Bump the composer group across 1 directory with 7 updates

[dependabot]

Bumps the composer group with 7 updates in the / directory:

Package	From	To
composer/composer	2.9.5	2.10.1
google/protobuf	4.33.5	4.33.6
league/commonmark	2.8.0	2.8.2
robrichards/xmlseclibs	3.1.4	3.1.5
symfony/cache	7.4.5	7.4.13
symfony/routing	7.4.4	7.4.13
symfony/yaml	7.4.1	7.4.13

Updates composer/composer from 2.9.5 to 2.10.1

Release notes

Sourced from composer/composer's releases.

2.10.1

• Security: Fixed shell escaping when opening an editor (#12903)
• Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
• Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
• Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
• Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
• Fixed warnings from Composer repositories being printed twice in some cases (#12907)

Full Changelog: composer/composer@2.10.0...2.10.1

2.10.0

Read the Composer 2.10 Release Announcement for more details on the release highlights.

Full Changelog

• BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
• BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
• Security: Added dependency policies to block package versions where malware was detected on update/install or report it with audit (#12786)
• Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
• Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
• Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
• Added --strict-psr-autoloader flag to install and update commands (#12647)
• Added source-fallback config option to disable or enable source fallback on download failure (#12698)
• Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
• Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
• Optimized PoolOptimizer memory usage (#12783)
• Optimized classmap dumping performance
• Deprecated most of the audit config in favor of the new policy one (#12804, see #12786 for the RFC and upgrade docs)
• Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
• Fixed warning being shown when lock file is disabled (#12760)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed audit command returning a success code when the vendor dir was not present (#12880)

Full Changelog: composer/composer@2.9.8...2.10.0

2.10.0-RC2

Composer 2.10 is ready for a release, and we need your help to test it and report any regression.

Please try it out!

• Running composer self-update --preview will get you the 2.10.0-RC2
• Running composer self-update --stable will get you back on the latest 2.9 stable release if anything broke.
• Report any issues you encounter as a new issue specifying you tried the 2.10 RC and please include stack traces & repro details.

... (truncated)

Changelog

Sourced from composer/composer's changelog.

[2.10.1] 2026-06-04

• Security: Fixed shell escaping when opening an editor (#12903)
• Security: Verify backup phar signature before restoring it when using self-update --rollback (#12918)
• Fixed source-fallback also disabling fallbacks to dist install when source is the preferred install method (#12888)
• Fixed source -> dist package updates wiping the .git dir without checking for local changes first (#12912)
• Fixed GitHub token prompt happening multiple times on parallel auth failures (#12913)
• Fixed warnings from Composer repositories being printed twice in some cases (#12907)

[2.10.0] 2026-05-28

• BC Break / Security: Disabled automatic fallback to source checkout if dist/zip install fails, we have introduced a new source-fallback config option as a temporary way to restore the old behavior, but if you need this talk to us as we plan to remove it entirely in 2.11 (#12885)
• BC Break: Minor break for audit consumers, the exit code is now always 0 (success) or 1 if anything failed the audit (#12881)
• Security: Hardened output filtering of URLs to reduce chances of token leaks (#12882, #12886)
• Security: Fixed handling of uppercase schemes in URL validation that might have allowed https requirement bypass (#12884)
• Fixed audit command returning a success code when the vendor dir was not present (#12880)

[2.10.0-RC2] 2026-05-20

• Since 2.10.0-RC1, fixes in 2.9.6 - 2.9.8, many of which security relevant, are also included
• Since 2.10.0-RC1 a lot of the new filter list config format was modified - see #12786 for the latest state of this new feature
• Added a new policy config block to control all security related update/install/audit policies. This replaces and deprecates most of the audit config (#12804 for implementation, #12786 for RFC/upgrade docs)
• Enabled blocking of malware packages at install time by default
• Fixed --no-plugins handling regression (#12789)
• Fixed regression in startup performance when many scripts are defined (#12832)
• Improved classmap dumping performance

[2.10.0-RC1] 2026-04-01

• Security: Added filter lists to block package versions where malware was detected on update or report it with audit (#12786)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Enforce allow-plugins even in non-interactive mode for very old pre-2.2 lock files (#12764)
• Added support for temporary --with constraints with wildcards in the package name for the update command (#12658)
• Added --strict-psr-autoloader flag to install and update commands (#12647)
• Added source-fallback config option to disable or enable source fallback on download failure (#12698)
• Added --require parameter to create-project to add new packages to the project as it gets installed (#12738)
• Optimized plugin autoloading by avoiding regenerating classmaps for every package per plugin (#12696)
• Optimized PoolOptimizer memory usage (#12783)
• Fixed update --bump-after-update to only bump packages that actually were updated (#12733)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)
• Fixed warning being shown when lock file is disabled (#12760)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)

[2.9.8] 2026-05-13

• Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)

... (truncated)

Commits

• 4120703 Release 2.10.1
• 5a9d151 Update changelog
• f0c0933 Bump api-surface-check
• a199d6a Verify backup signature on self-update --rollback (#12918)
• 22bd443 Fix one more path and remove a few baselined errors
• 7f7e62b Check for local changes when switching a package from source to dist (#12912)
• 9e10c87 Capture/show full output if selfupdate test fails
• fefcb84 Add missing throw
• 694c899 Fix unreliable network tests
• 5cc5e41 Update CVE link (#12910)
• Additional commits viewable in compare view

Updates google/protobuf from 4.33.5 to 4.33.6

Commits

• 84b008c 4.33.6 sync
• 1debe45 5.34.0 sync
• 3f6644d 5.34.0RC2 sync
• 6fd2d13 4.29.6 sync
• See full diff in compare view

Updates league/commonmark from 2.8.0 to 2.8.2

Release notes

Sourced from league/commonmark's releases.

2.8.2

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

• Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

Full Changelog: thephpleague/commonmark@2.8.1...2.8.2

2.8.1

What's Changed

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

• Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
• Fixed PHP 8.5 deprecation (#1107)

New Contributors

• @​Kocal made their first contribution in thephpleague/commonmark#1106
• @​freost made their first contribution in thephpleague/commonmark#1107

Full Changelog: thephpleague/commonmark@2.8.0...2.8.1

Changelog

Sourced from league/commonmark's changelog.

[2.8.2] - 2026-03-19

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

• Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

[2.8.1] - 2026-03-05

This is a security release to address an issue where DisallowedRawHtml can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.

Fixed

• Fixed DisallowedRawHtmlRenderer not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
• Fixed PHP 8.5 deprecation (#1107)

Commits

• 59fb075 Fix DomainFilteringAdapter hostname boundary bypass
• 74b4487 Document dangers of enabling an unsafe php.ini setting
• 84b1ca4 Almost forgot this entry
• bcf54f5 Merge commit from fork
• 7a68ed1 Prepare to release 2.8.1
• 5c0c4c8 Fix DisallowedRawHtml bypass via newline/tab in tag names
• f6e7443 Add regression test
• 0719b67 Merge pull request #1107 from freost/fix-php85-deprecation-error
• 63ff2e0 Fix PHP 8.5 deprecation
• 8608e9c Merge pull request #1106 from Kocal/patch-1
• Additional commits viewable in compare view

Updates robrichards/xmlseclibs from 3.1.4 to 3.1.5

Release notes

Sourced from robrichards/xmlseclibs's releases.

3.1.5

Validate AES-GCM Authentication Tag

Changelog

Sourced from robrichards/xmlseclibs's changelog.

xmlseclibs.php ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ??, ??? ????, 4.0.0 Security Improvements:

Features:

• Remove support for PHP < 8.0
• add support for RSA PSS (Julius Türich and joonlabs)
• use phpseclib for encrypting rsa-oaep and rsa-oaep-mgf1p (Julius Türich and joonlabs)

12, Dec 2026, 3.1.5 Security:

• Validate AES-GCM Authentication Tag (Sideni)

08, Dec 2025, 3.1.4 Security:

• fix canonicalization bypass error (d0ge)

20, Nov 2024, 3.1.3 Bug Fixes:

• remove loadKey check due to BC issues

20, Nov 2024, 3.1.2 Improvements:

• Add tab to list of whitespace values to remove from cert. refs #252
• loadKey should check return value for openssl_get_privatekey (sammarshallou)
• Switch to GitHub actions (SharkMachine)

05, Sep 2020, 3.1.1 Features:

• Support OAEP (iggyvolz)

Bug Fixes:

• Fix AES128 (iggyvolz)

Improvements:

• Fix tests for older PHP

22, Apr 2020, 3.1.0 Features:

• Support AES-GCM. Requires PHP 7.1. (François Kooman)

Improvements:

• Fix Travis tests for older PHP versions.
• Use DOMElement interface to fix some IDEs reporting documentation errors

Bug Fixes:

• FIX missing InclusiveNamespaces PrefixList from Java + Apache WSS4J. (njake)

... (truncated)

Commits

• 03062be Merge commit from fork
• See full diff in compare view

Updates symfony/cache from 7.4.5 to 7.4.13

Release notes

Sourced from symfony/cache's releases.

v7.4.13

Changelog (symfony/cache@v7.4.12...v7.4.13)

• bug #64330 Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@​signor-pedro)
• bug #64336 Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@​nicolas-grekas)

v7.4.12

Changelog (symfony/cache@v7.4.10...v7.4.12)

• security #cve-2026-45073 Validate the prefix given to AbstractAdapter::clear() (@​nicolas-grekas)

v7.4.10

Changelog (symfony/cache@v7.4.9...v7.4.10)

• bug #64122 Ensure compatibility with Relay extension 0.22.0 (@​nicolas-grekas)

v7.4.9

Changelog (symfony/cache@v7.4.8...v7.4.9)

• bug #64060 Normalize default_lifetime for pools wrapped by ChainAdapter (@​ostrolucky)
• bug #63964 Ensure internal state is cleared in TagAwareAdapter::reset() … (@​KevinMartinsDev)
• bug #63860 Fix Psr16Cache::getMultiple() returning wrapper values when using TTL (@​nicolas-grekas)

v7.4.8

Changelog (symfony/cache@v7.4.7...v7.4.8)

• bug #63818 Ensure compatibility with Relay extension 0.21.0 (@​lyrixx)
• bug #63747 Fix Psr16Cache::getMultiple() returning ValueWrapper with TagAwareAdapter (@​pcescon)
• bug #63736 Fix undefined array key when tag save fails in AbstractTagAwareAdapter (@​pcescon)
• bug #63655 Fix ChainAdapter ignoring item expiry when propagating to earlier adapters (@​guillaumeVDP)

v7.4.7

Changelog (symfony/cache@v7.4.6...v7.4.7)

• bug #63592 Add timeout and slot eviction to LockRegistry stampede prevention (@​nicolas-grekas)

v7.4.6

Changelog (symfony/cache@v7.4.5...v7.4.6)

• bug #63437 Wrap DoctrineDbalAdapter::doSave() in savepoint to prevent transaction poisoning (@​lacatoire)
• bug #63391 Align Redis sentinel auth handling across components (@​nicolas-grekas)
• bug #63324 Fix DSN auth not passed to Redis/RedisCluster/Relay in RedisTrait (@​ckrack)
• bug #63306 Revert "Fix DSN auth not passed to clusters in RedisTrait" (@​nicolas-grekas)
• bug #63272 Fix forwarding SSL settings to the redis sentinel (@​CientistaDaWeb)
• bug #63230 fix engine declaration on mysql pdo table creations (@​tandev)

Commits

• 4c09e18 Merge branch '6.4' into 7.4
• 5490a57 Merge branch '5.4' into 6.4
• bf58147 [Cache] skip tests for adapters that cannot clear by prefix
• f796e47 Ignore Doctrine DBAL deprecations that can't be worked around
• bf9d30f Merge branch '6.4' into 7.4
• 03472b6 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doCl...
• 8602405 Merge branch '5.4' into 6.4
• 4acd37c [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear()
• 902d621 Merge branch '6.4' into 7.4
• 8f9b022 Merge branch '5.4' into 6.4
• Additional commits viewable in compare view

Updates symfony/routing from 7.4.4 to 7.4.13

Release notes

Sourced from symfony/routing's releases.

v7.4.13

Changelog (symfony/routing@v7.4.12...v7.4.13)

• security #cve-2026-48784 Fix dot-segment encoding for chained "../" and "./" in generated URLs (@​nicolas-grekas)
• bug #64343 Harden __unserialize against __toString trampolines (@​nicolas-grekas)

v7.4.12

Changelog (symfony/routing@v7.4.9...v7.4.12)

• security #cve-2026-45065 Fix regex alternation anchoring in UrlGenerator requirement validation (@​alexandre-daubois)

v7.4.9

Changelog (symfony/routing@v7.4.6...v7.4.9)

• bug #63981 Honor the Request's method in UrlMatcher::matchRequest() (@​ousamabenyounes)

v7.4.8

Changelog (symfony/routing@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/routing@v7.4.5...v7.4.6)

• bug #54236 Fix exclude option being ignored for non-glob and PSR-4 resources (@​NeilPeyssard)
• bug #60662 assign attribute aliases to localized route if applicable (@​alcohol)

Commits

• 3a16217 Merge branch '6.4' into 7.4
• af04c79 Merge branch '5.4' into 6.4
• e6f3f03 Fix tests and merge resolution after merging 6.4 into 7.4
• 5156fe8 Merge branch '6.4' into 7.4
• be4ce34 [Routing][RateLimiter][Mime][Security] Harden __unserialize against __toStrin...
• f4ca0c5 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs
• 3b04a5e Merge branch '6.4' into 7.4
• 0cd0d2f Merge branch '5.4' into 6.4
• 287771d [7.4] Remove usages of named arguments in tests
• 453501c Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Updates symfony/yaml from 7.4.1 to 7.4.13

Release notes

Sourced from symfony/yaml's releases.

v7.4.13

Changelog (symfony/yaml@v7.4.12...v7.4.13)

• bug #64316 Allow trailing newlines after the end-of-document marker (@​nicolas-grekas)

v7.4.12

Changelog (symfony/yaml@v7.4.11...v7.4.12)

• security #cve-2026-45305 Harden the Parser::cleanup() regexes against catastrophic backtracking (@​nicolas-grekas)
• security #cve-2026-45304 Bound collection-alias resolution in the parser (@​nicolas-grekas)
• security #cve-2026-45133 Bound recursion depth in the parser (@​nicolas-grekas)

v7.4.11

Changelog (symfony/yaml@v7.4.10...v7.4.11)

• bug #64196 Reject non-stringables when using "!!binary" (@​nicolas-grekas)

v7.4.10

Changelog (symfony/yaml@v7.4.6...v7.4.10)

• bug #64119 fix flow collection drops &anchor and !!str &anchor items (@​ousamabenyounes)

v7.4.8

Changelog (symfony/yaml@v7.4.7...v7.4.8)

• no significant changes

v7.4.6

Changelog (symfony/yaml@v7.4.5...v7.4.6)

• bug #57292 Fix parsing nested mappings in sequences (@​HypeMC)

Commits

• a7ec3b1 Merge branch '6.4' into 7.4
• e8fdf34 CS fix
• 4b5658c Merge branch '6.4' into 7.4
• 69b7344 Merge branch '5.4' into 6.4
• ae0bbb4 [Yaml] Allow trailing newlines after the end-of-document marker
• 8b6952b Merge branch '6.4' into 7.4
• 68dcd1f Merge branch '5.4' into 6.4
• b0b2705 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking
• 5a351ff [Yaml] Bound collection-alias resolution in the parser
• e2eb64a Merge branch '6.4' into 7.4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.