terminal42/composer-lock-validator

A library to validate a composer.lock file against your local Composer instance

Maintainers

Details

github.com/terminal42/composer-lock-validator

Source

Issues

Fund package maintenance!
terminal42
Ko Fi

Installs: 210

Dependents: 1

Suggesters: 0

Security: 0

Stars: 4

Watchers: 2

Forks: 0

Open Issues: 0

1.1.1 2025-06-18 14:00 UTC

Requires

Requires (Dev)

MIT 46c2faf7148aa7f18a4ad7c8aa4cf9c4f5e57104

  • Yanick Witschi <yanick.witschi.woop@terminal42.ch>

This package is auto-updated.

Last update: 2025-06-18 14:02:25 UTC

README

This library allows to compare a given composer.lock file against your local Composer instance.

You can use it to e.g. ensure a provided composer.lock does not contain any foreign packages (not required by your Composer instance - aka composer.json) or package URLs that have been tampered with. It also detects removed packages that should be present.

Usage:

use \Terminal42\ComposerLockValidator\Validator;
use \Terminal42\ComposerLockValidator\ValidationException;

$composerLock = [
    'content-hash' => '...',
    'packages' => [...]
    'packages-dev' => [...]
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock);
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}

echo 'Valid!';

Partial validation / validation against existing composer.lock

When you run composer update as a partial update (e.g. composer update <vendor/package> --with-dependencies), Composer will not update the composer.lock information of all the other packages. Hence, validating will probably fail because one of the other packages have experienced metadata updates in the meantime (new URL, probably abandoned, different branch-aliases etc.). In such a case, you might want to add your already existing composer.lock file as additional source of truth. Every package in the composer.lock you want to validate then has to either match the metadata of the repositories or the entry of an already existing composer.lock. Simply pass the data of the existing composer.lock as second argument:

use \Terminal42\ComposerLockValidator\Validator;
use \Terminal42\ComposerLockValidator\ValidationException;

$composerLock = [
    'content-hash' => '...',
    'packages' => [...]
    'packages-dev' => [...]
];

$alreadyExistingComposerLockITrust = [
    'content-hash' => '...',
    'packages' => [...]
    'packages-dev' => [...]
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock, $alreadyExistingComposerLockITrust);
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}

echo 'Valid!';