From 431d5344856d0754322b73919fadbd03e7ad7012 Mon Sep 17 00:00:00 2001
From: Yash Rode <57207-yash.rode@users.noreply.drupalcode.org>
Date: Tue, 28 Feb 2023 12:56:07 +0000
Subject: [PATCH] Issue #3343889 by yash.rode, Wim Leers, phenaproxima, tedbow:
 Drop support for end-of-life versions of Composer

---
 package_manager/src/ComposerInspector.php            | 12 +++++++++++-
 .../tests/src/Kernel/ComposerInspectorTest.php       |  7 +++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/package_manager/src/ComposerInspector.php b/package_manager/src/ComposerInspector.php
index f772fcaf3e..f70a9b3dc3 100644
--- a/package_manager/src/ComposerInspector.php
+++ b/package_manager/src/ComposerInspector.php
@@ -42,9 +42,19 @@ class ComposerInspector {
   /**
    * A semantic version constraint for the supported version(s) of Composer.
    *
+   * Only versions supported by Composer are supported: the LTS and the latest
+   * minor version. Those are currently 2.2 and 2.5.
+   *
+   * @see https://endoflife.date/composer
+   *
+   * Note that Composer <= 2.2.11 is not supported anymore due to a security
+   * vulnerability.
+   *
+   * @see https://blog.packagist.com/cve-2022-24828-composer-command-injection-vulnerability/
+   *
    * @var string
    */
-  final public const SUPPORTED_VERSION = '~2.2.12 || ^2.3.5';
+  final public const SUPPORTED_VERSION = '~2.2.12 || ^2.5';
 
   /**
    * Constructs a ComposerInspector object.
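Review bot: The new docblock text "Those are currently 2.2 and 2.5" disagrees with the constant below it, because `^2.5` also accepts every later 2.x minor (2.6, 2.7, …) that this module has not been vetted against, whereas the comment reads as if only those two minors pass the check. If admitting future minors is the intent, say so in the docblock, e.g. `* The caret on the latest minor deliberately admits later 2.x minors as well.`; if it is not, `~2.5.0` would match the comment as written. In either case the `@testWith` dataset in ComposerInspectorTest.php (second hunk) only exercises 2.5.x as accepted, so a row such as `*   ["2.6.0", null]` (or `"<default>"` if rejection is meant) would pin the chosen behaviour. Naming the minors inline also goes stale as soon as either branch moves; pointing readers at the constant and the endoflife link already cited would avoid that.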
diff --git a/package_manager/tests/src/Kernel/ComposerInspectorTest.php b/package_manager/tests/src/Kernel/ComposerInspectorTest.php
index a9c3cff208..6c5e99929a 100644
--- a/package_manager/tests/src/Kernel/ComposerInspectorTest.php
+++ b/package_manager/tests/src/Kernel/ComposerInspectorTest.php
@@ -183,9 +183,12 @@ class ComposerInspectorTest extends PackageManagerKernelTestBase {
    *
    * @testWith ["2.2.12", null]
    *   ["2.2.13", null]
-   *   ["2.3.6", null]
-   *   ["2.4.1", null]
+   *   ["2.5.0", null]
+   *   ["2.5.11", null]
    *   ["2.2.11", "<default>"]
+   *   ["2.2.0-dev", "<default>"]
+   *   ["2.3.6", "<default>"]
+   *   ["2.4.1", "<default>"]
    *   ["2.3.4", "<default>"]
    *   ["2.1.6", "<default>"]
    *   ["1.10.22", "<default>"]
-- 
GitLab