Open
Labels: Issue: ready for confirmation; Reported on 2.4.x
Description
The system requirements say that Composer 2.8 is supported on many versions of Magento; the 2.4.9 / 2.4.8 and 2.4.7 series all "support" it.
But the 2.8 series is no longer in security support.

And the Composer 2.8 series now has a security advisory which suggests it should not be used:

```
$ composer require composer/composer:">=2.8.0,<2.9.0"
./composer.json has been updated
Running composer update composer/composer
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires composer/composer >=2.8.0,<2.9.0, found composer/composer[2.8.0, ..., 2.8.12] but these were not loaded, because they are affected by security advisories ("PKSA-1gck-s111-yq7g"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Installation failed, reverting ./composer.json to its original content.
```

When trying to deploy on Adobe Cloud, we set the following in the .magento.app.yaml, and it will always fail the deployment:

```
dependencies:
    php:
        composer/composer: '2.8.12'
```

Given that the advisory https://packagist.org/security-advisories/PKSA-1gck-s111-yq7g is tagged against composer/composer it seems like support for the 2.8 series is no longer valid?