* Security: Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders (GHSA-h5h8-pc6h-jvvx / CVE-2021-29472)
* Fixed install step at the end of the init command to take new dependencies into account correctly
* Fixed `update --lock` listing updates which were not really happening (#9812)
* Fixed support for --no-dev combined with --locked in outdated and show commands (#9788)
### [2.0.12] 2021-04-01
* Fixed support for new GitHub OAuth token format (#9757)