Hi,
Composer recently released their first stable version of 1.0.0, which among other things mandates usage of secure connections and validates certificates[1]. I'd like for 1.27 to require 1.0.0 as a minimum version people must use when fetching/installing MediaWiki dependencies (people can always use mediawiki/vendor instead of composer though).
As a side-effect, this would let us get rid of some old back-compat code that is currently triggering a deprecation notice on every composer install command[2].
Thoughts?
[1] https://phabricator.wikimedia.org/T119272#2125086
[2] https://phabricator.wikimedia.org/T119590#2234183
-- Legoktm
wikitech-l@lists.wikimedia.org