chore(deps): bump composer/composer from 2.9.5 to 2.9.7

[dependabot]

Bumps composer/composer from 2.9.5 to 2.9.7.

Release notes

Sourced from composer/composer's releases.

2.9.7

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Full Changelog: composer/composer@2.9.6...2.9.7

2.9.6

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Full Changelog: composer/composer@2.9.5...2.9.6

Changelog

Sourced from composer/composer's changelog.

[2.9.7] 2026-04-14

• Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

[2.9.6] 2026-04-14

• Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
• Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
• Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
• Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
• Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
• Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
• Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
• Fixed GitHub API authentication errors not being visible to the user (#12737)
• Fixed some platform package parsing failing when Composer runs in web SAPIs (#12735)
• Fixed error reporting for clarity when a constraint cannot be parsed (#12743)

Commits

• 82a2fbd Release 2.9.7
• 02265b2 Update changelog
• ca0612e Fixes custom script command aliases regression when a script is called a subs...
• bd695ee Reverting release version changes
• 9afc32c Release 2.9.6
• e00073c Fix some perforce type issues
• 4fcc13d Convert perforce util to use array process args to avoid injections
• fd82721 Update changelog
• 15f2541 Fix --no-plugins handling regression in #12758, fixes #12789
• 4f02616 Merge commit from fork
• Additional commits viewable in compare view

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.