News item

Security release!

Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b958)
Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67)
Security: Fixed perforce argument escaping (3773f77)
Security: Fixed handling of zip bombs when extracting archives (de5f7e3)
Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion, reported by Splitline Huang (3130a74, 04a63b3)
Fixed PSR violations for classes not matching the namespace of a rule being hidden, this may lead to new violations being shown (#11957)
Fixed UX when a plugin is still in vendor dir but is not required nor allowed anymore after changing branches (#12000)
Fixed new platform requirements from composer.json not being checked if the lock file is outdated (#12001)
Fixed ability for config command to remove autoload keys (#11967)
Fixed empty type support in init command (#11999)
Fixed git clone errors when safe.bareRepository is set to strict in the git config (#11969)
Fixed regression showing network errors on PHP <8.1 (#11974)
Fixed some color bleed from a few warnings (#11972)