chore(deps): update dependency composer/composer to v2.10.1

[renovate]

This PR contains the following updates:

Package	Update	Change
composer/composer	minor	2.9.5 → 2.10.1

---

Release Notes

composer/composer (composer/composer)

v2.10.1

Compare Source

• Security: Fixed shell escaping when opening an editor (#​12903)
  • Security: Verify backup phar signature before restoring it when using self-update --rollback (#​12918)
  • Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#​12888)
  • Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#​12912)
  • Fixed GitHub token prompt happening multiple times on parallel auth failures (#​12913)
  • Fixed warnings from Composer repositories being printed twice in some cases (#​12907)

v2.10.0

Compare Source

• BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#​12885)
  • BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#​12881)
  • Security: Hardened output filtering of URLs to reduce chances of token leaks (#​12882, #​12886)
  • Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#​12884)
  • Fixed audit command returning a success code when the vendor dir was not present (#​12880)

v2.9.8

Compare Source

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

v2.9.7

Compare Source

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#​12802)

v2.9.6

Compare Source

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
  • Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
  • Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3)
  • Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77)
  • Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc08)
  • Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c76)
  • Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#​12758)
  • Fixed GitHub API authentication errors not being visible to the user (#​12737)
  • Fixed some platform package parsing failing when Composer runs in web SAPIs (#​12735)
  • Fixed error reporting for clarity when a constraint cannot be parsed (#​12743)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Every minute (* * * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.