aaemnnosttv / composer-hash-plugin
Composer plugin for writing the current composer version hash to a file on install/update.
Type: composer-plugin
Requires
- php: >=5.5
- composer-plugin-api: ^1.1 || ^2.0
- ext-json: *
This package is auto-updated.
Last update: 2025-01-15 21:16:57 UTC
README
A Composer plugin for writing the Composer hash to a file on install/update to verify parity with VCS.
Overview
This package aims to solve the problem of your installed dependencies getting out of sync with those defined by your lock file.
As such, it is intended to be used in projects where the composer.lock file is under version control.
Once installed, the plugin will write the current content-hash from your composer.lock file to a new composer.hash file after each composer install or update.
This is the only thing it will do automatically.
This new file is intended to be excluded from version control. The hashes can then be verified, but that has to be done (semi) manually. See below.
API
Since the hash file is written automatically, the API exposes methods for verifying the hashes.
CLI
$ composer hash-verify
If hash verification fails, the command provides additional feedback and exits with a non-zero exit code.
PHP
The plugin exposes a ComposerHash\Hash::verify($path) method, where $path is the absolute path to the project's root directory containing composer.json.
This function checks that the composer.hash matches the corresponding hash in the composer.lock file; if it doesn't, a HashMismatchException is thrown.
Other exceptions are thrown if called with an invalid path or if Composer files are unreadable.
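As an added example (not the plugin's own code), the comparison described above can be reproduced in a standalone deploy check that refuses to proceed when the installed dependencies are stale. It assumes composer.hash contains only the hash string; the function names and the temp-directory sample data are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Assumption: composer.hash contains
// only the content-hash string, optionally followed by whitespace.

/** Read a project file or throw if it is missing or unreadable. */
function readProjectFile($root, $name)
{
    $file = rtrim($root, '/\\') . DIRECTORY_SEPARATOR . $name;
    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException("$name is missing or unreadable in $root");
    }
    return file_get_contents($file);
}

/** Return the "content-hash" value recorded in composer.lock. */
function lockContentHash($root)
{
    $lock = json_decode(readProjectFile($root, 'composer.lock'), true);
    if (!is_array($lock) || empty($lock['content-hash'])) {
        throw new RuntimeException('composer.lock has no content-hash');
    }
    return $lock['content-hash'];
}

/** True when the hash written at install time matches the lock file in VCS. */
function installMatchesLock($root)
{
    $installed = trim(readProjectFile($root, 'composer.hash'));
    return $installed !== '' && $installed === lockContentHash($root);
}

// Demo on a constructed project in a temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hash-demo-' . uniqid();
mkdir($root);
$hash = str_repeat('ab', 16); // constructed sample value
file_put_contents("$root/composer.lock", json_encode(['content-hash' => $hash]));
file_put_contents("$root/composer.hash", $hash . "\n");
echo installMatchesLock($root) ? "in sync\n" : "stale: run composer install\n";

// Simulate pulling a commit that changed composer.lock without reinstalling.
file_put_contents("$root/composer.lock", json_encode(['content-hash' => str_repeat('cd', 16)]));
echo installMatchesLock($root) ? "in sync\n" : "stale: run composer install\n";

array_map('unlink', glob("$root/composer.*"));
rmdir($root);
```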
Installation
$ composer require aaemnnosttv/composer-hash-plugin
Note: the generated composer.hash file is intended to be ignored by source control, so be sure to update your .gitignore or other VCS equivalent accordingly.