version bumps

[shelane]

Continual check of version updates. Open until ready to tag new release.

Summary by CodeRabbit

• Chores
  • Updated development tool versions across supported PHP images:
    • Composer 2.8.12 → 2.9.2
    • Acquia CLI 2.49.0 → 2.54.0
    • Terminus 4.1.0 → 4.1.1 (applies to PHP 8.2+ images)
    • yq 4.48.1 → 4.50.1

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Bumped tool version ENV literals in PHP 8.1–8.4 Dockerfiles: COMPOSER2_VERSION → 2.9.2, ACQUIA_CLI_VERSION → 2.54.0, YQ_VERSION → 4.50.1; also TERMINUS_VERSION → 4.1.1 in 8.2–8.4. No control-flow or build-step changes. (28 words)

Changes

Cohort / File(s)	Summary
PHP 8.1 8.1/Dockerfile	Updated ENV: COMPOSER2_VERSION 2.8.12 → 2.9.2; ACQUIA_CLI_VERSION 2.49.0 → 2.54.0; YQ_VERSION 4.48.1 → 4.50.1
PHP 8.2–8.4 8.2/Dockerfile, 8.3/Dockerfile, 8.4/Dockerfile	Updated ENV: COMPOSER2_VERSION 2.8.12 → 2.9.2; ACQUIA_CLI_VERSION 2.49.0 → 2.54.0; TERMINUS_VERSION 4.1.0 → 4.1.1; YQ_VERSION 4.48.1 → 4.50.1

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Homogeneous version bumps across four Dockerfiles.
• Pay extra attention to:
  • Any nearby checksum or URL lines that may need updating.
  • Duplicate ENV blocks in 8.4/Dockerfile where the same variables appear.

Possibly related PRs

• version bumps #338 — Prior PR updating the same Dockerfile ENV tool-version variables across 8.x images.
• Version bumps #339 — Related PR also bumping yq and other tool versions in 8.x Dockerfiles.

Suggested reviewers

• lmakarov

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'version bumps' is directly related to the main change—updating multiple tool versions across Dockerfiles (Composer, Acquia CLI, Terminus, YQ).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/version-bumps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e5cbb47 and e30908f.

📒 Files selected for processing (4)

• 8.1/Dockerfile (1 hunks)
• 8.2/Dockerfile (1 hunks)
• 8.3/Dockerfile (1 hunks)
• 8.4/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• 8.1/Dockerfile
• 8.3/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build: 8.4/arm64
• GitHub Check: Build: 8.3/amd64
• GitHub Check: Build: 8.4/amd64
• GitHub Check: Build: 8.1/arm64
• GitHub Check: Build: 8.3/arm64
• GitHub Check: Build: 8.2/amd64
• GitHub Check: Build: 8.2/arm64
• GitHub Check: Build: 8.1/amd64

🔇 Additional comments (2)

8.4/Dockerfile (1)

161-161: Updated versions are all valid and available.

Composer 2.9 introduces new security features, and the other version bumps (Acquia CLI 2.51.4, Terminus 4.1.1, and yq 4.48.2) are confirmed to exist on their respective repositories. These appear to be standard maintenance updates.

Also applies to: 166-169

8.2/Dockerfile (1)

161-161: Version updates match 8.4/Dockerfile and are current.

The same four version bumps are applied here. Composer 2.9 introduces security improvements that should be beneficial for this image.

Also applies to: 166-169

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2c3abc and 239c390.

📒 Files selected for processing (4)

• 8.1/Dockerfile (1 hunks)
• 8.2/Dockerfile (1 hunks)
• 8.3/Dockerfile (1 hunks)
• 8.4/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• 8.2/Dockerfile
• 8.1/Dockerfile
• 8.3/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build: 8.2/amd64
• GitHub Check: Build: 8.1/arm64
• GitHub Check: Build: 8.2/arm64

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Composer 2.9.2 release GitHub security advisories

💡 Result:

Composer 2.9.2 (released 2025‑11‑19) release notes: adds audit/security-blocking features (e.g. --no-security-blocking, audit.ignore behavior fixes). [1][2]

Relevant GitHub security advisory: GHSA‑v9qv‑c7wm‑wgmf (CVE‑2024‑35242) — command‑injection via malicious git/hg branch names affecting older 2.x versions; patches were released in 2.2.24 and 2.7.7. This advisory is distinct from the 2.9.2 feature/fix release (2.9.2 improves audit/security blocking behavior). [3][1]

Sources:

• Composer GitHub releases (2.9.2). [1]
• Composer changelog (2.9.2). [2]
• GitHub/OSV advisory GHSA‑v9qv‑c7wm‑wgmf / CVE‑2024‑35242. [3]

References:
[1] https://github.com/composer/composer/releases/tag/2.9.2
[2] https://getcomposer.org/changelog/2.9.2
[3] https://osv.dev/vulnerability/GHSA-v9qv-c7wm-wgmf

---

🌐 Web query:

Acquia CLI 2.54.0 release GitHub

💡 Result:

I couldn't find a GitHub release for Acquia CLI version 2.54.0. The Acquia CLI repository and Acquia's CLI release index (which lists versions through 2.51.x) are here:

• Acquia CLI repo on GitHub: https://github.com/acquia/cli. [1]
• Acquia CLI release index/documentation (shows releases up to 2.51.x). [2]

Do you want me to watch the GitHub releases page and notify you if 2.54.0 appears, or search again with different terms?

---

🌐 Web query:

Terminus 4.1.1 pantheon-systems release

💡 Result:

Terminus 4.1.1 was released November 6, 2025. It’s a patch release that adds auto-detect for URLs in DB clone search/replace and fixes env:info drush_version output. To upgrade via Homebrew: brew upgrade pantheon-systems/external/terminus. Standalone PHAR download is available at the 4.1.1 release (example curl shown in the install docs). [1][2]

Sources:

• Pantheon release notes (Terminus 4.1.1 — Nov 6, 2025). [1]
• Pantheon Terminus install/update docs (PHAR/Homebrew commands; example 4.1.1 download). [2]

---

🌐 Web query:

yq 4.50.1 mikefarah release security

💡 Result:

Yes — yq v4.50.1 (mikefarah) is available. Chocolatey shows the v4.50.1 package published/approved 14 Dec 2025 and includes the official release binaries/checksums. I found no public security advisories specifically calling out a vulnerability fixed in 4.50.1; the release appears to add features (HCL support reported in community posts). For full release notes and any security statements, check the official GitHub releases page for v4.50.1 and the repo. [1][2]

Sources:

• Chocolatey package page for yq v4.50.1 (package details, checksums, approved date). [1]
• mikefarah/yq GitHub repository (official project and releases page). [2]

Would you like me to open the GitHub release page and list the exact changelog entries?

---

Acquia CLI version 2.54.0 does not exist; verify the intended version.

Verification found that Composer 2.9.2, Terminus 4.1.1, and yq 4.50.1 are all valid releases with no known security issues. However, Acquia CLI 2.54.0 does not exist on GitHub—the latest available version is 2.51.x. This will cause the Docker build to fail. Confirm the intended Acquia CLI version and update the Dockerfile accordingly.

🤖 Prompt for AI Agents

In 8.4/Dockerfile around line 161, the Acquia CLI version is set to 2.54.0 which
does not exist and will break the Docker build; update the Acquia CLI version
variable to a valid release (for example the latest 2.51.x) or change it to a
documented tag/variable that matches a release on GitHub, and verify the install
command (URL or package name) references that exact version so the build can
succeed.