1.0.2

• Fixed regression in 1.0.1 on systems with mbstring.func_overload enabled
• Fixed regression in 1.0.1 that made dev packages update to the latest reference even if not whitelisted in a partial update
• Fixed init command ignoring the COMPOSER env var for choosing the json file name
• Fixed error reporting bug when the dependency resolution fails
• Fixed handling of $ sign in composer config command in some cases it could corrupt the json file

1.0.1

• Fixed URL updating when a package's URL changes, composer.lock now contains the right URL including correct reference
• Fixed URL updating of the origin git remote as well for packages installed as git clone
• Fixed binary .bat files generated from linux being incompatible with windows cmd
• Fixed handling of paths with trailing slashes in path repository
• Fixed create-project not using platform config when selecting a package
• Fixed self-update not showing the channel it uses to perform the update
• Fixed file downloads not failing loudly when the content does not match the Content-Length header
• Fixed secure-http detecting some malformed URLs as insecure
• Updated CA bundle

1.0.0

• Added support for bitbucket-oauth configuration
• Added warning when running composer as super user, set COMPOSER_ALLOW_SUPERUSER=1 to hide the warning if you really must
• Added PluginManager::getGlobalComposer getter to retrieve the global instance (which can be null!)
• Fixed dependency solver error reporting in many cases it now shows you proper errors instead of just saying a package does not exist
• Fixed output of failed downloads appearing as 100% done instead of Failed
• Fixed handling of empty directories when archiving, they are not skipped anymore
• Fixed installation of broken plugins corrupting the vendor state when combined with symlinked path repositories

1.0.0-beta2

• Break: The install command now turns into an update command automatically if you have no composer.lock. This was done only half-way before which caused inconsistencies
• Break: By default the remove command now removes dependencies as well, and --update-with-dependencies is deprecated. Use --no-update-with-dependencies to get old behavior
• Added support for update channels in self-update. All users will now update to stable builds by default. Run self-update with --snapshot, --preview or --stable to switch between update channels.
• Added support for SSL_CERT_DIR env var and openssl.capath ini value
• Added some conflict detection in why-not command
• Added suggestion of root package's suggests in create-project command
• Fixed create-project ignoring --ignore-platform-reqs when choosing a version of the package
• Fixed search command in a directory without composer.json
• Fixed path repository handling of symlinks on windows
• Fixed PEAR repo handling to prefer HTTPS mirrors over HTTP ones
• Fixed handling of Path env var on Windows, only PATH was accepted before
• Small error reporting and docs improvements

1.0.0-beta1

• Break: By default we now disable any non-secure protocols (http, git, svn). This may lead to issues if you rely on those. See secure-http config option.
• Break: show / list command now only show installed packages by default. An --all option is added to show all packages.
• Added VCS repo support for the GitLab API, see also gitlab-oauth and gitlab-domains config options
• Added prohibits / why-not command to show what blocks an upgrade to a given package:version pair
• Added --tree / -t to the show command to see all your installed packages in a tree view
• Added --interactive / -i to the update command, which lets you pick packages to update interactively
• Added exec command to run binaries while having bin-dir in the PATH for convenience
• Added --root-reqs to the update command to update only your direct, first degree dependencies
• Added cafile and capath config options to control HTTPS certificate authority
• Added pubkey verification of composer.phar when running self-update
• Added possibility to configure per-package preferred-install types for more flexibility between prefer-source and prefer-dist
• Added unpushed-changes detection when updating dependencies and in the status command
• Added COMPOSER_AUTH env var that lets you pass a json configuration like the auth.json file
• Added secure-http and disable-tls config options to control HTTPS/HTTP
• Added warning when Xdebug is enabled as it reduces performance quite a bit, hide it with COMPOSER_DISABLE_XDEBUG_WARN=1 if you must
• Added duplicate key detection when loading composer.json
• Added sort-packages config option to force sorting of the requirements when using the require command
• Added support for the XDG Base Directory spec on linux
• Added XzDownloader for xz file support
• Fixed SSL support to fully verify peers in all PHP versions, unsecure HTTP is also disabled by default
• Fixed stashing and cleaning up of untracked files when updating packages
• Fixed plugins being enabled after installation even when --no-plugins
• Many small bug fixes and additions

1.0.0-alpha11

• Added config.platform to let you specify what your target environment looks like and make sure you do not inadvertently install dependencies that would break it
• Added exclude-from-classmap in the autoload config that lets you ignore sub-paths of classmapped directories, or psr-0/4 directories when building optimized autoloaders
• Added path repository type to install/symlink packages from local paths
• Added possibility to reference script handlers from within other handlers using @script-name to reduce duplication
• Added suggests command to show what packages are suggested, use -v to see more details
• Added content-hash inside the composer.lock to restrict the warnings about outdated lock file to some specific changes in the composer.json file
• Added archive-format and archive-dir config options to specify default values for the archive command
• Added --classmap-authoritative to install, update, require, remove and dump-autoload commands, forcing the optimized classmap to be authoritative
• Added -A / --with-dependencies to the validate command to allow validating all your dependencies recursively
• Added --strict to the validate command to treat any warning as an error that then returns a non-zero exit code
• Added a dependency on composer/semver, which is the externalized lib for all the version constraints parsing and handling
• Added support for classmap autoloading to load plugin classes and script handlers
• Added bin-compat config option that if set to full will create .bat proxy for binaries even if Compoesr runs in a linux VM
• Added SPDX 2.0 support, and externalized that in a composer/spdx-licenses lib
• Added warnings when the classmap autoloader finds duplicate classes
• Added --file to the archive command to choose the filename
• Added Ctrl+C handling in create-project to cancel the operation cleanly
• Fixed version guessing to use ^ always, default to stable versions, and avoid versions that require a higher php version than you have
• Fixed the lock file switching back and forth between old and new URL when a package URL is changed and many people run updates
• Fixed partial updates updating things they shouldn't when the current vendor dir was out of date with the lock file
• Fixed PHAR file creation to be more reproducible and always generate the exact same phar file from a given source
• Fixed issue when checking out git branches or tags that are also the name of a file in the repo
• Many minor fixes and documentation additions and UX improvements

1.0.0-alpha10

• Break: The following event classes are deprecated and you should update your script handlers to use the new ones in type hints:
  • Composer\Script\CommandEvent is deprecated, use Composer\Script\Event
  • Composer\Script\PackageEvent is deprecated, use Composer\Installer\PackageEvent
• Break: Output is now split between stdout and stderr. Any irrelevant output to each command is on stderr as per unix best practices.
• Added support for npm-style semver operators (^ and - ranges, (space) = AND,|| = OR)
• Added --prefer-lowest to update command to allow testing a package with the lowest declared dependencies
• Added support for parsing semver build metadata +anything at the end of versions
• Added --sort-packages option to require command for sorting dependencies
• Added --no-autoloader to install and update commands to skip autoload generation
• Added --list to run-script command to see available scripts
• Added --absolute to config command to get back absolute paths
• Added classmap-authoritative config option, if enabled only the classmap info will be used by the composer autoloader
• Added support for branch-alias on numeric branches
• Added support for the https_proxy/HTTPS_PROXY env vars used only for https URLs
• Added support for using real composer repos as local paths in create-project command
• Added --no-dev to licenses command
• Added support for PHP 7.0 nightly builds
• Fixed detection of stability when parsing multiple constraints
• Fixed installs from lock file containing updated composer.json requirement
• Fixed the autoloader suffix in vendor/autoload.php changing in every build
• Many minor fixes, documentation additions and UX improvements

1.0.0-alpha9

• Added remove command to do the reverse of require
• Added --ignore-platform-reqs to install/update commands to install even if you are missing a php extension or have an invalid php version
• Added a warning when abandoned packages are being installed
• Added auto-selection of the version constraint in the require command, which can now be used simply as composer require foo/bar
• Added ability to define custom composer commands using scripts
• Added browse command to open a browser to the given package's repo URL (or homepage with -H)
• Added an autoload-dev section to declare dev-only autoload rules + a --no-dev flag to dump-autoload
• Added an auth.json file, with store-auths config option
• Added a http-basic config option to store login/pwds to hosts
• Added failover to source/dist and vice-versa in case a download method fails
• Added --path (-P) flag to the show command to see the install path of packages
• Added --update-with-dependencies and --update-no-dev flags to the require command
• Added optimize-autoloader config option to force the -o flag from the config
• Added clear-cache command
• Added a GzipDownloader to download single gzipped files
• Added ssh support in the github-protocols config option
• Added pre-dependencies-solving and post-dependencies-solving events
• Added pre-archive-cmd and post-archive-cmd script events to the archive command
• Added a no-api flag to GitHub VCS repos to skip the API but still get zip downloads
• Added http-basic auth support for private git repos not on github
• Added support for autoloading .hh files when running HHVM
• Added support for PHP 5.6
• Added support for OTP auth when retrieving a GitHub API key
• Fixed isolation of files autoloaded scripts to ensure they can not affect anything
• Improved performance of solving dependencies
• Improved SVN and Perforce support
• A boatload of minor fixes, documentation additions and UX improvements

1.0.0-alpha8

• Break: The install command now has --dev enabled by default. --no-dev can be used to install without dev requirements
• Added composer-plugin package type to allow extensibility, and deprecated composer-installer
• Added psr-4 autoloading support and deprecated target-dir since it is a better alternative
• Added --no-plugins flag to replace --no-custom-installers where available
• Added global command to operate Composer in a user-global directory
• Added licenses command to list the license of all your dependencies
• Added pre-status-cmd and post-status-cmd script events to the status command
• Added post-root-package-install and post-create-project-cmd script events to the create-project command
• Added pre-autoload-dump script event
• Added --rollback flag to self-update
• Added --no-install flag to create-project to skip installing the dependencies
• Added a hhvm platform package to require Facebook's HHVM implementation of PHP
• Added github-domains config option to allow using GitHub Enterprise with Composer's GitHub support
• Added prepend-autoloader config option to allow appending Composer's autoloader instead of the default prepend behavior
• Added Perforce support to the VCS repository
• Added a vendor/composer/autoload_files.php file that lists all files being included by the files autoloader
• Added support for the no_proxy env var and other proxy support improvements
• Added many robustness tweaks to make sure zip downloads work more consistently and corrupted caches are invalidated
• Added the release date to composer -V output
• Added autoloader-suffix config option to allow overriding the randomly generated autoloader class suffix
• Fixed BitBucket API usage
• Fixed parsing of inferred stability flags that are more stable than the minimum stability
• Fixed installation order of plugins/custom installers
• Fixed tilde and wildcard version constraints to be more intuitive regarding stabilities
• Fixed handling of target-dir changes when updating packages
• Improved performance of the class loader
• Improved memory usage and performance of solving dependencies
• Tons of minor bug fixes and improvements

1.0.0-alpha7

• Break: For forward compatibility, you should change your deployment scripts to run composer install --no-dev. The install command will install dev dependencies by default starting in the next release
• Break: The update command now has --dev enabled by default. --no-dev can be used to update without dev requirements, but it will create an incomplete lock file and is discouraged
• Break: Removed support for lock files created before 2012-09-15 due to their outdated unusable format
• Added prefer-stable flag to pick stable packages over unstable ones when possible
• Added preferred-install config option to always enable --prefer-source or --prefer-dist
• Added diagnose command to to system/network checks and find common problems
• Added wildcard support in the update whitelist, e.g. to update all packages of a vendor do composer update vendor/*
• Added archive command to archive the current directory or a given package
• Added run-script command to manually trigger scripts
• Added proprietary as valid license identifier for non-free code
• Added a php-64bit platform package that you can require to force a 64bit php
• Added a lib-ICU platform package
• Added a new official package type project for project-bootstrapping packages
• Added zip/dist local cache to speed up repetitive installations
• Added post-autoload-dump script event
• Added Event::getDevMode to let script handlers know if dev requirements are being installed
• Added discard-changes config option to control the default behavior when updating "dirty" dependencies
• Added use-include-path config option to make the autoloader look for files in the include path too
• Added cache-ttl, cache-files-ttl and cache-files-maxsize config option
• Added cache-dir, cache-files-dir, cache-repo-dir and cache-vcs-dir config option
• Added support for using http(s) authentication to non-github repos
• Added support for using multiple autoloaders at once (e.g. PHPUnit + application both using Composer autoloader)
• Added support for .inc files for classmap autoloading (legacy support, do not do this on new projects!)
• Added support for version constraints in show command, e.g. composer show monolog/monolog 1.4.*
• Added support for svn repositories containing packages in a deeper path (see package-path option)
• Added an artifact repository to scan a directory containing zipped packages
• Added --no-dev flag to install and update commands
• Added --stability (-s) flag to create-project to lower the required stability
• Added --no-progress to install and update to hide the progress indicators
• Added --available (-a) flag to the show command to display only available packages
• Added --name-only (-N) flag to the show command to show only package names (one per line, no formatting)
• Added --optimize-autoloader (-o) flag to optimize the autoloader from the install and update commands
• Added -vv and -vvv flags to get more verbose output, can be useful to debug some issues
• Added COMPOSER_NO_INTERACTION env var to do the equivalent of --no-interaction (should be set on build boxes, CI, PaaS)
• Added PHP 5.2 compatibility to the autoloader configuration files so they can be used to configure another autoloader
• Fixed handling of platform requirements of the root package when installing from lock
• Fixed handling of require-dev dependencies
• Fixed handling of unstable packages that should be downgraded to stable packages when updating to new version constraints
• Fixed parsing of the ~ operator combined with unstable versions
• Fixed the require command corrupting the json if the new requirement was invalid
• Fixed support of aliases used together with <version>#<reference> constraints
• Improved output of dependency solver problems by grouping versions of a package together
• Improved performance of classmap generation
• Improved mercurial support in various places
• Improved lock file format to minimize unnecessary diffs
• Improved the config command to support all options
• Improved the coverage of the validate command
• Tons of minor bug fixes and improvements