danielbachhuber/composer-lock-updater
=====================================

Run composer-lock-updater in your CI system for bot-powered composer.lock pull requests.

v0.8.3 · MIT · PHP · [4 issues](https://github.com/danielbachhuber/composer-lock-updater/issues) · [Source](https://github.com/danielbachhuber/composer-lock-updater) · [Packagist](https://packagist.org/packages/danielbachhuber/composer-lock-updater)


When you run `clu`, it:

1. Clones a given git repository to a working `/tmp/` directory.
2. Runs `composer update` within the working directory.
3. Submits a pull request if changes are detected to a tracked `composer.lock` file.

Et voila! Now your dependencies are no longer six months out of date.

composer-lock-updater differs from [dependabot](https://dependabot.com/) in that it bundles all of your updates into one pull request, instead of creating a separate pull request for each dependency.

[Installing](#installing) | [Using](#using) | [Integrate with Travis CI](#use-with-travis-ci)

Installing
----------


composer-lock-updater is a PHP library that can be installed with Composer:

```
composer global require danielbachhuber/composer-lock-updater
```

composer-lock-updater depends on `composer` and `git` being available on the system. For use with GitHub, also install the official [`hub`](https://github.com/github/hub) CLI tool. For use with GitLab, you can use the unofficial [`lab`](https://github.com/zaquestion/lab) CLI tool that emulates `hub`.

Both `hub` and `lab` will need to be authenticated with their respective services in order to create the pull/merge requests.

#### Support for other providers


Copy [clu-config.dist.json](clu-config.dist.json) to `$COMPOSER_HOME/clu-config.json` to add support for your git repository provider, or to make adjustments to the pull request commands. For example, to add support for a Bitbucket-Pantheon project using [Terminus Bitbucket Plugin](https://github.com/aaronbauman/terminus-bitbucket-plugin), create the following `clu-config.json`:

```
{
  "providers": {
    "terminus": {
      "provider": "terminus",
      "exec": ["terminus"],
      "pr_create": "terminus pr-create --title=\"Update Composer dependencies\" --description %s",
      "pr_list": "terminus pr-list",
      "pr_close": "terminus pr-close %d -y",
      "title_pattern": "%(\\d+)\\s+Update Composer dependencies\\s+clu\\-([0-9-]*)%"
    }
  }
}
```

Using
-----


Run composer-lock-updater within an existing GitHub repository with:

```
clu
```

composer-lock-updater defaults to using `git config --get remote.origin.url`. If you'd like to specify a different value, either pass the repository URL as the first positional argument or define a `CLU_GIT_URL` environment variable.

To use composer-lock-updater with a GitLab repository, use:

```
clu --provider=gitlab
```

composer-lock-updater also supports the following environment variables to modify its behavior:

- `CLU_COMPOSER_INSTALL_ARGS`: Arguments passed to `composer install`; defaults to `--no-dev --no-interaction`.
- `CLU_COMPOSER_UPDATE_ARGS`: Arguments passed to `composer update`; defaults to `--no-progress --no-dev --no-interaction`.
- `CLU_GIT_NAME`: Name used for Git commits; defaults to 'composer-lock-update'.
- `CLU_GIT_EMAIL`: Email used for Git commits; defaults to 'composer-lock-update@localhost'.

Integrate with Travis CI
------------------------


This wouldn't be very useful if it didn't run automatically for you.

To configure composer-lock-updater to run on Travis master branch builds, add the following to your `.travis.yml` file:

```
    after_script:
      - |
        ###
        # Only run on one job of a master branch build
        ###
        if [ -z "$CLU_RUN" ] || [ "$TRAVIS_BRANCH" != master ] ; then
          echo "composer.lock update disabled for this build"
          return
        fi
        ###
        # Install composer-lock-updater
        ###
        export PATH="$HOME/.composer/vendor/bin:$PATH"
        composer global require danielbachhuber/composer-lock-updater
        ###
        # Install hub for creating GitHub pull requests
        #
        # You could also replace this with lab to create GitLab merge requests.
        ###
        wget -O hub.tgz https://github.com/github/hub/releases/download/v2.2.9/hub-linux-amd64-2.2.9.tgz
        tar -zxvf hub.tgz
        export PATH=$PATH:$PWD/hub-linux-amd64-2.2.9/bin/
        ###
        # Optional: install Sensio Labs security checker to include security advisories in PR comments
        ###
        mkdir -p $HOME/bin
        wget -O $HOME/bin/security-checker.phar http://get.sensiolabs.org/security-checker.phar
        chmod +x $HOME/bin/security-checker.phar
        ###
        # Run composer-lock-updater
        ###
        clu $CLU_REPO_URL
```

To grant commit and pull request access to the Travis build, define these private environment variables in the Travis control panel:

```
GITHUB_TOKEN=<token>
CLU_REPO_URL=https://<token>:x-oauth-basic@github.com/<org>/<repo>.git
```

Make sure to replace `<token>`, `<org>` and `<repo>` with the appropriate values.

Lastly, because of the `CLU_RUN` environment variable, composer-lock-updater is disabled by default. Enable it for one job per build by modifying your environment matrix:

```
matrix:
  include:
    - php: 7.1
      env: WP_VERSION=latest PHP_APCU=enabled CLU_RUN=1
    - php: 7.0
      env: WP_VERSION=latest PHP_APCU=enabled
    - php: 5.6
      env: WP_VERSION=latest PHP_APCU=enabled
```

composer-lock-updater runs in the `after_script` step, so a misconfiguration won't fail your build. Make sure to verify that it's working correctly.
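The `after_script` above downloads `hub` and the security checker and runs them in a job that holds `GITHUB_TOKEN`, and the checker is fetched over plain HTTP. The following is an added example, not code from the composer-lock-updater project, showing one way to gate those downloads on HTTPS and a pinned SHA-256; the helper names and the `<PINNED_SHA256>` placeholder are assumptions.

```shell
# Added example: checksum-pinned install for CI downloads.
# require_https, sha256_of and install_verified are hypothetical helper names.

# Accept only URLs fetched over TLS.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS download: $1" >&2; return 1 ;;
  esac
}

# Print the hex SHA-256 of a file (GNU coreutils, or shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified SRC DEST EXPECTED_SHA256
# Move SRC to DEST only if its digest matches the pinned value. On mismatch,
# delete SRC so no later step can pick it up, and return non-zero.
install_verified() {
  src=$1 dest=$2 expected=$3
  actual=$(sha256_of "$src") || return 1
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $src: got $actual" >&2
    rm -f "$src"
    return 1
  fi
  mkdir -p "$(dirname "$dest")" && mv "$src" "$dest"
}

# How the hub step would use it (placeholder digest: record the real one
# yourself from a release you have reviewed):
#   url=https://github.com/github/hub/releases/download/v2.2.9/hub-linux-amd64-2.2.9.tgz
#   require_https "$url" && wget -O hub.tgz.part "$url" \
#     && install_verified hub.tgz.part hub.tgz "<PINNED_SHA256>" \
#     && tar -zxf hub.tgz
```

Because `after_script` failures do not fail the build, check the job log for the `checksum mismatch` or `refusing non-HTTPS download` messages.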

