Composer 2.9 Brings Automatic Security Blocking and New Repository Commands
Composer 2.9 adds default automatic blocking of insecure packages, a new CLI repository command, lock‑file conflict recovery, a minimal‑changes flag, Forgejo support, and performance enhancements, providing developers with stronger security and smoother dependency management.
Automatic Security Blocking
Composer 2.9 automatically blocks updates to packages that have known security advisories. This protection is enabled by default and can be tuned via the audit.block-insecure configuration setting. It complements the existing composer audit command, which can be run against the composer.lock file to report vulnerable packages. An optional audit.block-abandoned flag can also block abandoned packages, though it is not enabled by default.
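The blocking decision described above can also be applied as a CI gate over the report that composer audit prints. The following Python is an added example written for this article, not Composer's own (PHP) code: it reads a constructed report shaped like the JSON output of composer audit --locked --format=json (the exact field set is an assumption; only the advisories and abandoned keys are used) and mirrors the 2.9 defaults, blocking on any advisory and only reporting abandoned packages unless block_abandoned is turned on.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample, shaped like the JSON that `composer audit --locked --format=json`
# prints. The field set is an assumption for this example; the package names,
# advisory ids and URLs are made up.
SAMPLE_AUDIT_REPORT = json.dumps({
    "advisories": {
        "acme/widget": [
            {"advisoryId": "EXAMPLE-0001", "packageName": "acme/widget",
             "affectedVersions": "<1.4.2", "title": "Constructed advisory",
             "cve": None, "severity": "high", "link": "https://example.org/advisories/1"}
        ],
        "acme/gadget": [
            {"advisoryId": "EXAMPLE-0002", "packageName": "acme/gadget",
             "affectedVersions": ">=2.0,<2.3.1", "title": "Constructed advisory",
             "cve": None, "severity": "low", "link": "https://example.org/advisories/2"}
        ],
    },
    # abandoned maps a package to its suggested replacement, or None when there is none
    "abandoned": {"acme/oldlib": "acme/newlib", "acme/deadlib": None},
})


def evaluate_audit(report_json, block_insecure=True, block_abandoned=False, min_severity=None):
    """Decide which packages a gate would block.

    Defaults mirror Composer 2.9: packages with any advisory are blocked
    (block_insecure on), abandoned packages are only reported (block_abandoned off).
    min_severity raises the bar so that only advisories at that level or above block;
    advisories without a severity field count as rank 0 and are blocked by default.
    Returns {"blocked": [...], "reported": [...]} with findings sorted by package name.
    """
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK.get(min_severity, 0)
    blocked, reported = [], []

    for package, advisories in sorted(report.get("advisories", {}).items()):
        worst = max(SEVERITY_RANK.get((a.get("severity") or "").lower(), 0)
                    for a in advisories)
        finding = {
            "package": package,
            "reason": "advisory",
            "ids": [a.get("advisoryId") for a in advisories],
            "severity_rank": worst,
        }
        if block_insecure and worst >= min_rank:
            blocked.append(finding)
        else:
            reported.append(finding)

    for package, replacement in sorted(report.get("abandoned", {}).items()):
        finding = {"package": package, "reason": "abandoned", "replacement": replacement}
        (blocked if block_abandoned else reported).append(finding)

    return {"blocked": blocked, "reported": reported}


if __name__ == "__main__":
    outcome = evaluate_audit(SAMPLE_AUDIT_REPORT)
    for finding in outcome["blocked"]:
        print("BLOCK ", finding["package"], finding["reason"])
    for finding in outcome["reported"]:
        print("REPORT", finding["package"], finding["reason"])
    raise SystemExit(1 if outcome["blocked"] else 0)
```

Exiting non-zero when anything is blocked makes the script usable as a pipeline step; the severity threshold is deliberately off by default because an advisory without a severity should fail closed rather than slip through.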
New Repository Command
The new repository command simplifies repository management from the command line. Users can add, remove, or update repositories without manually editing composer.json. Repositories are now stored as a JSON array with a name property, improving addressing and organization.
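To make the name-addressed array concrete, here is an added Python example written for this article (not Composer's own code) that applies the add, remove, --after and set-url operations from the commands shown in this section to a constructed composer.json. Entry order is preserved because Composer consults repositories in array order; the conversion of the older object form keyed by repository name is an assumption about legacy configs.

```python
import json
from typing import Optional

# Constructed composer.json fragment: a repositories array with a "name" on each
# entry, the layout Composer 2.9 writes. Names and URLs are made up for this example.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "acme/app",
    "repositories": [
        {"name": "foo", "type": "vcs", "url": "https://github.com/acme/foo"},
        {"name": "bar", "type": "composer", "url": "https://repo.packagist.com/bar"},
    ],
})


def load_config(text: str) -> dict:
    """Parse composer.json text into a dict."""
    return json.loads(text)


def _repositories(cfg: dict) -> list:
    """Return the repositories array, converting the older object-keyed form if present."""
    repos = cfg.get("repositories", [])
    if isinstance(repos, dict):
        # Assumed legacy form {"name": {"type": ..., "url": ...}}: fold the key into "name".
        repos = [{"name": name, **entry} for name, entry in repos.items()]
    cfg["repositories"] = repos
    return repos


def _index_of(repos: list, name: str) -> int:
    """Position of the entry with the given name; repositories are addressed by name."""
    for i, repo in enumerate(repos):
        if repo.get("name") == name:
            return i
    raise KeyError(f"no repository named {name!r}")


def repo_exists(cfg: dict, name: str) -> bool:
    return any(r.get("name") == name for r in _repositories(cfg))


def repo_list(cfg: dict) -> list:
    """Counterpart of `composer repo list`: (name, type, url) tuples in configured order."""
    return [(r.get("name"), r.get("type"), r.get("url")) for r in _repositories(cfg)]


def repo_add(cfg: dict, name: str, type_: str, url: str, after: Optional[str] = None) -> dict:
    """Counterpart of `composer repo add NAME TYPE URL [--after NAME]`.

    Order matters: the first repository that can serve a package wins, so the new
    entry is appended unless --after names the entry it should directly follow.
    """
    repos = _repositories(cfg)
    if repo_exists(cfg, name):
        raise ValueError(f"repository {name!r} already exists")
    entry = {"name": name, "type": type_, "url": url}
    position = len(repos) if after is None else _index_of(repos, after) + 1
    repos.insert(position, entry)
    return cfg


def repo_remove(cfg: dict, name: str) -> dict:
    """Counterpart of `composer repo remove NAME`."""
    repos = _repositories(cfg)
    del repos[_index_of(repos, name)]
    return cfg


def repo_set_url(cfg: dict, name: str, url: str) -> dict:
    """Counterpart of `composer repo set-url NAME URL`; other fields are left alone."""
    repos = _repositories(cfg)
    repos[_index_of(repos, name)]["url"] = url
    return cfg


if __name__ == "__main__":
    cfg = load_config(SAMPLE_COMPOSER_JSON)
    repo_add(cfg, "qux", "vcs", "https://example.org", after="foo")
    repo_set_url(cfg, "foo", "https://git.example.org/acme/foo")
    repo_remove(cfg, "bar")
    print(json.dumps(cfg, indent=4))
```

Keeping every entry named means a later set-url or remove cannot silently hit the wrong repository when the array is reordered, which is the reason the announcement gives for the new storage format.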
composer repo list
composer repo add foo vcs https://github.com/acme/foo
composer repo add bar composer https://repo.packagist.com/bar
composer repo add qux vcs https://example.org --after bar
composer repo remove foo
composer repo set-url foo https://git.example.org/acme/foo
Automatic Lock File Conflict Recovery
During updates, Composer can automatically recover from simple lock‑file conflicts. If only the content-hash attribute conflicts, running update --lock or update will read the lock file while ignoring Git conflict markers.
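The condition Composer checks here, that the only conflicting lines are the content-hash, can be expressed in a few lines. The following Python is an added example written for this article, not Composer's own (PHP) implementation: it walks a constructed composer.lock containing Git conflict markers, keeps the HEAD side of a conflict when both sides are nothing but a content-hash line (which side is kept is an assumption; Composer rewrites content-hash on the next update anyway), and refuses to guess when the conflict touches anything else.

```python
import json
import re

CONFLICT_OURS = "<<<<<<< "
CONFLICT_BASE = "|||||||"    # present only with the diff3 merge style
CONFLICT_SEP = "======="
CONFLICT_THEIRS = ">>>>>>> "

# A lock file's content-hash is a 32-character hex digest of the relevant composer.json parts.
HASH_LINE = re.compile(r'^\s*"content-hash"\s*:\s*"[0-9a-f]{32}"\s*,?\s*$')

# Constructed lock file with a conflict that touches only content-hash (recoverable).
SAMPLE_CONFLICTED_LOCK = """{
    "_readme": ["This file locks the dependencies of your project to a known state"],
<<<<<<< HEAD
    "content-hash": "0123456789abcdef0123456789abcdef",
=======
    "content-hash": "fedcba9876543210fedcba9876543210",
>>>>>>> feature/add-logger
    "packages": [
        {"name": "acme/logger", "version": "3.0.0"}
    ],
    "packages-dev": []
}
"""

# Constructed lock file whose conflict is inside the packages list (not recoverable).
SAMPLE_UNRECOVERABLE_LOCK = """{
    "content-hash": "0123456789abcdef0123456789abcdef",
    "packages": [
<<<<<<< HEAD
        {"name": "acme/logger", "version": "3.0.0"}
=======
        {"name": "acme/logger", "version": "2.0.0"}
>>>>>>> feature/downgrade
    ],
    "packages-dev": []
}
"""


def recover_lock(text: str) -> dict:
    """Parse a lock file, dropping conflict markers only where both sides are content-hash lines.

    Raises ValueError when a conflict block contains anything else, because then
    the two branches disagree about packages and a human has to resolve it.
    """
    out = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.startswith(CONFLICT_OURS):
            out.append(line)
            i += 1
            continue
        ours, theirs, side = [], [], "ours"
        i += 1
        while i < len(lines) and not lines[i].startswith(CONFLICT_THEIRS):
            current = lines[i]
            if current.startswith(CONFLICT_BASE):
                side = "base"            # diff3 base section is discarded
            elif current.startswith(CONFLICT_SEP):
                side = "theirs"
            elif side == "ours":
                ours.append(current)
            elif side == "theirs":
                theirs.append(current)
            i += 1
        if i >= len(lines):
            raise ValueError("unterminated conflict block")
        i += 1                           # skip the >>>>>>> line
        if not ours or not all(HASH_LINE.match(l) for l in ours + theirs):
            raise ValueError("conflict touches more than content-hash; resolve manually")
        out.extend(ours)                 # keep HEAD's hash; update regenerates it anyway
    return json.loads("\n".join(out))


def is_recoverable(text: str) -> bool:
    """True when the lock file parses after content-hash-only conflicts are dropped."""
    try:
        recover_lock(text)
        return True
    except ValueError:                   # json.JSONDecodeError is a ValueError too
        return False


if __name__ == "__main__":
    print("recoverable:", is_recoverable(SAMPLE_CONFLICTED_LOCK))
    print("recoverable:", is_recoverable(SAMPLE_UNRECOVERABLE_LOCK))
```

The strict regular expression is the safety property: a conflict block that also changes a package entry, or that hides a non-hash line between the markers, is rejected instead of being silently merged into whichever side came first.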
Other Notable Improvements
Minimal‑changes update: a new --minimal-changes flag updates only the packages required to satisfy the changed constraints.
Forgejo/Codeberg support: native handling of Forgejo repositories.
Performance: fewer autoloader regenerations speed up script handlers, and HTTP/3 support is added.
For a full list of changes and bug fixes, see the complete changelog. Original announcement: https://blog.packagist.com/composer-2-9