qbdigitalsoftware / composer-vendor-checker
Composer plugin to check installed packages for available updates
Package info
github.com/qbdigitalsoftware/composer-vendor-checker
Type:composer-plugin
pkg:composer/qbdigitalsoftware/composer-vendor-checker
Requires
- php: >=8.1
- composer-plugin-api: ^2.0
- ext-json: *
- guzzlehttp/guzzle: ^6.5|^7.0
Requires (Dev)
- composer/composer: ^2.0
- phpunit/phpunit: ^9.5|^10.0
This package is auto-updated.
Last update: 2026-06-22 05:09:24 UTC
README
A Composer plugin that checks installed packages for available updates via three sources: Packagist API (for explicitly listed packages), private Composer repositories (auto-detected from composer.json + auth.json), and vendor website scraping. Packages not configured for any source are reported as UNRESOLVED.
The Problem This Solves
composer update doesn't always show the true latest version of a third-party package. This happens when:
- The vendor hasn't pushed the update to Packagist yet
- The version available through Composer repositories lags behind the vendor's latest release
- The package is distributed via a private Composer repository with restricted access
This tool checks Packagist (for explicitly configured packages), private Composer repos (with auth.json credentials), and vendor websites to give you the complete picture.
Features
- Custom Composer command:
composer vendor:check - Explicit resolution — checks packages via configured sources (Packagist list, private repos, vendor websites)
- Three version sources: Packagist API, private Composer repos, vendor website scraping
- Result caching — avoids redundant HTTP calls within a configurable TTL
- Per-package progress — live progress indicator during checks
- Multiple output formats — table, JSON, CSV
- File output — write results directly to a file
- Auto-detects private repos from composer.json and authenticates via auth.json
- Configurable skip lists — exclude vendors or packages from checks
- Cloudflare bot protection detection with clear error messaging
- Exit codes for CI/CD:
0= all current,1= updates available,2= errors - Concurrent HTTP pre-fetching via Guzzle async for fast checks
Installation
Via Composer (Recommended)
composer require --dev qbdigitalsoftware/composer-vendor-checker
As a Path Repository
composer config repositories.vendor-checker path /path/to/composer-vendor-checker composer require --dev qbdigitalsoftware/composer-vendor-checker
Verify Installation
composer vendor:check --help
Usage
Check All Installed Packages
composer vendor:check
Scans composer.lock and checks every non-skipped package for updates. Check method is determined by config/packages.php: website overrides, private repos (auto-detected), explicit Packagist list, or UNRESOLVED.
Check Specific Packages
composer vendor:check --packages=stripe/stripe-payments,amasty/promo
Check a Single Vendor URL
composer vendor:check --url=https://amasty.com/admin-actions-log-for-magento-2.html
Output Formats
# Table format (default) composer vendor:check # JSON output composer vendor:check --format=json # CSV output composer vendor:check --format=csv # Legacy JSON alias composer vendor:check --json
Write to File
composer vendor:check --format=csv --output=report.csv composer vendor:check --format=json --output=versions.json
Caching
# Skip cached results (force fresh check) composer vendor:check --no-cache # Clear cache before running composer vendor:check --clear-cache # Custom TTL (seconds) composer vendor:check --cache-ttl=7200
Verbose Output
composer vendor:check -v
Custom Lock Path
composer vendor:check --path=/path/to/project/composer.lock
Custom Config
composer vendor:check --config=/path/to/packages.php
Command Options
| Option | Short | Description |
|---|---|---|
--path |
-p |
Path to composer.lock file (default: ./composer.lock) |
--packages |
- | Comma-separated list of packages to check |
--url |
-u |
Single vendor URL to check |
--format |
-f |
Output format: table, json, csv (default: table) |
--output |
-o |
Write results to file path |
--json |
-j |
Alias for --format=json |
--no-cache |
- | Skip reading cached results |
--clear-cache |
- | Clear cache before running |
--cache-ttl |
- | Cache TTL in seconds (default: 3600) |
--config |
-c |
Path to packages.php config file |
--verbose |
-v |
Show detailed output |
Example Output
Checking packages from: ./composer.lock
[ 1/24] stripe/stripe-payments packagist OK
[ 2/24] klaviyo/magento2-extension packagist UPDATE
[ 3/24] xtento/orderexport website OK
...
Vendor Version Check Report
--------------------------------------------------------------------------
✓ stripe/stripe-payments
Installed: 3.5.0 Latest: 3.5.0 [via Packagist]
↑ klaviyo/magento2-extension
Installed: 4.4.2 Latest: 4.5.0 [via Packagist]
✗ amasty/promo
Installed: 2.12.0 Latest: Error
Error: Cloudflare protection detected — website requires browser verification
--------------------------------------------------------------------------
Summary: 15 up-to-date, 6 updates available, 0 ahead, 0 unavailable, 0 unresolved, 3 errors
Configuration
Configuration is optional. Without a config file, packages with no configured source resolve as UNRESOLVED. Use the bundled config/packages.php to define Packagist, website, and skip lists.
Config File Format
The plugin reads config/packages.php (bundled) or a custom path via --config. See config/packages.php.example for the full format.
Key configuration options:
return [ // Website URL overrides — scraped for version info 'package_url_mappings' => [ 'mageplaza/module-smtp' => 'https://www.mageplaza.com/magento-2-smtp/', ], // Packages checked via Packagist API only 'packagist_packages' => [ 'stripe/stripe-payments', 'klaviyo/magento2-extension', ], // Vendor prefixes to skip entirely 'skip_vendors' => [ 'magento', 'laminas', 'symfony', 'monolog', 'psr', 'phpunit', 'guzzlehttp', 'doctrine', ], // Specific packages to skip 'skip_packages' => [ 'vendor/internal-module', ], // Private repo hosts to skip 'skip_hosts' => [ 'repo.magento.com', ], // Host patterns to skip (regex) 'skip_patterns' => [ '/\.satis\./i', ], ];
Package Resolution Order
For each package in composer.lock:
- Skip — if vendor is in
skip_vendorsor package is inskip_packages - Website — if package has a URL in
package_url_mappings - Private Repo — if package came from a private Composer repo detected in
composer.json+auth.json - Packagist — if package is in the
packagist_packageslist - Unresolved — no configured check method (reported as UNRESOLVED)
How It Works
- Reads composer.lock to get all installed packages
- Resolves check strategy for each package via
PackageResolver - Checks cache — uses cached results within TTL if available
- Pre-fetches URLs concurrently via Guzzle async for cache misses
- Checks each package using its resolved method (Packagist, private repo, or website)
- Stores results in the result cache
- Formats output via
OutputFormatter(table, JSON, or CSV)
CI/CD Integration
GitHub Actions
name: Check Vendor Versions on: schedule: - cron: '0 9 * * 1' workflow_dispatch: jobs: check-versions: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: shivammathur/setup-php@v2 with: php-version: '8.1' - run: composer install - run: composer vendor:check --format=json --output=versions.json - uses: actions/upload-artifact@v4 with: name: version-report path: versions.json
Exit Codes
| Code | Meaning |
|---|---|
| 0 | All packages up to date |
| 1 | Updates available |
| 2 | Errors encountered |
Requirements
- PHP 8.1 or higher
- Composer 2.x
- ext-json
- guzzlehttp/guzzle ^6.5 or ^7.0
Running Tests
composer install vendor/bin/phpunit
Author
Carl Simpson — QB Digital Software Ltd https://qbdigital.co.uk
License
MIT License - see LICENSE file for details