cevinio / production-dependencies-guard
Prevents adding of development packages into require-section (should be require-dev).
Installs: 3 174
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Type:composer-plugin
Requires
- php: >=8.0
- composer-plugin-api: ^1.0|^2.0
- ext-json: *
Requires (Dev)
- ext-xdebug: *
- composer/composer: ^1.0|^2.0
- dealerdirect/phpcodesniffer-composer-installer: ^0.7.2
- infection/infection: ^0.26
- phpcompatibility/php-compatibility: ^9.3
- phpunit/phpunit: ^9.5
- rregeer/phpunit-coverage-check: ^0.3
- squizlabs/php_codesniffer: ^3.7
This package is auto-updated.
Last update: 2025-03-26 16:27:42 UTC
README
Prevents development packages from being added into require and getting into production environment. In practical field
prevents e.g. debug tool-bars deployment into production environments.
Additionally, you can configure the guard to decline packages with missing/unfit license, abandoned or mentioning debug
in description and analyze packages on basis of composer.lock (deeper analysis).
This repository was forked from kalessil/production-dependencies-guard because it is unmaintained.
Credits go to Vladimir Reznichenko for creating the original production dependency guard.
Installation
composer require --dev cevinio/production-dependencies-guard:dev-main
Configuration
Additional guard checks can be enabled in the top-level composer.json file:
{
"name": "...",
"extra": {
"production-dependencies-guard": [
"check-lock-file",
"check-description",
"check-license",
"check-abandoned",
"white-list:vendor/package-one",
"white-list:vendor/package-two:abandoned,description",
"accept-license:MIT",
"accept-license:proprietary"
]
}
}
white-list:<package>adds a package to white-list, so it's not getting reported in spite of violationswhite-list:<package>:<guard>,...adds a package to white-list only for the specified guardscheck-lock-fileuses composer.lock instead of composer.json, allowing deeper dependencies analysischeck-descriptionenables description and keywords analysis (searchesdebug), allowing to detect custom dev-packagescheck-abandonedenables abandoned packages checkingcheck-licenseenables license checking (packages must provide license information)accept-license:<license>specifies which licenses should be accepted (if the setting omitted, any license incl. proprietary)
Usage
When the package is added to require-dev section of your composer.json file ("cevinio/production-dependencies-guard": "dev-main"),
it'll prevent adding dev-packages into require section. Since dev-packages has no security guaranties
(not intended for production use, only development purposes), this also improves your application security.
composer require --dev cevinio/production-dependencies-guard:dev-main
composer require phpunit/phpunit:*
# it should be `composer require --dev phpunit/phpunit:*` here
will run with an error (profit!):
./composer.json has been updated
Installation failed, reverting ./composer.json to its original content.
[RuntimeException]
Dependencies guard has found violations in require-dependencies (source: manifest):
- phpunit/phpunit: dev-package-name
Stability
This package is only available in its dev-main version: according to the package purpose.