LinuxCommandLibrary

composer-require-checker

Find undeclared composer dependencies

TLDR

Analyze a Composer JSON file

$ composer-require-checker check [path/to/composer.json]
copy

Analyze a Composer JSON file with a specific configuration
$ composer-require-checker check --config-file [path/to/config.json] [path/to/composer.json]
copy

SYNOPSIS

composer-require-checker [OPTIONS] [--] [<paths>...]

PARAMETERS

--vendor-dir <DIR>
    Path to the vendor directory (default: ./vendor)

--autoload-dir <DIR>
    Additional path for autoload files (repeatable)

--no-dev
    Skip checking dev dependencies

--ignore-platform-reqs
    Ignore all platform requirements

--ignore-platform-req <PACKAGE>
    Ignore specific platform requirement (repeatable)

--strict
    Fail on any unused internal packages

--allow-missing-core-only-packages
    Treat missing core packages as allowed

--profile
    Enable profiling to show checker performance

--ansi / --no-ansi
    Force (disable) ANSI colored output

--no-interaction
    Do not ask interactive questions

<paths>
    Paths to scan (default: current directory)

DESCRIPTION

The composer-require-checker is a PHP command-line tool that scans your project's source code to identify Composer dependencies that are not actually used. It analyzes PHP files for class, interface, trait, and function usage, then cross-references them against composer.json and installed packages in the vendor directory.

This helps maintain a lean dependency tree, reduces security vulnerabilities from unused libraries, and keeps composer.json clean. It supports excluding dev dependencies, ignoring platform requirements, and custom vendor paths. Output includes unused packages grouped by type (required, dev, platform), making it easy to remove bloat.

Commonly integrated into CI/CD pipelines like GitHub Actions or GitLab CI for automated checks. It respects PHP namespaces and handles PSR autoloading but may miss dynamically loaded code or indirect usages.

CAVEATS

Requires PHP and Composer installation; scans only static PHP code (misses dynamic requires, eval); false positives possible with conditional includes; performance scales with project size.

INSTALLATION

Run composer require --dev maglnet/composer-require-checker; executable at ./vendor/bin/composer-require-checker

EXIT CODES

0: all good; 1: unused dependencies found; 2: fatal error

HISTORY

Developed by Marc GLOD (maglnet) starting 2016; latest v4.x supports modern PHP/Composer; widely used in PHP ecosystem for dependency auditing.

SEE ALSO

composer(1)

Copied to clipboard