mkdir SRC && cd SRC
cp %{SOURCE0} .
phar extract -f composer.phar
# 1. patch files
patch -p1 < %{PATCH0}
echo 'phar.readonly=Off' > ../php.ini
# 2. add patched files into the phar
PHPRC=../php.ini phar add -f composer.phar \
  src/Composer/Repository/Vcs/GitDriver.php \
  src/Composer/Repository/Vcs/HgDriver.php
cd ..

%build

%install
# Install compiled phar file
install -d -m 0750 %{buildroot}%{_bindir}
install -m 0755 SRC/composer.phar %{buildroot}%{_bindir}/composer2
# Create a dummy target for /etc/alternatives/composer
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
ln -s -f %{_sysconfdir}/alternatives/composer %{buildroot}%{_bindir}/composer

%post
update-alternatives --install \
   %{_bindir}/composer composer %{_bindir}/composer2 2

%postun
if [ ! -f %{_bindir}/composer2 ] ; then
   update-alternatives --remove composer %{_bindir}/composer2
fi

%files
%license SRC/LICENSE
%defattr(-,root,root,0755)
%{_bindir}/composer
%{_bindir}/composer2
%ghost %_sysconfdir/alternatives/composer

%changelog
* Wed Aug 24 2022 pgajdos@suse.com
- security update
- added patches
  fix CVE-2022-24828 [bsc#1198494], Code injection vulnerability
  + php-composer2-CVE-2022-24828.patch
* Thu Jan  6 2022 pgajdos@suse.com
- version update to 2.2.3
  2.2.3 2021-12-31
  * Fixed issue with PHPUnit and process isolation now including PHPUnit
    <6.5 (#10387)
  * Fixed interoperability issue with laminas/laminas-zendframework-bridge
    and Composer 2.2 (#10401)
  * Fixed binary proxies for shell scripts to work correctly when they are
    symlinked (jakzal/phpqa#336)
  * Fixed overly greedy pool optimization in cases where a locked package
    is not required by anything anymore in a partial update (#10405)
  2.2.2 2021-12-29
  * Added COMPOSER_BIN_DIR env var and _composer_bin_dir global containing
    the path to the bin-dir for binaries. Packages relying on finding the
    bin dir with $BASH_SOURCES[0] will need to update their binaries (#10402)
  * Fixed issue when new binary proxies are combined with PHPUnit and process
    isolation (#10387)
  * Fixed deprecation warnings when using Symfony 5.4+ and requiring
    composer/composer itself (#10404)
  * Fixed UX of plugin warnings (#10381)
  2.2.1 2021-12-22
  * Fixed plugin autoloading including files autoload rules from the root
    package (#10382)
  * Fixed issue parsing php files with unterminated comments found inside
    backticks (#10385)
  2.2.0 2021-12-22
  * Added support for using dev-main as the default path repo package
    version if no VCS info is available (#10372)
  * Added --no-scripts as a globally supported flag to all Composer commands
    to disable scripts execution (#10371)
  * Fixed self-update failing in some edge cases due to loading plugins
    (#10371)
  * Fixed display of conflicts showing the wrong package name in some
    conditions (#10355)
  2.2.0-RC1 2021-12-08
  * Bumped composer-runtime-api and composer-plugin-api to 2.2.0
  * UX Change: Added allow-plugins config value to enhance security against
    runtime execution, this will prompt you the first time you use a plugin
    and may hang pipelines if they aren't using --no-interaction (-n) as they
    should (#10314)
  * Added an optimization pass to reduce the amount of redundant inspected
    during resolution, drastically improving memory and CPU usage (#9261,
    [#9620])
  * Added a global $_composer_autoload_path variable containing the path
    to autoload.php for binaries (#10137)
  * Added wildcard support to --ignore-platform-req (e.g. ext-*) (#10083)
  * Added support for ignoring the upper bound of platform requirements
    using "name+" notation e.g. using --ignore-platform-req=php+ would
    allow installing a package requiring php: 8.0.* on PHP 8.1, but not on
    PHP 7.4. Useful for CI builds of upcoming PHP versions (#10318)
  * Added support for setting platform packages to false in
    config.platform to disable/hide them (#10308)
  * Added use-parent-dir option to configure the prompt for using
    composer.json in upper directory when none is present in current dir
    (#10307)
  * Added composer platform package which is always the exact version of
    Composer running unlike composer-*-api packages (#10313)
  * Added a --source flag to config command to show where config values
    are loaded from (#10129)
  * Added support for files autoloaders in the runtime scripts/plugins
    contexts (#10065)
  * Added retry behavior on certain http status and curl error codes (#10162)
  * Added abandoned flag display in search command output
  * Added support for --ignore-platform-reqs in outdated command (#10293)
  * Added --only-vendor (-O) flag to search command to search (and return)
    vendor names (#10336)
  * Added COMPOSER_NO_DEV environment variable to set the --no-dev flag (#10262)
  * Fixed archive command to behave more like git archive, gitignore/hgignore
    are not taken into account anymore, and gitattributes support was improved
    (#10309)
  * Fixed unlocking of replacers when a replaced package is unlocked (#10280)
  * Fixed auto-unlocked path repo packages also unlocking their transitive
    deps when -w/-W is used (#10157)
  * Fixed handling of recursive package links (e.g. requiring or replacing
    oneself)
  * Fixed env var reads to check $_SERVER and $_ENV before getenv for broader
    ecosystem compatibility (#10218)
  * Fixed archive command to produce archives with files sorted by name (#10274)
  * Fixed VcsRepository issues where server failure could cause missing
    tags/branches (#10319)
  * Fixed some error reporting issues (#10283, #10339)
* Sat Dec 11 2021 i@guoyunhe.me
- Use update-alternatives
- Update to 2.1.14
  * Fixed invalid release build (2.1.13 was deleted as invalid)
  * Removed symfony/console ^6 support as we cannot be compatible
    until Composer 2.3.0 is released. If you have issues with
    Composer required as a dependency + Symfony make sure you stay
    on Symfony 5.4 for now. (#10321)
* Wed Nov 10 2021 i@guoyunhe.me
- Obsoletes php-composer (version 1.x)
- Update to 2.1.12
  * Fixed issues in proxied binary files relying on __FILE__ / __DIR__
    on php <8 (#10261)
  * Fixed 9999999-dev being shown in some cases by the show command (#10260)
  * Fixed GitHub Actions output escaping regression on PHP 8.1 (#10250)
- Update to 2.1.11
  * Fixed issues in proxied binary files when using declare() on php <8 (#10249)
  * Fixed GitHub Actions output escaping issues (#10243)
- Update to 2.1.10
  * Added type annotations to all classes, which may have an effect on
    CI/static analysis for people using Composer as a dependency (#10159)
  * Fixed CurlDownloader requesting gzip encoding even when no gzip
    support is present (#10153)
  * Fixed regression in 2.1.6 where the help command was not working for
    plugin commands (#10147)
  * Fixed warning showing when an invalid cache dir is configured but
    unused (#10125)
  * Fixed require command reverting changes even though dependency
    resolution succeeded when something fails in scripts for example (#10118)
  * Fixed require not finding the right package version when some newly
    required extension is missing from the system (#10167)
  * Fixed proxied binary file issues, now using output buffering (e1dbd65)
  * Fixed and improved error reporting in several edge cases (#9804,
    [#10136], #10163, #10224, #10209)
  * Fixed some more Windows CLI parameter escaping edge cases
- Update to 2.1.9
  * Security: Fixed command injection vulnerability on Windows
    (GHSA-frqg-7g38-6gcf / CVE-2021-41116)
  * Fixed classmap parsing with a new class parser which does not rely
    on regexes anymore (#10107)
  * Fixed inline git credentials showing up in output in some conditions
    (#10115)
  * Fixed support for running updates while offline as long as the
    cache contains enough information (#10116)
  * Fixed show --all foo/bar which as of 2.0.0 was not showing all
    versions anymore but only the installed one (#10095)
  * Fixed VCS repos ignoring some versions silently when the API rate
    limit is reached (#10132)
  * Fixed CA bundle to remove the expired Let's Encrypt root CA
* Fri Sep 17 2021 pgajdos@suse.com
- requires php-mbstring [bnc#1187416]
* Wed Sep 15 2021 jweberhofer@weberhofer.at
- Update to 2.1.8
  Fixed regression in 2.1.7 when parsing classmaps in files containing
  invalid Unicode (gh#composer/composer#10102)
- Update to 2.1.7
  * Added many type annotations internally, which may have an effect on
    CI/static analysis for people using Composer as a dependency. This work will
    continue in following releases
  * Fixed regression in 2.1.6 when parsing classmaps with empty heredocs
    (gh#composer/composer#10067)
  * Fixed regression in 2.1.6 where list command was not showing plugin
    commands (gh#composer/composer#10075)
  * Fixed issue handling package updates where the package type changed
    (gh#composer/composer#10076)
  * Fixed docker being detected as WSL when run inside WSL
    (gh#composer/composer#10094)
- Update to 2.1.6
  * Updated internal PHAR signatures to be SHA512 instead of SHA1
  * Fixed uncaught exception handler regression (gh#composer/composer#10022)
  * Fixed more PHP 8.1 deprecation warnings
    (gh#composer/composer#10036, gh#composer/composer#10038,
    gh#composer/composer#10061)
  * Fixed corrupted zips in the cache from blocking installs until a cache
    clear, the bad archives are now deleted automatically on first failure
    (gh#composer/composer#10028)
  * Fixed URL sanitizer handling of new github tokens (gh#composer/composer#10048)
  * Fixed issue finding classes with very long heredocs in classmap
    autoload (gh#composer/composer#10050)
  * Fixed proc_open being required for simple installs from zip, as well as
    diagnose (gh#composer/composer#9253)
  * Fixed path repository bug causing symlinks to be left behind after a
    package is uninstalled (gh#composer/composer#10023)
  * Fixed issue in 7-zip support on windows with certain archives
    (gh#composer/composer#10058)
  * Fixed bootstrapping process to avoid loading the composer.json and
    plugins until necessary, speeding things up slightly (gh#composer/composer#10064)
  * Fixed lib-openssl detection on FreeBSD (gh#composer/composer#10046)
  * Fixed support for ircs:// protocol for support.irc composer.json entries
* Tue Jul 27 2021 kkaempf@suse.com
- Require php-curl as Composer strongly recommends this.
* Tue Jul 27 2021 kkaempf@suse.com
- Update to 2.1.5
  Mostly bugfixes. See https://github.com/composer/composer/releases
  for details.
* Sun Oct 25 2020 i@guoyunhe.me
- Version 2.0.2
  * Fixed regression handling composer show -s in projects where no
    version can be guessed from VCS
  * Fixed regression handling partial updates/require when a lock
    file was missing
  * Fixed interop issue with plugins that need to update dist URLs
    of packages
- Version 2.0.1
  * Fixed crash on PHP8
- Version 2.0.0
  * Breaking: This is a major release and while we tried to keep things
    compatible for most users, you might want to have a look at the
    UPGRADE guides
  * Many CPU and memory performance improvements
  * The update command is now much more deterministic as it does not
    take the already installed packages into account
  * Package installation now performs all network operations first
    before doing any changes on disk, to reduce the chances of ending
    up with a partially updated vendor dir
  * Partial updates and require/remove are now much faster as they
    only load the metadata required for the updated packages
  * Added a platform-check step when vendor/autoload.php gets initialized
    which checks the current PHP version/extensions match what is
    expected and fails hard otherwise. Can be disabled with the
    platform-check config option
  * Added a Composer\InstalledVersions class which is autoloaded in
    every project and lets you check which packages/versions are
    present at runtime
  * Added a composer-runtime-api virtual package which you can require
    (as e.g. ^2.0) to ensure things like the InstalledVersions class
    above are present. It will effectively force people to use Composer
    2.x to install your project
  * Added support for parallel downloads of package metadata and zip
    files, this requires that the curl extension is present and we thus
    strongly recommend enabling curl
  * Added parallel installation of packages (requires OSX/Linux/WSL,
    and that unzip is present in PATH)
  * Added much clearer dependency resolution error reporting for common
    error cases
  * Added support for updating to a specific version with partial
    updates, as well as a --with flag to pass in temporary constraint
    overrides
  * Added automatic removal of packages which are not required anymore
    whenever an update is done, this will purge packages previously
    left over by partial updates and require/remove
  * Added support for TTY mode on Linux/OSX/WSL so that script handlers
    now run in interactive mode
  * Added only, exclude and canonical options to all repositories, see
    repository priorities for details
  * Added support for many new lib-* packages in the platform repository
    and improved version detection for some ext-* and lib-* packages
  * Added pre-operations-exec event to be fired before the packages get
    installed/upgraded/removed
  * Added pre-pool-create event to be fired before the package pool for
    the dependency solver is created, which lets you modify the list
    of packages going in
  * Added post-file-download event to be fired after package dist files
    are downloaded, which lets you do additional checks on the files
  * Added --locked flag to show command to see the packages from the
    composer.lock file
  * Added --unused flag to remove command to make sure any packages
    which are not needed anymore get removed
  * Added --dry-run flag to require and remove commands
  * Added --no-install flag to update, require and remove commands to
    disable the install step and only do the update step (composer.lock
    file update)
  * Added an --ask flag to create-project command to make Composer prompt
    for the install dir name, useful for project install instructions
  * Added support for multiple --repository flags being passed into
    the create-project command, only useful in combination with
  - -add-repository to persist them to composer.json
  * Added --with-dependencies and --with-all-dependencies flag aliases
    to require and remove commands for consistency with update
  * Added shorthand aliases -w for --with-dependencies and -W for
  - -with-all-dependencies on update/require/remove commands
  * Added more info to vendor/composer/installed.json, a dev key stores
    whether dev requirements were installed, and every package now has
    an install-path key with its install location
  * Added COMPOSER_DISABLE_NETWORK which if set makes Composer do its
    best to run offline. This can be useful when you have poor
    connectivity or to do benchmarking without network jitter
  * Added COMPOSER_DEBUG_EVENTS=1 env var support for plugin authors
    to figure out which events are triggered when
  * Added setCustomCacheKey to PreFileDownloadEvent and fixed a cache
    bug for integrations changing the processed url of package archives
  * Added Composer\Util\SyncHelper for plugin authors to deal with
    async Promises more easily
  * Added $composer->getLoop()->getHttpDownloader() to get access to
    the main HttpDownloader instance in plugins
  * Added --json and --merge flags to config command to allow editing
    complex extra.* values by using json as input
  * Added confirmation prompt when running Composer as superuser in
    interactive mode
  * Added --no-check-version to validate command to remove the warning
    in case the version is defined
  * Added --ignore-platform-req (without s) to all commands supporting
  - -ignore-platform-reqs, which accepts a package name so you can
    ignore only specific platform requirements
  * Added --no-dev support to show and outdated commands to skip dev
    requirements
  * Added --format=summary flag to license command
  * Added a cache-read-only config option to make the cache usable in
    read only mode for containers and such
  * Added support for wildcards (*) in classmap autoloader paths
  * Added support for configuring GitLab deploy tokens in addition to
    private tokens, see gitlab-token
  * Added support for package version guessing for require and init
    command to take all platform packages into account, not just php
    version
  * Added support for tar in artifact repositories
  * Added a non-zero exit code (2) and warning to remove command when
    a package to be removed could not be removed
  * Added --apcu-autoloader-prefix (or --apcu-prefix for dump-autoload
    command) flag to let people use apcu autoloading in a deterministic
    output way if that is needed
  * Fixed package ordering when autoloading and especially when loading
    plugins, to make sure dependencies are loaded before their dependents
  * Fixed suggest output being very spammy, it now is only one line
    long and shows more rarely
  * Fixed conflict rules like e.g. >=5 from matching dev-master, as
    it is not normalized to 9999999-dev internally anymore
  * Fixed solver bug resulting in endless loops in some cases
  * Lots of minor bug fixes and improvements