diff --git a/Bugfix-for-CVE-2024-35241.patch b/Bugfix-for-CVE-2024-35241.patch new file mode 100644 index 0000000000000000000000000000000000000000..8f36af44e33edffca5b830f2a0e26de0cbb05547 --- /dev/null +++ b/Bugfix-for-CVE-2024-35241.patch @@ -0,0 +1,28 @@ +From 7a3ed0f0520d5129c67556f883f4f7d03eff1ca9 Mon Sep 17 00:00:00 2001 +From: root +Date: Thu, 1 Aug 2024 10:37:47 +0800 +Subject: [PATCH] Bugfix for CVE-2024-35241 + +--- + src/Composer/Downloader/GitDownloader.php | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/Composer/Downloader/GitDownloader.php b/src/Composer/Downloader/GitDownloader.php +index 0840219..b29782d 100644 +--- a/src/Composer/Downloader/GitDownloader.php ++++ b/src/Composer/Downloader/GitDownloader.php +@@ -294,9 +294,9 @@ public function getUnpushedChanges(PackageInterface $package, string $path): ?st + $unpushedChanges = null; + } + foreach ($remoteBranches as $remoteBranch) { +- $command = sprintf('git diff --name-status %s...%s --', $remoteBranch, $branch); ++ $command = ['git', 'diff', '--name-status', $remoteBranch.'...'.$branch, '--']; + if (0 !== $this->process->execute($command, $output, $path)) { +- throw new \RuntimeException('Failed to execute ' . $command . "\n\n" . $this->process->getErrorOutput()); ++ throw new \RuntimeException('Failed to execute ' . implode(' ', $command) . "\n\n" . $this->process->getErrorOutput()); + } + + $output = trim($output); +-- +2.27.0 + diff --git a/Bugfix-for-CVE-2024-35242.patch b/Bugfix-for-CVE-2024-35242.patch new file mode 100644 index 0000000000000000000000000000000000000000..71356f5c8f6d6cd09a5ddc92773abcd1614d121d --- /dev/null +++ b/Bugfix-for-CVE-2024-35242.patch 
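Review bot: The new patch file carries `From: root` and no pointer to the upstream change, so once it is applied with `git am` the backport's origin is unrecoverable from the patch itself and lives only in a comment in composer.spec. Add an origin line to the patch description under the Subject, e.g. `Upstream: https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704`, and regenerate it with the upstream author so the provenance survives. The GitDownloader hunk itself is sound: building `['git', 'diff', '--name-status', $remoteBranch.'...'.$branch, '--']` as an argv list removes the shell from the path of the remote branch name, which is the injection vector. What I cannot confirm from here is that this single two-line hunk is the whole of the referenced upstream commit, nor that `ProcessExecutor::execute()` in the 2.7.1 tarball accepts a list (the 35242 tests in this same change use the list form, which suggests it does); both are worth checking before the build is tagged. `getUnpushedChanges()` continues outside the hunk.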
@@ -0,0 +1,94 @@ +From b7961dc0931a74cda7d92ee40399bf9bcc0e5d71 Mon Sep 17 00:00:00 2001 +From: root +Date: Wed, 31 Jul 2024 16:17:06 +0800 +Subject: [PATCH] Bugfix for CVE-2024-35242 + +--- + src/Composer/Package/Version/VersionGuesser.php | 15 ++++++++------- + .../Test/Package/Version/VersionGuesserTest.php | 6 +++--- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/src/Composer/Package/Version/VersionGuesser.php b/src/Composer/Package/Version/VersionGuesser.php +index 2b2b197..72fc799 100644 +--- a/src/Composer/Package/Version/VersionGuesser.php ++++ b/src/Composer/Package/Version/VersionGuesser.php +@@ -173,7 +173,7 @@ private function guessGitVersion(array $packageConfig, string $path): array + $featurePrettyVersion = $prettyVersion; + + // try to find the best (nearest) version branch to assume this feature's version +- $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'git rev-list %candidate%..%branch%', $path); ++ $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['git', 'rev-list', '%candidate%..%branch%'], $path); + $version = $result['version']; + $prettyVersion = $result['pretty_version']; + } +@@ -248,7 +248,7 @@ private function guessHgVersion(array $packageConfig, string $path): ?array + $branches = array_map('strval', array_keys($driver->getBranches())); + + // try to find the best (nearest) version branch to assume this feature's version +- $result = $this->guessFeatureVersion($packageConfig, $version, $branches, 'hg log -r "not ancestors(\'%candidate%\') and ancestors(\'%branch%\')" --template "{node}\\n"', $path); ++ $result = $this->guessFeatureVersion($packageConfig, $version, $branches, ['hg', 'log', '-r', 'not ancestors(\'%candidate%\') and ancestors(\'%branch%\')', '--template', '"{node}\\n"'], $path); + $result['commit'] = ''; + $result['feature_version'] = $version; + $result['feature_pretty_version'] = $version; +@@ -261,13 +261,12 @@ private function 
guessHgVersion(array $packageConfig, string $path): ?array + + /** + * @param array $packageConfig +- * @param string[] $branches +- * +- * @phpstan-param non-empty-string $scmCmdline ++ * @param list $branches ++ * @param list $scmCmdline + * + * @return array{version: string|null, pretty_version: string|null} + */ +- private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, string $scmCmdline, string $path): array ++ private function guessFeatureVersion(array $packageConfig, ?string $version, array $branches, array $scmCmdline, string $path): array + { + $prettyVersion = $version; + +@@ -309,7 +308,9 @@ private function guessFeatureVersion(array $packageConfig, ?string $version, arr + continue; + } + +- $cmdLine = str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $scmCmdline); ++ $cmdLine = array_map(static function (string $component) use ($candidate, $branch) { ++ return str_replace(['%candidate%', '%branch%'], [$candidate, $branch], $component); ++ }, $scmCmdline); + $promises[] = $this->process->executeAsync($cmdLine, $path)->then(function (Process $process) use (&$length, &$version, &$prettyVersion, $candidateVersion, &$promises): void { + if (!$process->isSuccessful()) { + return; +diff --git a/tests/Composer/Test/Package/Version/VersionGuesserTest.php b/tests/Composer/Test/Package/Version/VersionGuesserTest.php +index 2e59afe..a55244a 100644 +--- a/tests/Composer/Test/Package/Version/VersionGuesserTest.php ++++ b/tests/Composer/Test/Package/Version/VersionGuesserTest.php +@@ -117,7 +117,7 @@ public function testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF + 'stdout' => " arbitrary $commitHash Commit message\n* feature $anotherCommitHash Another message\n", + ], + [ +- 'cmd' => 'git rev-list arbitrary..feature', ++ 'cmd' => ['git', 'rev-list', 'arbitrary..feature'], + 'stdout' => "$anotherCommitHash\n", + ], + ], true); +@@ -147,7 +147,7 @@ public function 
testGuessVersionReadsAndRespectsNonFeatureBranchesConfigurationF + 'stdout' => " latest-testing $commitHash Commit message\n* feature $anotherCommitHash Another message\n", + ], + [ +- 'cmd' => 'git rev-list latest-testing..feature', ++ 'cmd' => ['git', 'rev-list', 'latest-testing..feature'], + 'stdout' => "$anotherCommitHash\n", + ], + ], true); +@@ -352,7 +352,7 @@ public function testRemoteBranchesAreSelected(): void + "remotes/origin/1.5 03a15d220da53c52eddd5f32ffca64a7b3801bea Commit message\n", + ], + [ +- 'cmd' => 'git rev-list remotes/origin/1.5..feature-branch', ++ 'cmd' => ['git', 'rev-list', 'remotes/origin/1.5..feature-branch'], + 'stdout' => "\n", + ], + ], true); +-- +2.27.0 + diff --git a/composer-2.5.5-c7cffaa.tgz b/composer-2.5.5-c7cffaa.tgz deleted file mode 100644 index b0950f70d46bdb5f8e59c173e201df41b2e826e9..0000000000000000000000000000000000000000 Binary files a/composer-2.5.5-c7cffaa.tgz and /dev/null differ diff --git a/composer-2.7.1-aaf6ed5.tgz b/composer-2.7.1-aaf6ed5.tgz new file mode 100644 index 0000000000000000000000000000000000000000..1eb65e93cb0356d8e38f21ffcc2de87ecbfecb06 Binary files /dev/null and b/composer-2.7.1-aaf6ed5.tgz differ diff --git a/composer-bash-completion b/composer-bash-completion index c7e5ec9444b3ed03563a796d453fbd91426b28ea..d9af6f65221ce3d48ecb2c2b0e195eb1956e4a71 100644 --- a/composer-bash-completion +++ b/composer-bash-completion @@ -25,7 +25,7 @@ _sf_composer() { local cur prev words cword _get_comp_words_by_ref -n := cur prev words cword - local completecmd=("$sf_cmd" "_complete" "--no-interaction" "-sbash" "-c$cword" "-S2.5.5") + local completecmd=("$sf_cmd" "_complete" "--no-interaction" "-sbash" "-c$cword" "-S2.7.1") for w in ${words[@]}; do w=$(printf -- '%b' "$w") # remove quotes from typed values diff --git a/composer-rpm.patch b/composer-rpm.patch index 85536c96e1da318ec245d3c5e461c88dc41fd451..162dcddaeae6fd96cb2d891d689c5a79e5aa45e5 100644 --- a/composer-rpm.patch +++ b/composer-rpm.patch 
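Review bot: In the guessHgVersion hunk the template element `'"{node}\\n"'` now reaches hg with its double quotes intact, because there is no shell left to strip them, so hg prints `"<node>"` per line rather than the bare node id; the old string form had the shell remove them. If guessFeatureVersion only compares output sizes this is harmless, but that comparison continues outside the hunk and I cannot confirm it from here; if any caller reads the text, change the element to `'--template', '{node}\\n'` (hg still receives the backslash-n escape it expects). Also worth a comment on the revset element: `%candidate%` and `%branch%` are still interpolated into `not ancestors('…') and ancestors('…')`, so a branch name containing a single quote can still alter the revset — no longer a shell injection, but a caveat to note, e.g. `// names are substituted into an hg revset string; quoting there is hg's, not the shell's`. The `guessGitVersion` and `guessFeatureVersion` bodies both extend beyond the hunks shown.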
@@ -1,6 +1,6 @@ diff -up ./bin/composer.rpm ./bin/composer ---- ./bin/composer.rpm 2023-03-21 15:42:18.000000000 +0100 -+++ ./bin/composer 2023-03-21 15:53:50.082632518 +0100 +--- ./bin/composer.rpm 2023-09-01 11:05:16.000000000 +0200 ++++ ./bin/composer 2023-09-01 11:05:28.156309389 +0200 @@ -11,7 +11,7 @@ if (PHP_VERSION_ID < 70205) { } @@ -11,9 +11,9 @@ diff -up ./bin/composer.rpm ./bin/composer use Composer\Console\Application; use Composer\XdebugHandler\XdebugHandler; diff -up ./src/Composer/Autoload/AutoloadGenerator.php.rpm ./src/Composer/Autoload/AutoloadGenerator.php ---- ./src/Composer/Autoload/AutoloadGenerator.php.rpm 2023-03-21 15:42:18.000000000 +0100 -+++ ./src/Composer/Autoload/AutoloadGenerator.php 2023-03-21 15:53:50.082632518 +0100 -@@ -431,7 +431,7 @@ EOF; +--- ./src/Composer/Autoload/AutoloadGenerator.php.rpm 2023-09-01 11:05:16.000000000 +0200 ++++ ./src/Composer/Autoload/AutoloadGenerator.php 2023-09-01 11:05:28.156309389 +0200 +@@ -448,7 +448,7 @@ EOF; $filesystem->filePutContentsIfModified($targetDir.'/autoload_real.php', $this->getAutoloadRealFile(true, (bool) $includePathFileContents, $targetDirLoader, (bool) $includeFilesFileContents, $vendorPathCode, $appBaseDirCode, $suffix, $useGlobalIncludePath, $prependAutoloader, $checkPlatform)); $filesystem->safeCopy(__DIR__.'/ClassLoader.php', $targetDir.'/ClassLoader.php'); @@ -23,8 +23,8 @@ diff -up ./src/Composer/Autoload/AutoloadGenerator.php.rpm ./src/Composer/Autolo if ($this->runScripts) { $this->eventDispatcher->dispatchScript(ScriptEvents::POST_AUTOLOAD_DUMP, $this->devMode, [], [ diff -up ./src/Composer/Compiler.php.rpm ./src/Composer/Compiler.php ---- ./src/Composer/Compiler.php.rpm 2023-03-21 15:42:18.000000000 +0100 -+++ ./src/Composer/Compiler.php 2023-03-21 15:53:50.082632518 +0100 +--- ./src/Composer/Compiler.php.rpm 2023-09-01 11:05:16.000000000 +0200 ++++ ./src/Composer/Compiler.php 2023-09-01 11:05:28.156309389 +0200 
@@ -105,7 +105,7 @@ class Compiler // Add Composer resources $finder = new Finder(); @@ -35,8 +35,8 @@ diff -up ./src/Composer/Compiler.php.rpm ./src/Composer/Compiler.php ; foreach ($finder as $file) { diff -up ./src/Composer/InstalledVersions.php.rpm ./src/Composer/InstalledVersions.php ---- ./src/Composer/InstalledVersions.php.rpm 2023-03-21 15:42:18.000000000 +0100 -+++ ./src/Composer/InstalledVersions.php 2023-03-21 15:55:07.748460545 +0100 +--- ./src/Composer/InstalledVersions.php.rpm 2023-09-01 11:05:16.000000000 +0200 ++++ ./src/Composer/InstalledVersions.php 2023-09-01 11:05:28.156309389 +0200 @@ -266,7 +266,7 @@ class InstalledVersions if (null === self::$installed) { // only require the installed.php file if this file is loaded from its dumped location, @@ -56,8 +56,8 @@ diff -up ./src/Composer/InstalledVersions.php.rpm ./src/Composer/InstalledVersio $required = require __DIR__ . '/installed.php'; self::$installed = $required; diff -up ./src/Composer/Json/JsonFile.php.rpm ./src/Composer/Json/JsonFile.php ---- ./src/Composer/Json/JsonFile.php.rpm 2023-03-21 15:42:18.000000000 +0100 -+++ ./src/Composer/Json/JsonFile.php 2023-03-21 15:53:50.082632518 +0100 +--- ./src/Composer/Json/JsonFile.php.rpm 2023-09-01 11:05:16.000000000 +0200 ++++ ./src/Composer/Json/JsonFile.php 2023-09-01 11:06:16.767233012 +0200 @@ -40,7 +40,7 @@ class JsonFile /** @deprecated Use \JSON_UNESCAPED_UNICODE */ public const JSON_UNESCAPED_UNICODE = 256; @@ -65,9 +65,9 @@ diff -up ./src/Composer/Json/JsonFile.php.rpm ./src/Composer/Json/JsonFile.php - public const COMPOSER_SCHEMA_PATH = __DIR__ . '/../../../res/composer-schema.json'; + public const COMPOSER_SCHEMA_PATH = '/usr/share/composer/res/composer-schema.json'; - /** @var string */ - private $path; -@@ -223,7 +223,7 @@ class JsonFile + public const INDENT_DEFAULT = ' '; + +@@ -229,7 +229,7 @@ class JsonFile $isComposerSchemaFile = false; if (null === $schemaFile) { $isComposerSchemaFile = true; 
@@ -77,8 +77,8 @@ diff -up ./src/Composer/Json/JsonFile.php.rpm ./src/Composer/Json/JsonFile.php // Prepend with file:// only when not using a special schema already (e.g. in the phar) diff -up ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php.rpm ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php ---- ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php.rpm 2023-01-11 09:27:00.000000000 +0100 -+++ ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php 2023-03-21 15:53:50.083632516 +0100 +--- ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php.rpm 2023-08-30 11:31:38.000000000 +0200 ++++ ./src/Composer/vendor/composer/ca-bundle/src/CaBundle.php 2023-09-01 11:05:28.156309389 +0200 @@ -125,7 +125,7 @@ class CaBundle */ public static function getBundledCaBundlePath() diff --git a/composer.spec b/composer.spec index e364a3fe1d0a7e553d52045680e90456210d13ab..8aed019d25fcc239e3117a6e0172f5b82ac0b0ea 100644 --- a/composer.spec +++ b/composer.spec @@ -1,15 +1,15 @@ -%define anolis_release 1 +%define anolis_release 3 %undefine __brp_mangle_shebangs -%global gh_commit c7cffaad16a60636a776017eac5bd8cd0095c32f +%global gh_commit aaf6ed5ccd27c23f79a545e351b4d7842a99d0bc %global gh_short %(c=%{gh_commit}; echo ${c:0:7}) %global gh_branch 2.0-dev %global gh_owner composer %global gh_project composer -%global api_version 2.3.0 +%global api_version 2.6.0 %global run_version 2.2.2 -%global upstream_version 2.5.5 +%global upstream_version 2.7.1 %global _phpunit %{_bindir}/phpunit9 %global bashcompdir %(pkg-config --variable=completionsdir bash-completion 2>/dev/null) 
@@ -39,6 +39,16 @@ Patch1: %{name}-noxdg.patch # Use Aliyun mirror by default Patch10: composer-add-aliyun-repository.patch +# CVE-2024-35242 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-35242 +# Upstream fix: https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 +Patch11: Bugfix-for-CVE-2024-35242.patch + +# CVE-2024-35241 +# Tracking bug: https://security-tracker.debian.org/tracker/CVE-2024-35241 +# Upstream fix: https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704 +Patch12: Bugfix-for-CVE-2024-35241.patch + BuildArch: noarch # platform set in makesrc.sh BuildRequires: php(language) >= 7.2.5 @@ -220,6 +230,15 @@ install -Dpm 755 bin/%{name} %{buildroot}%{_bindir}/%{name} %doc composer.json %changelog +* Thu Aug 01 2024 lidongyue 2.7.1-3 +- Fix CVE-2024-35241 + +* Wed Jul 31 2024 lidongyue 2.7.1-2 +- Fix CVE-2024-35242 + +* Mon May 6 2024 yangxinyu - 2.7.1-1 +- New version 2.7.1 + * Thu Mar 30 2023 Funda Wang - 2.5.5-1 - New version 2.5.5
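Review bot: Patch11 and Patch12 are declared here, but nothing in this hunk applies them and `%prep` is outside the view; if that section does not use `%autosetup -p1` (or carries explicit `%patch -P11 -p1` and `%patch -P12 -p1` lines), the build ships 2.7.1 unpatched while the changelog claims both CVEs are fixed. Please confirm the patches are applied and that `%check` runs the VersionGuesser tests that the 35242 backport modifies, since those are the only regression coverage for it. The "Upstream fix" comments give the commit hashes, which is good; the patch files themselves do not, so keeping the two in sync is manual — consider pointing the comment at the local patch's origin line once one is added. Finally, both advisories were addressed upstream in a later 2.7.x release; backporting them onto 2.7.1 is reasonable, but check whether any other advisory landed between 2.7.1 and that release before treating the package as current.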