Composer, the de-facto standard way to install PHP packages, has published a new release that includes a major security update. Jordi Boggiano made this comment about the release on Twitter:

After triaging/merging/fixing almost 200 issues in the last couple days, Composer v1.6.4 is out! ???? It contains a security fix and is therefore a much recommended update for all.

Other changes include fixes for:

• a regression in version guessing of path repositories
• the updating of package URLs for GitLab
• init command not respecting the current php version when selecting package versions
• exclude-from-classmap symlink handling

You can grab the latest version from the Composer site or you can use it's own self-update command.