
aaemnnosttv/composer-hash-plugin
================================

Composer plugin for writing the current composer version hash to a file on install/update.


[Source](https://github.com/aaemnnosttv/composer-hash-plugin) | [Packagist](https://packagist.org/packages/aaemnnosttv/composer-hash-plugin)


Composer Hash Plugin
====================

[![Tests](https://github.com/aaemnnosttv/composer-hash-plugin/actions/workflows/test.yml/badge.svg)](https://github.com/aaemnnosttv/composer-hash-plugin/actions/workflows/test.yml)

A Composer plugin for writing the Composer hash to a file on install/update to verify parity with VCS.

Overview
--------

This package aims to solve the problem of your installed dependencies getting out of sync with those defined by your lock file. As such, it is intended to be used in projects where the `composer.lock` file is under version control.

Once installed, the plugin will write the current `content-hash` from your `composer.lock` file to a new `composer.hash` file after each `composer install` or `update`. This is the only thing it will do automatically.

**This new file is intended to be excluded from version control.** The hashes can then be verified, but that has to be done (semi) manually. See below.

API
---

Since the hash file is written automatically, the API exposes methods for verifying the hashes.

### CLI

```
$ composer hash-verify
```

If hash verification fails, the command provides additional feedback and exits with a non-zero exit code.

### PHP

The plugin exposes a `ComposerHash\Hash::verify($path)` method, where `$path` is the absolute path to the project's root directory containing `composer.json`. This method checks that the hash in `composer.hash` matches the corresponding hash in the `composer.lock` file; if it doesn't, a `HashMismatchException` is thrown. Other exceptions are thrown if it is called with an invalid path or if the Composer files are unreadable.
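
The comparison described above, written as a stand-alone shell function for a deploy or CI step. This is an added example, not the plugin's own code; it assumes `composer.hash` contains only the hash string, and the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: parity check between composer.lock and composer.hash.
# Assumption: composer.hash holds only the content-hash (whitespace ignored).

# Print the "content-hash" value found in a composer.lock file.
lock_content_hash() {
    sed -n 's/.*"content-hash"[[:space:]]*:[[:space:]]*"\([0-9a-f]*\)".*/\1/p' "$1" |
        head -n 1
}

# verify_composer_hash DIR
# Returns 0 when the hashes match, 1 on mismatch,
# 2 when a file is missing, unreadable, or has no content-hash.
verify_composer_hash() {
    dir=$1
    lock="$dir/composer.lock"
    hash_file="$dir/composer.hash"

    [ -r "$lock" ] || { echo "cannot read $lock" >&2; return 2; }
    [ -r "$hash_file" ] || {
        echo "cannot read $hash_file (has composer install been run?)" >&2
        return 2
    }

    expected=$(lock_content_hash "$lock")
    [ -n "$expected" ] || { echo "no content-hash in $lock" >&2; return 2; }

    # Strip newlines and spaces so a trailing newline does not cause a mismatch.
    installed=$(tr -d '[:space:]' < "$hash_file")

    if [ "$expected" != "$installed" ]; then
        echo "dependencies out of sync: lock=$expected installed=$installed" >&2
        return 1
    fi
    return 0
}

# Typical use in a deploy script:
#   verify_composer_hash /path/to/project || exit 1
```

A match shows that the last `composer install` or `update` ran against the current lock file; it does not hash the contents of `vendor/`.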

Installation
------------

```
$ composer require aaemnnosttv/composer-hash-plugin
```

Note: the generated `composer.hash` file is intended to be ignored by source control so be sure to update your `.gitignore` or other VCS equivalent accordingly.

