terminal42/composer-lock-validator

A library to validate a composer.lock file against your local Composer instance

1.0.0 2025-04-16 15:15 UTC

This package is auto-updated.

Last update: 2025-04-23 07:24:11 UTC


README

This library lets you compare a given composer.lock file against your local Composer instance.

You can use it, for example, to ensure that a provided composer.lock does not contain any foreign packages (packages not required by your Composer instance, i.e. your composer.json) or package URLs that have been tampered with. It also detects removed packages that should be present.

Usage:

use Terminal42\ComposerLockValidator\Validator;
use Terminal42\ComposerLockValidator\ValidationException;

// Decoded contents of the composer.lock file to check
$composerLock = [
    'content-hash' => '...',
    'packages' => [/* ... */],
    'packages-dev' => [/* ... */],
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock);
    // Only reached when validate() did not throw
    echo 'Valid!';
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}
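
As an added example (not part of the library's README), the following sketch gates an externally supplied composer.lock behind the validator before it replaces the project's own lock file. The helper name installCandidateLock, the file paths and the vendor/autoload.php location are assumptions; only the Validator and ValidationException calls come from the usage shown above.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: library installed via Composer

use Terminal42\ComposerLockValidator\ValidationException;
use Terminal42\ComposerLockValidator\Validator;

/**
 * Hypothetical helper: accept an externally supplied lock file only if it
 * validates against the project's own, trusted composer.json.
 */
function installCandidateLock(string $candidatePath, string $projectDir): bool
{
    $raw = file_get_contents($candidatePath);
    if ($raw === false) {
        fwrite(STDERR, "Cannot read candidate lock file\n");
        return false;
    }

    try {
        // Decode strictly: malformed JSON throws instead of silently becoming null.
        $lock = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($lock)) {
            throw new UnexpectedValueException('Lock file is not a JSON object');
        }

        // Validate against the trusted composer.json, never one shipped with the candidate.
        $validator = Validator::createFromComposerJson($projectDir . '/composer.json');
        $validator->validate($lock);
    } catch (JsonException | UnexpectedValueException | ValidationException $e) {
        fwrite(STDERR, 'Rejected: ' . $e->getMessage() . "\n");
        return false;
    }

    // Write beside the target and rename, so a half-written lock is never picked up.
    $tmp = tempnam($projectDir, 'lock');
    if ($tmp === false || file_put_contents($tmp, $raw) === false) {
        return false;
    }

    return rename($tmp, $projectDir . '/composer.lock');
}

// Constructed paths for illustration only.
exit(installCandidateLock('/tmp/upload/composer.lock', __DIR__) ? 0 : 1);
```

The non-zero exit code lets a deployment script or CI job stop before running composer install on a rejected lock file.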