Code Quality Rank: L5
Programming language: PHP
License: MIT License
Latest version: v0.3.0


Composer Checker

A simple tool for various composer related checks and validations.


$ php bin/composer-checker

Available commands:
  help         Displays help for a command
  list         Lists commands
  check:dist   Matching the dist urls in a composer.lock file against some patterns.
  check:src    Matching the src urls in a composer.lock file against some patterns.
  remove:dist   Removing dist urls from a composer.lock file.
  remove:src    Removing src urls from a composer.lock file.

Check: Dist-Urls

This check validates the dist URLs in a composer.lock file. When you use a Satis mirror for your packages, external dist URLs in your composer.lock file might break your CI/deployment.

Simply run this command to check against the url "satis.example.com":

$ php bin/composer-checker check:dist -p "satis.example.com" composer.lock
 --- Invalid urls found ---
| Package         | Dist-URL                                                                                      |
| symfony/console | https://api.github.com/repos/symfony/Console/zipball/00848d3e13cf512e77c7498c2b3b0192f61f4b18 |

The output shows which packages do not comply with the given URL pattern, which is basically just a regex. A positive example with a more complex regex:

$ php bin/composer-checker check:dist -p "^https://api.github.com/repos/(.+)/(.+)/zipball/([a-f0-9]+)$" composer.lock
All urls valid.

It is also possible to enforce "https"-only dist URLs with a pattern like this:

$ php bin/composer-checker check:dist -p "^https://" composer.lock

Allowing empty or missing dist urls can be done with the --allow-empty switch.

Check: Source-Urls

Parallel to the dist urls, the source urls can be checked too.

$ php bin/composer-checker check:src -p "[email protected]/foo.git" composer.lock

Allowing empty or missing source urls can be done with the --allow-empty switch.
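
Because the pattern is a regex, an unanchored pattern such as "satis.example.com" also accepts any URL that merely contains that text, and it does not enforce the scheme. The following is an added example, not Composer Checker's own code, that applies the dist/source check to a constructed lock file to show the difference an anchored pattern makes. It assumes search-style matching, as the patterns above suggest; SAMPLE_LOCK, the acme/* packages and find_invalid_urls are made up for illustration.

```python
import json
import re

# Constructed composer.lock excerpt (not from the page); only the keys the check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/mirrored",
         "dist": {"type": "zip", "url": "https://satis.example.com/dist/acme-mirrored.zip"},
         "source": {"type": "git", "url": "https://git.example.com/acme/mirrored.git"}},
        {"name": "acme/lookalike",
         "dist": {"type": "zip", "url": "https://mirror.example.net/satis.example.com/x.zip"}},
        {"name": "acme/plain-http",
         "dist": {"type": "zip", "url": "http://satis.example.com/dist/acme-plain.zip"}},
    ],
    "packages-dev": [
        {"name": "acme/no-dist",
         "source": {"type": "git", "url": "https://git.example.com/acme/no-dist.git"}},
    ],
})


def find_invalid_urls(lock_text, pattern, kind="dist", allow_empty=False):
    """Return [(package, url)] for entries whose `kind` URL does not match `pattern`.

    Assumption: the pattern may match anywhere in the URL unless it is anchored,
    as the "satis.example.com" and "^https://" patterns on the page suggest.
    `kind` is "dist" or "source", the two per-package keys in composer.lock.
    """
    lock = json.loads(lock_text)
    regex = re.compile(pattern)
    invalid = []
    for section in ("packages", "packages-dev"):
        for package in lock.get(section) or []:
            url = (package.get(kind) or {}).get("url") or ""
            if not url:
                # Missing or empty URL: only a finding when empties are not allowed.
                if not allow_empty:
                    invalid.append((package["name"], ""))
            elif not regex.search(url):
                invalid.append((package["name"], url))
    return invalid


if __name__ == "__main__":
    # The loose pattern reports nothing; the anchored one flags two packages.
    for pattern in ("satis.example.com", r"^https://satis\.example\.com/"):
        print(pattern, "->", find_invalid_urls(SAMPLE_LOCK, pattern, allow_empty=True))
```

Anchoring the pattern to scheme and host, with the dots escaped, is what makes the look-alike path and the plain-http URL show up as invalid.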

Remove: Dist-Urls

This command removes distribution URLs from a given composer.lock file, forcing composer to install all packages from "source".

Specific patterns such as "jquery.com" can be excluded with --except. URLs matching them will not be removed.

$ php bin/composer-checker remove:dist -e jquery.com composer.lock

Remove: Source-Urls

This works the same as its remove:dist counterpart, removing the "source" entries from a given composer.lock file.

$ php bin/composer-checker remove:src -e jquery.com composer.lock

This command can be very useful for automated deployment: if a package mirror like Satis, holding "dist" copies, is not available, composer will silently fall back to using "source" packages, creating an unnoticed dependency between production and the VCS. Removing all the "source" entries from a composer.lock file forces composer to use only the "dist" URLs or stop with a failure.


The license can be found here: [LICENSE](LICENSE)
