1.10.0

• Breaking: composer global exec ... now executes the process in the current working directory instead of executing it in the global directory.
• Warning: Added a warning when class names are being loaded by a PSR-4 or PSR-0 rule only due to classmap optimization, but would not otherwise be autoloadable. Composer 2.0 will stop autoloading these classes so make sure you fix your autoload configs.
• Added new funding key to composer.json to describe ways your package's maintenance can be funded. This reads info from GitHub's FUNDING.yml by default so better configure it there so it shows on GitHub and Composer/Packagist
• Added composer fund command to show funding info of your dependencies. Read more
• Added bearer auth config to authenticate using Authorization: Bearer <token> headers
• Added plugin-api-version in composer.lock so third-party tools can know which Composer version was used to generate a lock file
• Added support for --format=json output for show command when showing a single package
• Added support for configuring suggestions using config command, e.g. composer config suggest.foo/bar some text
• Added support for configuring fine-grained preferred-install using config command, e.g. composer config preferred-install.foo/* dist
• Added @putenv script handler to set environment variables from composer.json for following scripts
• Added lock option that can be set to false, in which case no composer.lock file will be generated
• Added --add-repository flag to create-project command which will persist the repo given in --repository into the composer.json of the package being installed
• Fixed issue where --no-dev autoload generation was excluding some packages which should not have been excluded
• Added support for IPv6 addresses in NO_PROXY
• Added package homepage display in the show command
• Added debug info about HTTP authentications
• Added Symfony 5 compatibility
• Added --fixed flag to require command to make it use a fixed constraint instead of a ^x.y constraint when adding the requirement
• Fixed exclude-from-classmap matching subsets of directories e.g. foo/ was excluding foobar/
• Fixed archive command to persist file permissions inside the zip files
• Fixed init/require command to avoid suggesting packages which are already selected in the search results
• Fixed create-project UX issues
• Fixed filemtime for vendor/composer/* files is now only changing when the files actually change
• Fixed issues detecting docker environment with an active open_basedir

1.10.0-RC

• Breaking: composer global exec ... now executes the process in the current working directory instead of executing it in the global directory.
• Deprecated: Added a warning when class names are being loaded by a PSR-4 or PSR-0 rule only due to classmap optimization, but would not otherwise be autoloadable. Composer 2.0 will stop autoloading these classes so make sure you fix your autoload configs.
• Added new funding key to composer.json to describe ways your package's maintenance can be funded. This reads info from GitHub's FUNDING.yml by default so better configure it there so it shows on GitHub and Composer/Packagist
• Added composer fund command to show funding info of your dependencies
• Added support for --format=json output for show command when showing a single package
• Added support for configuring suggestions using config command, e.g. composer config suggest.foo/bar some text
• Added support for configuring fine-grained preferred-install using config command, e.g. composer config preferred-install.foo/* dist
• Added @putenv script handler to set environment variables from composer.json for following scripts
• Added lock option that can be set to false, in which case no composer.lock file will be generated
• Added --add-repository flag to create-project command which will persist the repo given in --repository into the composer.json of the package being installed
• Added support for IPv6 addresses in NO_PROXY
• Added package homepage display in the show command
• Added debug info about HTTP authentications
• Added Symfony 5 compatibility
• Added --fixed flag to require command to make it use a fixed constraint instead of a ^x.y constraint when adding the requirement
• Fixed exclude-from-classmap matching subsets of directories e.g. foo/ was excluding foobar/
• Fixed archive command to persist file permissions inside the zip files
• Fixed init/require command to avoid suggesting packages which are already selected in the search results
• Fixed create-project UX issues
• Fixed filemtime for vendor/composer/* files is now only changing when the files actually change
• Fixed issues detecting docker environment with an active open_basedir

1.9.3

• Fixed GitHub deprecation of access_token query parameter, now using Authorization header

1.9.2

• Fixed minor git driver bugs
• Fixed schema validation for version field to allow dev-* versions too
• Fixed external processes' output being formatted even though it should not
• Fixed issue with path repositories when trying to install feature branches

1.9.1

• Fixed various credential handling issues with gitlab and github
• Fixed credentials being present in git remotes in Composer cache and vendor directory when not using SSH keys
• Fixed composer why not listing replacers as a reason something is present
• Fixed various PHP 7.4 compatibility issues
• Fixed root warnings always present in Docker containers, setting COMPOSER_ALLOW_SUPERUSER is not necessary anymore
• Fixed GitHub access tokens leaking into debug-verbosity output
• Fixed several edge case issues detecting GitHub, Bitbucket and GitLab repository types
• Fixed Composer asking if you want to use a composer.json in a parent directory when ran in non-interactive mode
• Fixed classmap autoloading issue finding classes located within a few non-PHP context blocks (?>...<?php)

1.9.0

• Breaking: artifact repositories with URLs containing port numbers and requiring authentication now require you to configure http-basic auth for the host:port pair explicitly
• Added a --no-cache flag available on all commands to run with the cache disabled
• Added PHP_BINARY as env var pointing to the PHP process when executing Composer scripts as shell scripts
• Added a use-github-api config option which can set the no-api flag on all GitHub VCS repositories declared
• Added a static helper you can preprend to a script to avoid process timeouts, "Composer\\Config::disableProcessTimeout"
• Added Event::getOriginatingEvent to retrieve an event's original event when a script handler forwards to another one
• Added support for autoloading directly from a phar file
• Fixed loading order of plugins to always initialize them in order of dependencies
• Fixed various network-mount related issues
• Fixed --ignore-platform-reqs not ignoring conflict rules against platform packages

1.8.6

• Fixed handling of backslash-escapes handling in composer.json when using the require command
• Fixed create-project not following classmap-authoritative and apcu-autoloader config values
• Fixed HHVM version warning showing up in some cases when it was not in use

1.8.5

• HHVM 4.0 is no longer compatible with Composer. Please use PHP instead going forward.
• Added forward compatibility with upcoming 2.0 changes
• Fixed support for PHP 7.3-style heredoc/nowdoc syntax changes in autoload generation
• Fixed require command usage when combined with --ignore-platform-reqs
• Fixed and cleaned up various Windows junctions handling issues

1.8.4

• Fixed long standing solver bug leading to odd solving issues in edge cases, see #7946
• Fixed HHVM support for upcoming releases
• Fixed unix proxy for binaries to be POSIX compatible instead of breaking some shells
• Fixed invalid deprecation warning for composer-plugin-api
• Fixed edge case issues with Windows junctions when working with path repositories

1.8.3

• Fixed regression when executing partial updates