This PR aims to get a coding standard into the project to improve readability and maintainability. I chose doctrine/coding-standard but if wanted we can switch the cs rules or require slevomat/coding-standard or squizlabs/php_codesniffer directly. Also adding / removing rules should be no problem.

At the moment I only installed the package and let phpcbf auto fix the issues that could be fixed. But there are plenty more cs issues to work on.

But before i work more on this i would get your opinion on this topic @Ocramius @maglnet :) I would also add it to the CI and maybe remove the scrutinizer config.

It seems that currently only packages used directly in require section are considered. There are multiple cases when packages are optional dependency and as such are only present in suggest (and possibly also require-dev) section. These are currently reported as missing dependency, although they are not hard dependency.

We encounter some strange behavior lately. On some projects/libraries, the checker returns the following error:

$ vendor/bin/composer-require-checker
ComposerRequireChecker 2.1.0@0c66698d487fcb5c66cf07108e2180c818fb2e72

In ParserAbstract.php line 315:

  Syntax error, unexpected T_MATCH on line 15


check [--config-file CONFIG-FILE] [--ignore-parse-errors] [--] [<composer-json>]

It seems to be somehow related to PHPunit when it is installed as non-dev dependency. Psalm also had a similar problem but fixed it already: https://github.com/vimeo/psalm/issues/3901

The error disappears when I remove the extends Match from \PHPUnit\Framework\MockObject\Builder\ParametersMatch lins 15.

Anyone has a clue what's going on there?

There are some frameworks that store installed packages somewhere outside the vendor folder. E.g. TYPO3 CMS stored their extensions (installed via composer) somewhere else. Those are reported as missing with default setup:

ComposerRequireChecker 2.1.0@0c66698d487fcb5c66cf07108e2180c818fb2e72
The following unknown symbols were found:
+---------------------------------------------------------+--------------------+
| unknown symbol                                          | guessed dependency |
+---------------------------------------------------------+--------------------+
| TYPO3\CMS\Core\Context\Context                          |                    |
| TYPO3\CMS\Core\Database\Connection                      |                    |
| TYPO3\CMS\Core\Database\Query\QueryBuilder              |                    |
| TYPO3\CMS\Core\Routing\PageArguments                    |                    |
| TYPO3\CMS\Core\Site\Entity\SiteLanguage                 |                    |
| TYPO3\CMS\Core\Site\SiteFinder                          |                    |
| TYPO3\CMS\Core\Utility\ArrayUtility                     |                    |
| TYPO3\CMS\Dashboard\Widgets\AbstractBarChartWidget      |                    |
| TYPO3\CMS\Dashboard\Widgets\AbstractDoughnutChartWidget |                    |
| TYPO3\CMS\Dashboard\Widgets\AbstractListWidget          |                    |
+---------------------------------------------------------+--------------------+

I wonder why the auto generated files vendor/composer/autoload_*.php are not used to find all files. That should find the files as these are generated with the concrete installation path.

Example of vendor/composer/autoload_psr4.php with some TYPO3 extensions (concrete paths can be different depending on options in composer.json):

<?php

// autoload_psr4.php @generated by Composer

$vendorDir = dirname(dirname(__FILE__));
$baseDir = dirname($vendorDir);

return array(
    'phpDocumentor\\Reflection\\' => array($vendorDir . '/phpdocumentor/reflection-common/src', $vendorDir . '/phpdocumentor/reflection-docblock/src', $vendorDir . '/phpdocumentor/type-resolver/src'),
    // ...
    'TYPO3\\CMS\\Recordlist\\' => array($baseDir . '/.Build/web/typo3/sysext/recordlist/Classes'),
    'TYPO3\\CMS\\Frontend\\' => array($baseDir . '/.Build/web/typo3/sysext/frontend/Classes'),
    'TYPO3\\CMS\\Fluid\\' => array($baseDir . '/.Build/web/typo3/sysext/fluid/Classes'),
    'TYPO3\\CMS\\Extbase\\' => array($baseDir . '/.Build/web/typo3/sysext/extbase/Classes'),
    'TYPO3\\CMS\\Dashboard\\' => array($baseDir . '/.Build/web/typo3/sysext/dashboard/Classes'),
    'TYPO3\\CMS\\Core\\' => array($baseDir . '/.Build/web/typo3/sysext/core/Classes'),
    'TYPO3\\CMS\\Backend\\' => array($baseDir . '/.Build/web/typo3/sysext/backend/Classes'),
   // ...

Is there any chance to chance the detection of files to parse in future? Or is there an official way to support these situations?

I guess the issue should be consistent between all those libraries that use an "own installer": https://github.com/composer/installers/tree/master/src/Composer/Installers. Same situation might happen for some projects like code sniffer and others that have their own custom installers, that move vendor code to some other folders.

As far as I can see, right now the following line should be adjusted: https://github.com/maglnet/ComposerRequireChecker/blob/57cbad2ad328b20f01f3ae818d379b6aa6ec3a32/src/ComposerRequireChecker/FileLocator/LocateComposerPackageDirectDependenciesSourceFiles.php#L23

I'm not experienced yet to give any hints how to retrieve the expected folder by an API.

My CI script is failing without any error message, do you guys have any idea why?

docker compose exec -T my-app-name bash -c 'php -d xdebug.mode=off ./vendor/maglnet/composer-require-checker/bin/composer-require-checker check --output=json > composer-require-check-report.json'

// I already tried variations, always with the same result.

docker compose exec -T my-app-name php -d xdebug.mode=off ./vendor/maglnet/composer-require-checker/bin/composer-require-checker check --output=json > composer-require-check-report.json

docker compose exec -T my-app-name XDEBUG_MODE=off php ./vendor/maglnet/composer-require-checker/bin/composer-require-checker check --output=json > composer-require-check-report.json

docker compose exec -T my-app-name bash -c 'php -d xdebug.mode=off ./vendor/maglnet/composer-require-checker/bin/composer-require-checker check --output=json' > composer-require-check-report.json

docker compose exec -T my-app-name bash -c 'XDEBUG_MODE=off php ./vendor/maglnet/composer-require-checker/bin/composer-require-checker check --output=json > composer-require-check-report.json'

As mentioned, the command is executing correctly and the file is generated at the end.

The command works well locally (and apparently works well in the runner too, I just don't know why the job is failing.

PHP7.2 is running EOL in 1 month and with this in mind I updated the minimum required PHP version. I went up to 7.4.* as I think its not really worth to also maintain for PHP 7.3. But we can, if you want, go down to 7.3.

I also updated all dependencies to the newest minor versions and PHPUnit up to ^9.4.0.

Doesn't even need to be automatic, if that became configurable instead of using the harcoded vendor here https://github.com/maglnet/ComposerRequireChecker/blob/master/src/ComposerRequireChecker/FileLocator/LocateComposerPackageDirectDependenciesSourceFiles.php#L15

that would be super helpful :)

If that's something you can agree with I could look into creating a PR.

It could be really nice if a Docker image was provided, so that one could use a command like

docker run -v $(pwd):/app compoesrrequirechecker

to run the executable

Many dev tools are using cache files (e.g. PHPCSFixer, PHPUnit, PHPStan, Psalm, Deptrac and others), giving us performance boost locally and on CI. Look at this image, where the first run is without cache, and the second run is with cache files used for dev tools:

As you can see, caching can save us minutes or tens of minutes, depending on the project size (as an example, look at the PHP Code Style column, which is PHPCSFixer, that saves 3m 43s with cache being used.

On the other side, please look at the "Check Required Packages" column, where cache is not used - it always takes ~1m, which is too much.

Is it possible to introduce some level of caching, and for example check only changed files?

If this feature is going to be implemented, please consider have an option to define where the cache file should be located, like:

--cache-file=custom/path/to/cache/.php_cs.cache

current implementation tries to "guess" the path a required package was installed to. see https://github.com/maglnet/ComposerRequireChecker/blob/b3cd6d30e2335997c5eabb19e3f01d699bc06caa/src/ComposerRequireChecker/FileLocator/LocateComposerPackageDirectDependenciesSourceFiles.php#L33

this might be correct for the most time, but in general this "guessing" seams like a lucky shot. ISSUE: In some cases its is just wrong -- especially when a installer-plugin was used. (some frameworks like typo3 do that).

When using composer2: the actual package install path of each required package can be found as install_path in file $vendorDir . '/composer/installed.json' or $vendorDir . '/composer/installed.php' (just as used in https://github.com/maglnet/ComposerRequireChecker/blob/master/src/ComposerRequireChecker/FileLocator/LocateComposerPackageDirectDependenciesSourceFiles.php#L57)

Example:

{
    "packages": [
        {
            "name": "typo3/cms-extbase",
            "version": "v9.5.28",
            "version_normalized": "9.5.28.0",
            "source": {
                "type": "git",
                "url": "https://github.com/TYPO3-CMS/extbase.git",
                "reference": "676336cabfd589c369056c24ab5a2c94ee9f4c1a"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/TYPO3-CMS/extbase/zipball/676336cabfd589c369056c24ab5a2c94ee9f4c1a",
                "reference": "676336cabfd589c369056c24ab5a2c94ee9f4c1a",
                "shasum": ""
            },
            "require": {
                "typo3/cms-core": "9.5.28"
            },
            "conflict": {
                "typo3/cms": "*"
            },
            "suggest": {
                "typo3/cms-scheduler": "Additional scheduler tasks"
            },
            "time": "2021-07-20T09:35:15+00:00",
            "type": "typo3-cms-framework",
            "extra": {
                "typo3/cms": {
                    "Package": {
                        "protected": true,
                        "partOfFactoryDefault": true,
                        "partOfMinimalUsableSystem": true
                    },
                    "extension-key": "extbase"
                },
                "typo3/class-alias-loader": {
                    "class-alias-maps": [
                        "Migrations/Code/ClassAliasMap.php"
                    ]
                }
            },
            "installation-source": "dist",
            "autoload": {
                "psr-4": {
                    "TYPO3\\CMS\\Extbase\\": "Classes/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "GPL-2.0-or-later"
            ],
            "authors": [
                {
                    "name": "TYPO3 Core Team",
                    "email": "[email protected]",
                    "role": "Developer"
                }
            ],
            "description": "A framework to build extensions for TYPO3 CMS.",
            "homepage": "https://typo3.org",
            "support": {
                "source": "https://github.com/TYPO3-CMS/extbase/tree/v9.5.28"
            },
            "install-path": "../../Web/typo3/sysext/extbase"
        }
    ]
}

⚠️ Dependabot is rebasing this PR ⚠️

If you make any changes to it yourself then they will take precedence over the rebase.

Bumps phpstan/phpstan from 0.12.64 to 0.12.80.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @maglnet.

This PR contains the following updates:

| Update | Change | |---|---| | lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: Branch creation - "before 2am" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• [ ] If you want to rebase/retry this PR, check this box

Read more about the use of Renovate Bot within ocramius/* projects.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | phpstan/phpstan | require-dev | patch | ^1.9.4 -> ^1.9.7 | | roave/infection-static-analysis-plugin | require-dev | minor | ^1.27.0 -> ^1.28.0 |

Release Notes

includes:
	- vendor/phpstan/phpstan/conf/bleedingEdge.neon

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

• [ ] If you want to rebase/retry this PR, check this box

Read more about the use of Renovate Bot within ocramius/* projects.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• [ ] Update all non-major dependencies (phpstan/phpstan, roave/infection-static-analysis-plugin)
• [ ] Lock file maintenance

Detected dependencies

• [ ] Check this box to trigger a request for Renovate to run again on this repository

The article in https://www.php.net/manual/en/tokenizer.installation.php says that it's enabled by default. So there is no need to warn about it. Could you remove it?

with code like

		if (defined('CURLOPT_SSL_VERIFYHOST') && $curlOpt === CURLOPT_SSL_VERIFYHOST) {
			return new UnionType([new ConstantIntegerType(0), new ConstantIntegerType(2)]);
		}

the tool properly detects and reports a error:

php build/composer-require-checker.phar check --config-file /home/runner/work/phpstan-src/phpstan-src/build/composer-require-checker.json
ComposerRequireChecker 4.0.0@baa11a4e9e5072117e3d180ef16c07036cafa4a2
The following 1 unknown symbols were found:
+------------------------+--------------------+
| Unknown Symbol         | Guessed Dependency |
+------------------------+--------------------+
| CURLOPT_SSL_VERIFYHOST | ext-curl           |
+------------------------+--------------------+

doing the same within a loop in a "more dynamic" way does not report any errors:

		$boolConstants = [
			'CURLOPT_AUTOREFERER',
			'CURLOPT_COOKIESESSION',
		];
		foreach ($boolConstants as $constName) {
			if (defined($constName) && constant($constName) === $curlOpt) {
				return new BooleanType();
			}
		}

I think - for consistency it would be helpful if the require checker could detect such constant cases.

found this inconsistency while working on https://github.com/phpstan/phpstan-src/pull/1719/

The parser doesn't handle the new "readonly" keyword properly and throws an error:

ComposerRequireChecker 4.0.0@baa11a4e9e5072117e3d180ef16c07036cafa4a2
In LocateASTFromFiles.php line 46:
                                                                               
  Parsing the file [ [...] /main/vendor/google/apiclient-services/src/Fire  
  store/ReadOnly.php] resulted in an error: Syntax error, unexpected T_READON  
  LY, expecting T_STRING on line 20                                            
                                                                               
In ParserAbstract.php line 318:
                                                                      
  Syntax error, unexpected T_READONLY, expecting T_STRING on line 20  
                                                                      
check [--config-file CONFIG-FILE] [--ignore-parse-errors] [--output OUTPUT] [--] [<composer-json>]
BUILD FAILED