Last update: Apr 11, 2021

Composer Checker

A simple tool for various composer related checks and validations.


$ php bin/composer-checker

Available commands:
  help         Displays help for a command
  list         Lists commands
  check:dist   Matching the dist urls in a composer.lock file against some patterns.
  check:src    Matching the src urls in a composer.lock file against some patterns.
  remove:dist  Removing dist urls from a composer.lock file.
  remove:src   Removing src urls from a composer.lock file.

Check: Dist-Urls

This check validates the dist URLs in a composer.lock file. When you serve your packages from a Satis mirror, external dist URLs left in composer.lock can break your CI or deployment.

Simply run this command to check against the url "":

$ php bin/composer-checker check:dist -p "" composer.lock
 --- Invalid urls found ---
| Package         | Dist-URL                                                                                      |
| symfony/console | |

The output lists the packages whose dist URL does not match the given pattern, which is basically just a regex. A positive example with a more complex regex:

$ php bin/composer-checker check:dist -p "^[a-f0-9]+)$" composer.lock
All urls valid.

It is also possible to enforce "https"-only dist URLs with a pattern like this:

$ php bin/composer-checker check:dist -p "^https://" composer.lock

Allowing empty or missing dist urls can be done with the --allow-empty switch.

Check: Source-Urls

The source URLs can be checked in the same way as the dist URLs.

$ php bin/composer-checker check:src -p "[email protected]/foo.git" composer.lock

Allowing empty or missing source urls can be done with the --allow-empty switch.

Remove: Dist-Urls

This command removes the distribution URLs from a given composer.lock file, forcing composer to install all packages from "source".

Specific patterns like "" can be excluded with --except. URLs matching them will not be removed.

php bin/composer-checker remove:dist -e composer.lock

Remove: Source-Urls

This works the same way as its remove:dist counterpart: it removes the "source" entries from a given composer.lock file.

php bin/composer-checker remove:src -e composer.lock

This command can be very useful for automated deployments. If a package mirror like Satis, holding the "dist" copies, is not available, composer will silently fall back to using "source" packages, creating an unnoticed dependency between production and the VCS. Removing all the "source" entries from a composer.lock file forces composer to use only the "dist" URLs or stop with a failure.
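
The checks and removals described above, sketched in Python against a constructed composer.lock excerpt. This is an added example, not Composer Checker's own code: the function names, hosts and package names are hypothetical, and it assumes that patterns are matched as unanchored regex searches and that removal deletes the whole "dist" or "source" entry.

```python
import json
import re

# Constructed composer.lock excerpt; hosts and package names are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "acme/mirrored", "version": "1.0.0",
     "source": {"type": "git", "url": "https://vcs.example.test/acme/mirrored.git", "reference": "aaa111"},
     "dist": {"type": "zip", "url": "https://satis.example.test/dist/acme-mirrored-1.0.0.zip", "reference": "aaa111"}},
    {"name": "acme/external", "version": "2.1.0",
     "source": {"type": "git", "url": "https://vcs.example.test/acme/external.git", "reference": "bbb222"},
     "dist": {"type": "zip", "url": "http://downloads.example.test/acme-external-2.1.0.zip", "reference": "bbb222"}}
  ],
  "packages-dev": [
    {"name": "acme/source-only", "version": "0.3.0",
     "source": {"type": "git", "url": "https://vcs.example.test/acme/source-only.git", "reference": "ccc333"}}
  ]
}
""")

def iter_packages(lock):
    """Yield every locked package, production and dev."""
    for section in ("packages", "packages-dev"):
        yield from lock.get(section) or []

def check_urls(lock, kind, pattern, allow_empty=False):
    """Return (package, url) pairs whose `kind` ("dist" or "source") URL fails the regex."""
    regex = re.compile(pattern)
    invalid = []
    for pkg in iter_packages(lock):
        url = (pkg.get(kind) or {}).get("url") or ""
        if not url:
            if not allow_empty:  # a missing URL counts as a violation by default
                invalid.append((pkg["name"], ""))
        elif not regex.search(url):
            invalid.append((pkg["name"], url))
    return invalid

def remove_urls(lock, kind, except_pattern=None):
    """Delete `kind` entries in place unless the URL matches except_pattern; return changed names."""
    keep = re.compile(except_pattern) if except_pattern else None
    changed = []
    for pkg in iter_packages(lock):
        url = (pkg.get(kind) or {}).get("url") or ""
        if kind in pkg and not (keep and keep.search(url)):
            del pkg[kind]
            changed.append(pkg["name"])
    return changed
```

In a CI job, a non-empty result from check_urls is the condition that should fail the build. After remove_urls(lock, "source"), a package such as acme/source-only has no origin left, so an install stops instead of reaching the VCS.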


The license can be found here: LICENSE

You might also like...
  • 1. Adding Command to remove DIST and SOURCE Urls

    Till this feature is missing, try to implement the following:

    Provide commands like "remove:src" and "remove:dist" that remove all DIST or SOURCE Urls from a package of a composer.lock file, to avoid composer using these.

    Possible Options:

    --except "regex" Will not remove a url, if it matches given regex.

    Reviewed by h4cc at 2014-06-29 19:28