Version in base suite: 2.5.5-1 Base version: composer_2.5.5-1 Target version: composer_2.5.5-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/composer/composer_2.5.5-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/composer/composer_2.5.5-1+deb12u1.dsc autoload.php.tpl | 44 changelog | 9 clean | 2 control | 2 gbp.conf | 2 patches/0001-Use-homade-autoload-for-CLI.patch | 4 patches/0011-Only-include-installed-versions-class-when-plugins-a.patch | 25 patches/0012-Fix-type-error.patch | 22 patches/0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch | 57 + patches/0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch | 487 ++++++++++ patches/series | 4 rules | 27 12 files changed, 674 insertions(+), 11 deletions(-) diff -Nru composer-2.5.5/debian/autoload.php.tpl composer-2.5.5/debian/autoload.php.tpl --- composer-2.5.5/debian/autoload.php.tpl 1970-01-01 00:00:00.000000000 +0000 +++ composer-2.5.5/debian/autoload.php.tpl 2024-02-13 15:09:38.000000000 +0000 @@ -0,0 +1,44 @@ + Tue, 13 Feb 2024 16:09:38 +0100 + composer (2.5.5-1) unstable; urgency=medium [ Jordi Boggiano ] diff -Nru composer-2.5.5/debian/clean composer-2.5.5/debian/clean --- composer-2.5.5/debian/clean 2022-08-10 03:27:22.000000000 +0000 +++ composer-2.5.5/debian/clean 2024-02-13 15:09:38.000000000 +0000 @@ -1,5 +1,5 @@ .phpunit.result.cache -debian/autoload.php.tpl +build/ debian/autoload.tests.php.tpl src/Composer/autoload.php vendor/ diff -Nru composer-2.5.5/debian/control composer-2.5.5/debian/control --- composer-2.5.5/debian/control 2023-03-24 09:32:23.000000000 +0000 +++ composer-2.5.5/debian/control 2024-02-13 15:09:38.000000000 +0000 
@@ -35,7 +35,7 @@ Standards-Version: 4.6.2 Homepage: https://getcomposer.org/ Vcs-Browser: https://salsa.debian.org/php-team/pear/composer -Vcs-Git: https://salsa.debian.org/php-team/pear/composer.git +Vcs-Git: https://salsa.debian.org/php-team/pear/composer.git -b debian/bookworm Rules-Requires-Root: no Package: composer diff -Nru composer-2.5.5/debian/gbp.conf composer-2.5.5/debian/gbp.conf --- composer-2.5.5/debian/gbp.conf 2022-08-10 03:27:22.000000000 +0000 +++ composer-2.5.5/debian/gbp.conf 2024-02-13 15:09:38.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/latest +debian-branch = debian/bookworm filter = [ '.gitattributes' ] pristine-tar = True upstream-vcs-tag = %(version%~%-)s diff -Nru composer-2.5.5/debian/patches/0001-Use-homade-autoload-for-CLI.patch composer-2.5.5/debian/patches/0001-Use-homade-autoload-for-CLI.patch --- composer-2.5.5/debian/patches/0001-Use-homade-autoload-for-CLI.patch 2023-03-24 09:31:58.000000000 +0000 +++ composer-2.5.5/debian/patches/0001-Use-homade-autoload-for-CLI.patch 2024-02-13 15:09:38.000000000 +0000 @@ -8,7 +8,7 @@ 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/composer b/bin/composer -index 642714f..866df69 100755 +index 642714f..238e669 100755 --- a/bin/composer +++ b/bin/composer @@ -1,4 +1,4 @@ 
@@ -22,7 +22,7 @@ setlocale(LC_ALL, 'C'); -require __DIR__.'/../src/bootstrap.php'; -+require 'Composer/autoload.php'; ++require __DIR__ . '/../share/php/Composer/autoload.php'; use Composer\Console\Application; use Composer\XdebugHandler\XdebugHandler; diff -Nru composer-2.5.5/debian/patches/0011-Only-include-installed-versions-class-when-plugins-a.patch composer-2.5.5/debian/patches/0011-Only-include-installed-versions-class-when-plugins-a.patch --- composer-2.5.5/debian/patches/0011-Only-include-installed-versions-class-when-plugins-a.patch 1970-01-01 00:00:00.000000000 +0000 +++ composer-2.5.5/debian/patches/0011-Only-include-installed-versions-class-when-plugins-a.patch 2024-02-13 15:09:38.000000000 +0000 
@@ -0,0 +1,25 @@
+From: Jordi Boggiano
+Date: Fri, 26 Jan 2024 17:11:16 +0100
+Subject: Only include installed versions class when plugins and scripts are
+ allowed, as it is not needed otherwise
+
+Origin: upstream, https://github.com/composer/composer/commit/952256247c6441d5a444d15c1607228a6d97316f
+---
+ src/Composer/Factory.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php
+index f82a9c3..b198f0f 100644
+--- a/src/Composer/Factory.php
++++ b/src/Composer/Factory.php
+@@ -350,8 +350,8 @@ class Factory
+ // load auth configs into the IO instance
+ $io->loadConfiguration($config);
+
+- // load existing Composer\InstalledVersions instance if available
+- if (!class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) {
++ // load existing Composer\InstalledVersions instance if available and scripts/plugins are allowed, as they might need it
++ if (!$disablePlugins && !$disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) {
+ include $installedVersionsPath;
+ }
+ }
diff -Nru composer-2.5.5/debian/patches/0012-Fix-type-error.patch composer-2.5.5/debian/patches/0012-Fix-type-error.patch
--- composer-2.5.5/debian/patches/0012-Fix-type-error.patch 1970-01-01 00:00:00.000000000 +0000
+++ composer-2.5.5/debian/patches/0012-Fix-type-error.patch 2024-02-13 15:09:38.000000000 +0000
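Review bot: The condition added in the inner Factory.php hunk loads the vendor-dir class only when both `$disablePlugins` and `$disableScripts` are falsy, while the new comment reads as if either one being allowed were enough; I would word it `// load existing Composer\InstalledVersions instance only when both plugins and scripts are enabled, as they might need it`. Taken alone, this patch still runs `include $installedVersionsPath;` on a file from the vendor directory whenever both are enabled, so it narrows the exposure rather than closing it. Patch 0014, added to debian/patches/series in the same upload, replaces that include, so the two should not be cherry-picked apart. The enclosing Factory method starts and ends outside the hunk.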
@@ -0,0 +1,22 @@
+From: Jordi Boggiano
+Date: Fri, 26 Jan 2024 17:27:42 +0100
+Subject: Fix type error
+
+Origin: upstream, https://github.com/composer/composer/commit/b1bd22f37c63e319f89a660dde631b8067c47448
+---
+ src/Composer/Factory.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php
+index b198f0f..cb7ebc1 100644
+--- a/src/Composer/Factory.php
++++ b/src/Composer/Factory.php
+@@ -351,7 +351,7 @@ class Factory
+ $io->loadConfiguration($config);
+
+ // load existing Composer\InstalledVersions instance if available and scripts/plugins are allowed, as they might need it
+- if (!$disablePlugins && !$disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) {
++ if (false === $disablePlugins && false === $disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) {
+ include $installedVersionsPath;
+ }
+ }
diff -Nru composer-2.5.5/debian/patches/0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch composer-2.5.5/debian/patches/0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch
--- composer-2.5.5/debian/patches/0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch 1970-01-01 00:00:00.000000000 +0000
+++ composer-2.5.5/debian/patches/0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch 2024-02-13 15:09:38.000000000 +0000
@@ -0,0 +1,57 @@
+From: Jordi Boggiano
+Date: Fri, 26 Jan 2024 17:39:30 +0100
+Subject: Fix automatic disabling of plugins when running non-interactive as
+ root
+
+Merge pull request from GHSA-7c6p-848j-wh5h
+
+Origin: upstream, https://github.com/composer/composer/commit/7048ff3808dd6576628099b53b5b664ec16cba63
+Bug: https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
+Bug-Debian: https://bugs.debian.org/1063603
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-24821
+---
+ src/Composer/Command/BaseCommand.php | 9 +++++++++
+ src/Composer/Console/Application.php | 10 ++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/src/Composer/Command/BaseCommand.php b/src/Composer/Command/BaseCommand.php
+index a33f3a5..20d046e 100644
+--- a/src/Composer/Command/BaseCommand.php
++++ b/src/Composer/Command/BaseCommand.php
+@@ -223,6 +223,15 @@ abstract class BaseCommand extends Command
+ // initialize a plugin-enabled Composer instance, either local or global
+ $disablePlugins = $input->hasParameterOption('--no-plugins');
+ $disableScripts = $input->hasParameterOption('--no-scripts');
++
++ $application = parent::getApplication();
++ if ($application instanceof Application && $application->getDisablePluginsByDefault()) {
++ $disablePlugins = true;
++ }
++ if ($application instanceof Application && $application->getDisableScriptsByDefault()) {
++ $disableScripts = true;
++ }
++
+ if ($this instanceof SelfUpdateCommand) {
+ $disablePlugins = true;
+ $disableScripts = true;
+diff --git a/src/Composer/Console/Application.php b/src/Composer/Console/Application.php
+index 9e585e6..a36722c 100644
+--- a/src/Composer/Console/Application.php
++++ b/src/Composer/Console/Application.php
+@@ -651,6 +651,16 @@ class Application extends BaseApplication
+ return $this->initialWorkingDirectory;
+ }
+
++ public function getDisablePluginsByDefault(): bool
++ {
++ return $this->disablePluginsByDefault;
++ }
++
++ public function getDisableScriptsByDefault(): bool
++ {
++ return $this->disableScriptsByDefault;
++ }
++
+ /**
+ * @return 'prompt'|bool
+ */
diff -Nru composer-2.5.5/debian/patches/0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch composer-2.5.5/debian/patches/0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch
--- composer-2.5.5/debian/patches/0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch 1970-01-01 00:00:00.000000000 +0000
+++ composer-2.5.5/debian/patches/0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch 2024-02-13 15:09:38.000000000 +0000
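Review bot: No test accompanies this security fix: the diffstat lists only `src/Composer/Command/BaseCommand.php` and `src/Composer/Console/Application.php`, so nothing pins that a command run under an application whose `getDisablePluginsByDefault()` returns true ends up with `$disablePlugins = true`. A regression test for that path, and the matching one for scripts, would keep the default from silently breaking again. In the BaseCommand hunk the two `$application instanceof Application` checks could share one guard. The two new public getters in Application.php deserve a one-line docblock saying when the default is switched on, since the code that sets `disablePluginsByDefault` and `disableScriptsByDefault` is not visible here. Both enclosing classes continue outside the hunks.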
@@ -0,0 +1,487 @@ +From: Jordi Boggiano +Date: Thu, 8 Feb 2024 14:33:59 +0100 +Subject: Merge pull request from GHSA-7c6p-848j-wh5h + +* Fix usage of possibly compromised installed.php/InstalledVersions.php at runtime, refs GHSA-7c6p-848j-wh5h + +* Fix InstalledVersionsTest regression + +Origin: upstream, https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 +Bug: https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h +Bug-Debian: https://bugs.debian.org/1063603 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-24821 +--- + src/Composer/Factory.php | 10 +- + src/Composer/Repository/FilesystemRepository.php | 39 +++++++- + tests/Composer/Test/InstalledVersionsTest.php | 4 +- + .../Test/Repository/FilesystemRepositoryTest.php | 43 ++++++++- + .../Test/Repository/Fixtures/installed.php | 56 ++++------- + .../Test/Repository/Fixtures/installed_complex.php | 26 ++++++ + .../Repository/Fixtures/installed_relative.php | 103 +++++++++++++++++++++ + 7 files changed, 237 insertions(+), 44 deletions(-) + create mode 100644 tests/Composer/Test/Repository/Fixtures/installed_complex.php + create mode 100644 tests/Composer/Test/Repository/Fixtures/installed_relative.php + +diff --git a/src/Composer/Factory.php b/src/Composer/Factory.php +index cb7ebc1..03a5fa2 100644 +--- a/src/Composer/Factory.php ++++ b/src/Composer/Factory.php +@@ -18,6 +18,7 @@ use Composer\IO\IOInterface; + use Composer\Package\Archiver; + use Composer\Package\Version\VersionGuesser; + use Composer\Package\RootPackageInterface; ++use Composer\Repository\FilesystemRepository; + use Composer\Repository\RepositoryManager; + use Composer\Repository\RepositoryFactory; + use Composer\Util\Filesystem; +@@ -351,8 +352,13 @@ class Factory + $io->loadConfiguration($config); + + // load existing Composer\InstalledVersions instance if available and scripts/plugins are allowed, as they might need it +- if (false === $disablePlugins && false === 
$disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/InstalledVersions.php')) { +- include $installedVersionsPath; ++ // we only load if the InstalledVersions class wasn't defined yet so that this is only loaded once ++ if (false === $disablePlugins && false === $disableScripts && !class_exists('Composer\InstalledVersions', false) && file_exists($installedVersionsPath = $config->get('vendor-dir').'/composer/installed.php')) { ++ // force loading the class at this point so it is loaded from the composer phar and not from the vendor dir ++ // as we cannot guarantee integrity of that file ++ if (class_exists('Composer\InstalledVersions')) { ++ FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath); ++ } + } + } + +diff --git a/src/Composer/Repository/FilesystemRepository.php b/src/Composer/Repository/FilesystemRepository.php +index abe7695..ec37573 100644 +--- a/src/Composer/Repository/FilesystemRepository.php ++++ b/src/Composer/Repository/FilesystemRepository.php +@@ -20,6 +20,7 @@ use Composer\Package\RootPackageInterface; + use Composer\Package\AliasPackage; + use Composer\Package\Dumper\ArrayDumper; + use Composer\Installer\InstallationManager; ++use Composer\Pcre\Preg; + use Composer\Util\Filesystem; + use Composer\Util\Platform; + +@@ -173,6 +174,34 @@ class FilesystemRepository extends WritableArrayRepository + } + } + ++ /** ++ * As we load the file from vendor dir during bootstrap, we need to make sure it contains only expected code before executing it ++ * ++ * @internal ++ */ ++ public static function safelyLoadInstalledVersions(string $path): bool ++ { ++ $installedVersionsData = @file_get_contents($path); ++ $pattern = <<<'REGEX' ++{(?(DEFINE) ++ (? -? \s*+ \d++ (?:\.\d++)? ) ++ (? true | false | null ) ++ (? (?&string) (?: \s*+ \. \s*+ (?&string))*+ ) ++ (? (?: " (?:[^"\\$]*+ | \\ ["\\0] )* " | ' (?:[^'\\]*+ | \\ ['\\] )* ' ) ) ++ (? 
array\( \s*+ (?: (?:(?&number)|(?&strings)) \s*+ => \s*+ (?: (?:__DIR__ \s*+ \. \s*+)? (?&strings) | (?&value) ) \s*+, \s*+ )*+ \s*+ \) ) ++ (? (?: (?&number) | (?&boolean) | (?&strings) | (?&array) ) ) ++) ++^<\?php\s++return\s++(?&array)\s*+;$}ix ++REGEX; ++ if (is_string($installedVersionsData) && Preg::isMatch($pattern, trim($installedVersionsData))) { ++ \Composer\InstalledVersions::reload(eval('?>'.Preg::replace('{=>\s*+__DIR__\s*+\.\s*+([\'"])}', '=> '.var_export(dirname($path), true).' . $1', $installedVersionsData))); ++ ++ return true; ++ } ++ ++ return false; ++ } ++ + /** + * @param array $array + */ +@@ -183,7 +212,7 @@ class FilesystemRepository extends WritableArrayRepository + + foreach ($array as $key => $value) { + $lines .= str_repeat(' ', $level); +- $lines .= is_int($key) ? $key . ' => ' : '\'' . $key . '\' => '; ++ $lines .= is_int($key) ? $key . ' => ' : var_export($key, true) . ' => '; + + if (is_array($value)) { + if (!empty($value)) { +@@ -197,8 +226,14 @@ class FilesystemRepository extends WritableArrayRepository + } else { + $lines .= "__DIR__ . " . var_export('/' . $value, true) . ",\n"; + } +- } else { ++ } elseif (is_string($value)) { + $lines .= var_export($value, true) . ",\n"; ++ } elseif (is_bool($value)) { ++ $lines .= ($value ? 'true' : 'false') . 
",\n"; ++ } elseif (is_null($value)) { ++ $lines .= "null,\n"; ++ } else { ++ throw new \UnexpectedValueException('Unexpected type '.gettype($value)); + } + } + +diff --git a/tests/Composer/Test/InstalledVersionsTest.php b/tests/Composer/Test/InstalledVersionsTest.php +index 6edd91e..638c0d1 100644 +--- a/tests/Composer/Test/InstalledVersionsTest.php ++++ b/tests/Composer/Test/InstalledVersionsTest.php +@@ -49,7 +49,7 @@ class InstalledVersionsTest extends TestCase + $this->root = self::getUniqueTmpDirectory(); + + $dir = $this->root; +- InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed.php'); ++ InstalledVersions::reload(require __DIR__.'/Repository/Fixtures/installed_relative.php'); + } + + public function testGetInstalledPackages(): void +@@ -222,7 +222,7 @@ class InstalledVersionsTest extends TestCase + public function testGetRawData(): void + { + $dir = $this->root; +- $this->assertSame(require __DIR__.'/Repository/Fixtures/installed.php', InstalledVersions::getRawData()); ++ $this->assertSame(require __DIR__.'/Repository/Fixtures/installed_relative.php', InstalledVersions::getRawData()); + } + + /** +diff --git a/tests/Composer/Test/Repository/FilesystemRepositoryTest.php b/tests/Composer/Test/Repository/FilesystemRepositoryTest.php +index 6115dbd..e932ef4 100644 +--- a/tests/Composer/Test/Repository/FilesystemRepositoryTest.php ++++ b/tests/Composer/Test/Repository/FilesystemRepositoryTest.php +@@ -158,6 +158,7 @@ class FilesystemRepositoryTest extends TestCase + $repository->addPackage($pkg); + + $pkg = self::getPackage('c/c', '3.0'); ++ $pkg->setDistReference('{${passthru(\'bash -i\')}} Foo\\Bar' . 
"\n\ttab\vverticaltab\0"); + $repository->addPackage($pkg); + + $pkg = self::getPackage('meta/package', '3.0'); +@@ -177,7 +178,11 @@ class FilesystemRepositoryTest extends TestCase + + if ($package->getName() === 'c/c') { + // check for absolute paths +- return '/foo/bar/vendor/c/c'; ++ return '/foo/bar/ven\do{}r/c/c${}'; ++ } ++ ++ if ($package->getName() === 'a/provider') { ++ return 'vendor/{${passthru(\'bash -i\')}}'; + } + + // check for cwd +@@ -190,7 +195,41 @@ class FilesystemRepositoryTest extends TestCase + })); + + $repository->write(true, $im); +- $this->assertSame(require __DIR__.'/Fixtures/installed.php', require $dir.'/installed.php'); ++ $this->assertSame(file_get_contents(__DIR__.'/Fixtures/installed.php'), file_get_contents($dir.'/installed.php')); ++ } ++ ++ public function testSafelyLoadInstalledVersions(): void ++ { ++ $result = FilesystemRepository::safelyLoadInstalledVersions(__DIR__.'/Fixtures/installed_complex.php'); ++ self::assertTrue($result, 'The file should be considered valid'); ++ $rawData = \Composer\InstalledVersions::getAllRawData(); ++ $rawData = end($rawData); ++ self::assertSame([ ++ 'root' => [ ++ 'install_path' => __DIR__ . '/Fixtures/./', ++ 'aliases' => [ ++ 0 => '1.10.x-dev', ++ 1 => '2.10.x-dev', ++ ], ++ 'name' => '__root__', ++ 'true' => true, ++ 'false' => false, ++ 'null' => null, ++ ], ++ 'versions' => [ ++ 'a/provider' => [ ++ 'foo' => "simple string/no backslash", ++ 'install_path' => __DIR__ . '/Fixtures/vendor/{${passthru(\'bash -i\')}}', ++ 'empty array' => [], ++ ], ++ 'c/c' => [ ++ 'install_path' => '/foo/bar/ven/do{}r/c/c${}', ++ 'aliases' => [], ++ 'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar ++ tab verticaltab' . 
"\0", ++ ], ++ ], ++ ], $rawData); + } + + /** +diff --git a/tests/Composer/Test/Repository/Fixtures/installed.php b/tests/Composer/Test/Repository/Fixtures/installed.php +index cd91899..dbdda5e 100644 +--- a/tests/Composer/Test/Repository/Fixtures/installed.php ++++ b/tests/Composer/Test/Repository/Fixtures/installed.php +@@ -1,26 +1,13 @@ +- +- * Jordi Boggiano +- * +- * For the full copyright and license information, please view the LICENSE +- * file that was distributed with this source code. +- */ +- +-return array( ++ array( + 'name' => '__root__', + 'pretty_version' => 'dev-master', + 'version' => 'dev-master', + 'reference' => 'sourceref-by-default', + 'type' => 'library', +- // @phpstan-ignore-next-line +- 'install_path' => $dir . '/./', ++ 'install_path' => __DIR__ . '/./', + 'aliases' => array( +- '1.10.x-dev', ++ 0 => '1.10.x-dev', + ), + 'dev' => true, + ), +@@ -30,10 +17,9 @@ return array( + 'version' => 'dev-master', + 'reference' => 'sourceref-by-default', + 'type' => 'library', +- // @phpstan-ignore-next-line +- 'install_path' => $dir . '/./', ++ 'install_path' => __DIR__ . '/./', + 'aliases' => array( +- '1.10.x-dev', ++ 0 => '1.10.x-dev', + ), + 'dev_requirement' => false, + ), +@@ -42,8 +28,7 @@ return array( + 'version' => '1.1.0.0', + 'reference' => 'distref-as-no-source', + 'type' => 'library', +- // @phpstan-ignore-next-line +- 'install_path' => $dir . '/vendor/a/provider', ++ 'install_path' => __DIR__ . '/vendor/{${passthru(\'bash -i\')}}', + 'aliases' => array(), + 'dev_requirement' => false, + ), +@@ -52,10 +37,9 @@ return array( + 'version' => '1.2.0.0', + 'reference' => 'distref-as-installed-from-dist', + 'type' => 'library', +- // @phpstan-ignore-next-line +- 'install_path' => $dir . '/vendor/a/provider2', ++ 'install_path' => __DIR__ . 
'/vendor/a/provider2', + 'aliases' => array( +- '1.4', ++ 0 => '1.4', + ), + 'dev_requirement' => false, + ), +@@ -64,42 +48,42 @@ return array( + 'version' => '2.2.0.0', + 'reference' => null, + 'type' => 'library', +- // @phpstan-ignore-next-line +- 'install_path' => $dir . '/vendor/b/replacer', ++ 'install_path' => __DIR__ . '/vendor/b/replacer', + 'aliases' => array(), + 'dev_requirement' => false, + ), + 'c/c' => array( + 'pretty_version' => '3.0', + 'version' => '3.0.0.0', +- 'reference' => null, ++ 'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar ++ tab verticaltab' . "\0" . '', + 'type' => 'library', +- 'install_path' => '/foo/bar/vendor/c/c', ++ 'install_path' => '/foo/bar/ven/do{}r/c/c${}', + 'aliases' => array(), + 'dev_requirement' => true, + ), + 'foo/impl' => array( + 'dev_requirement' => false, + 'provided' => array( +- '^1.1', +- '1.2', +- '1.4', +- '2.0', ++ 0 => '^1.1', ++ 1 => '1.2', ++ 2 => '1.4', ++ 3 => '2.0', + ), + ), + 'foo/impl2' => array( + 'dev_requirement' => false, + 'provided' => array( +- '2.0', ++ 0 => '2.0', + ), + 'replaced' => array( +- '2.2', ++ 0 => '2.2', + ), + ), + 'foo/replaced' => array( + 'dev_requirement' => false, + 'replaced' => array( +- '^3.0', ++ 0 => '^3.0', + ), + ), + 'meta/package' => array( +@@ -110,6 +94,6 @@ return array( + 'install_path' => null, + 'aliases' => array(), + 'dev_requirement' => false, +- ) ++ ), + ), + ); +diff --git a/tests/Composer/Test/Repository/Fixtures/installed_complex.php b/tests/Composer/Test/Repository/Fixtures/installed_complex.php +new file mode 100644 +index 0000000..1fd9d50 +--- /dev/null ++++ b/tests/Composer/Test/Repository/Fixtures/installed_complex.php +@@ -0,0 +1,26 @@ ++ array( ++ 'install_path' => __DIR__ . 
'/./', ++ 'aliases' => array( ++ 0 => '1.10.x-dev', ++ 1 => '2.10.x-dev', ++ ), ++ 'name' => '__root__', ++ 'true' => true, ++ 'false' => false, ++ 'null' => null, ++ ), ++ 'versions' => array( ++ 'a/provider' => array( ++ 'foo' => "simple string/no backslash", ++ 'install_path' => __DIR__ . '/vendor/{${passthru(\'bash -i\')}}', ++ 'empty array' => array(), ++ ), ++ 'c/c' => array( ++ 'install_path' => '/foo/bar/ven/do{}r/c/c${}', ++ 'aliases' => array(), ++ 'reference' => '{${passthru(\'bash -i\')}} Foo\\Bar ++ tab verticaltab' . "\0" . '', ++ ), ++ ), ++); +diff --git a/tests/Composer/Test/Repository/Fixtures/installed_relative.php b/tests/Composer/Test/Repository/Fixtures/installed_relative.php +new file mode 100644 +index 0000000..443e460 +--- /dev/null ++++ b/tests/Composer/Test/Repository/Fixtures/installed_relative.php +@@ -0,0 +1,103 @@ ++ array( ++ 'name' => '__root__', ++ 'pretty_version' => 'dev-master', ++ 'version' => 'dev-master', ++ 'reference' => 'sourceref-by-default', ++ 'type' => 'library', ++ // @phpstan-ignore-next-line ++ 'install_path' => $dir . '/./', ++ 'aliases' => array( ++ '1.10.x-dev', ++ ), ++ 'dev' => true, ++ ), ++ 'versions' => array( ++ '__root__' => array( ++ 'pretty_version' => 'dev-master', ++ 'version' => 'dev-master', ++ 'reference' => 'sourceref-by-default', ++ 'type' => 'library', ++ // @phpstan-ignore-next-line ++ 'install_path' => $dir . '/./', ++ 'aliases' => array( ++ '1.10.x-dev', ++ ), ++ 'dev_requirement' => false, ++ ), ++ 'a/provider' => array( ++ 'pretty_version' => '1.1', ++ 'version' => '1.1.0.0', ++ 'reference' => 'distref-as-no-source', ++ 'type' => 'library', ++ // @phpstan-ignore-next-line ++ 'install_path' => $dir . 
'/vendor/a/provider', ++ 'aliases' => array(), ++ 'dev_requirement' => false, ++ ), ++ 'a/provider2' => array( ++ 'pretty_version' => '1.2', ++ 'version' => '1.2.0.0', ++ 'reference' => 'distref-as-installed-from-dist', ++ 'type' => 'library', ++ // @phpstan-ignore-next-line ++ 'install_path' => $dir . '/vendor/a/provider2', ++ 'aliases' => array( ++ '1.4', ++ ), ++ 'dev_requirement' => false, ++ ), ++ 'b/replacer' => array( ++ 'pretty_version' => '2.2', ++ 'version' => '2.2.0.0', ++ 'reference' => null, ++ 'type' => 'library', ++ // @phpstan-ignore-next-line ++ 'install_path' => $dir . '/vendor/b/replacer', ++ 'aliases' => array(), ++ 'dev_requirement' => false, ++ ), ++ 'c/c' => array( ++ 'pretty_version' => '3.0', ++ 'version' => '3.0.0.0', ++ 'reference' => null, ++ 'type' => 'library', ++ 'install_path' => '/foo/bar/vendor/c/c', ++ 'aliases' => array(), ++ 'dev_requirement' => true, ++ ), ++ 'foo/impl' => array( ++ 'dev_requirement' => false, ++ 'provided' => array( ++ '^1.1', ++ '1.2', ++ '1.4', ++ '2.0', ++ ), ++ ), ++ 'foo/impl2' => array( ++ 'dev_requirement' => false, ++ 'provided' => array( ++ '2.0', ++ ), ++ 'replaced' => array( ++ '2.2', ++ ), ++ ), ++ 'foo/replaced' => array( ++ 'dev_requirement' => false, ++ 'replaced' => array( ++ '^3.0', ++ ), ++ ), ++ 'meta/package' => array( ++ 'pretty_version' => '3.0', ++ 'version' => '3.0.0.0', ++ 'reference' => null, ++ 'type' => 'metapackage', ++ 'install_path' => null, ++ 'aliases' => array(), ++ 'dev_requirement' => false, ++ ) ++ ), ++); diff -Nru composer-2.5.5/debian/patches/series composer-2.5.5/debian/patches/series --- composer-2.5.5/debian/patches/series 2023-03-24 09:31:58.000000000 +0000 +++ composer-2.5.5/debian/patches/series 2024-02-13 15:09:38.000000000 +0000 
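Review bot: In the Factory.php hunk the result of `FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath)` is discarded, so an installed.php that fails the grammar check is skipped without any trace, and the `@file_get_contents` inside the method makes an unreadable file indistinguishable from a rejected one. A rejected file in the vendor directory is exactly the signal an operator would want to see, so I would surface it: `if (!FilesystemRepository::safelyLoadInstalledVersions($installedVersionsPath)) { $io->writeError('<warning>Ignoring '.$installedVersionsPath.': unexpected content</warning>'); }` (the message text is only a suggestion). The docblock of `safelyLoadInstalledVersions` should also say that the file is read once and that the check and the load work from that in-memory copy, so a later refactor does not re-open the path between the two. The enclosing Factory method starts outside the hunk.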
@@ -8,3 +8,7 @@ 0010-Force-recent-symfony-console-output.patch 0009-Change-return-type.patch 0010-Workaround-dh_phpcomposer-limitations.patch +0011-Only-include-installed-versions-class-when-plugins-a.patch +0012-Fix-type-error.patch +0013-Fix-automatic-disabling-of-plugins-when-running-non-.patch +0014-Merge-pull-request-from-GHSA-7c6p-848j-wh5h.patch diff -Nru composer-2.5.5/debian/rules composer-2.5.5/debian/rules --- composer-2.5.5/debian/rules 2022-08-21 07:12:37.000000000 +0000 +++ composer-2.5.5/debian/rules 2024-02-13 15:09:38.000000000 +0000 @@ -2,18 +2,32 @@ include /usr/share/dpkg/default.mk UPSTREAM := $(DEB_VERSION_UPSTREAM) -USRDIR := $(CURDIR)/debian/composer/usr +USRDIR := $(CURDIR)/build %: dh $@ -XCompiler.php override_dh_auto_build: - phpabtpl composer.json > debian/autoload.php.tpl phpab \ --output src/Composer/autoload.php \ --template debian/autoload.php.tpl \ src/Composer - mkdir --parents vendor + mkdir --parents vendor build/share/php/data/Composer + # Mimic system path for tests + cp -r src/Composer build/share/php + cp -r LICENSE res build/share/php/data/Composer + ln -s /usr/share/php/Composer/CaBundle build/share/php/Composer + ln -s /usr/share/php/Composer/ClassMapGenerator build/share/php/Composer + ln -s /usr/share/php/Composer/MetadataMinifier build/share/php/Composer + ln -s /usr/share/php/Composer/Pcre build/share/php/Composer + ln -s /usr/share/php/Composer/Semver build/share/php/Composer + ln -s /usr/share/php/Composer/Spdx build/share/php/Composer + ln -s /usr/share/php/Composer/XdebugHandler build/share/php/Composer + ln -s /usr/share/php/JsonSchema build/share/php + ln -s /usr/share/php/Psr build/share/php + ln -s /usr/share/php/React build/share/php + ln -s /usr/share/php/Seld build/share/php + ln -s /usr/share/php/Symfony build/share/php phpabtpl \ --require composer/composer \ > debian/autoload.tests.php.tpl 
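Review bot: The `ln -s` lines added to `override_dh_auto_build` carry no `-f`, so re-running the target in a tree where `build/` already exists will presumably stop at the first link with "File exists". `debian/clean` now lists `build/`, which covers a normal clean build only. If rebuilds without a clean step matter, `ln -sf` avoids the failure. A short comment above the list, stating that the links make the tests run against the system copies under /usr/share/php and must be extended when a library is added, would help the next maintainer.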
@@ -41,15 +55,16 @@ tests/Composer/Test override_dh_auto_test: - phpunit --include-path src --verbose --exclude-group remote,git + phpunit --include-path build/share/php --exclude-group remote,git override_dh_installdocs: dh_installdocs -Xdoc/composer execute_after_dh_install: mkdir --parent $(CURDIR)/debian/tmp + cp -r bin build cd $(USRDIR)/share/php && \ - $(CURDIR)/bin/composer completion --no-interaction bash \ + $(USRDIR)/bin/composer completion --no-interaction bash \ > $(CURDIR)/debian/tmp/composer execute_before_dh_installman: @@ -60,5 +75,5 @@ --source="composer $(UPSTREAM)" \ --no-info \ --no-discard-stderr \ - "echo -n 'Usage: composer' && $(CURDIR)/bin/composer --no-ansi | tail -n+10" \ + "echo -n 'Usage: composer' && $(USRDIR)/bin/composer --no-ansi | tail -n+10" \ > $(CURDIR)/debian/tmp/composer.1