Update composer/composer requirement from ^2.8 to ^2.9

[dependabot]

Updates the requirements on composer/composer to permit the latest version.

Release notes

Sourced from composer/composer's releases.

2.9.1

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

Full Changelog: composer/composer@2.9.0...2.9.1

Changelog

Sourced from composer/composer's changelog.

[2.9.1] 2025-11-13

• Fixed regression in phpunit binary proxies (#12601)
• Fixed script handler autoloading issues (#12606)
• Fixed null call of Command::setDescription in some cases (#12605)
• Fixed --prefer-lowest builds sometimes failing due to the filtering of versions with known vulnerabilities (#12603)

[2.9.0] 2025-11-13

• Fixed a couple minor issues with --bump-after-update (#12598)
• Various docs fixes

[2.9.0-RC1] 2025-11-07

• Bumped composer-plugin-api to 2.9.0
• Added automatic blocking of packages with security advisories from updates (#11956)
• Added audit > block-insecure config setting to control blocking of updates to package versions with known security advisories (defaults to true) (#11956)
• Added audit > block-abandoned config setting to control blocking of updates to abandoned packages (defaults to false) (#11956)
• Added audit > ignore-abandoned config setting to ignore some packages (#12572)
• Added --ignore-unreachable flag to audit command to allow running audit in environments that do not have access to some repos (#12470)
• Added repository command to add, remove, or update repositories more easily (#12388)
• Updated repositories structure to contain a name attribute and being stored preferably as list instead of object (#12388)
• Added support for --minimal-changes full updates where only packages that need changing to satisfy modified constraints are updated (#12349)
• Added update-with-minimal-changes config setting (and COMPOSER_MINIMAL_CHANGES env var) to default to minimal changes (#12545)
• Added support for forgejo / codeberg.org repositories (#12307)
• Added automatic recovery of simple lock file conflicts when running update with a file that has a content-hash conflict (#11517)
• Added support for HTTP/3 if libcurl supports it (#12363)
• Added support for custom header authentication (#12372)
• Added support for client TLS certificates (#12406)
• Added --locked flag to licenses command to show data from the lock file instead of installed packages (#12595)
• Added SHELL_VERBOSITY env var to control verbosity of shell scripts (#12473)
• Added support for running init without interaction (#12546)
• Added COMPOSER_PREFER_DEV_OVER_PRERELEASE env var for use in development together with --prefer-lowest builds (#12585)
• Added support for Windows Sudo to elevate during self-update (#12543)
• Improved performance of script handlers by reducing ad-hoc autoloader creation (#12456)
• Fixed display of dist refs for dev versions when source is missing (#12562)
• Fixed issue not showing abandoned warnings when a package is abandoned without new release (#12423)
• Fixed compatibility issues with Symfony 7
• Fixed issues with PHP preloading being hard to debug (#12528)

[2.8.12] 2025-09-19

• Fixed json schema issues with version validation (#12512)
• Fixed PHP 8.5 deprecation warnings (#12513)
• Fixed support for Bitbucket API tokens (#12515)
• Fixed handling of spaces in paths when using binaries (#12524)
• Fixed config --global path resolution issue (#12537)
• Reduced peak memory usage while loading packages (#12516)
• Dropped react/promise 2.x support

... (truncated)

Commits

• 35cb6d4 Release 2.9.1
• da7ebf7 Update changelog
• 4e92161 Fix null call of Command::setDescription, fixes #12605
• 47e5184 Fix script autoloading regressions (#12606)
• 80503cb Run security advisory filter first to avoid inconsistent states due to the op...
• 5ad6a46 Reverting 86b4aa1 to fix path resolution for vendor/bin proxies (#12601)
• 6032381 Reverting release version changes
• 5b236f4 Release 2.9.0
• f4f29b7 Update changelog
• b71c1e1 Repo command docs: Clarify usage, add example (#12599)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)