
kalessil/production-dependencies-guard
======================================

Prevents development packages from being added to the `require` section (they belong in `require-dev`).


production-dependencies-guard
=============================


Prevents development packages from being added to `require` and reaching production environments. In practice, this prevents e.g. debug toolbars from being deployed to production.

Additionally, you can configure the guard to decline packages with a missing or unfit license, abandoned packages, or packages mentioning `debug` in their description, and to analyze packages on the basis of composer.lock (deeper analysis).

Installation
============


`composer require --dev kalessil/production-dependencies-guard:dev-master`

Configuration
=============


Additional guard checks can be enabled in the top-level composer.json file:

```
{
    "name": "...",

    "extra": {
        "production-dependencies-guard": [
            "check-lock-file",
            "check-description",
            "check-license",
            "check-abandoned",

            "white-list:vendor/package-one",
            "white-list:vendor/package-two",

            "accept-license:MIT",
            "accept-license:proprietary"
        ]
    }
}

```

- `white-list:...` adds a package to the white-list, so it is not reported in spite of violations
- `check-lock-file` uses composer.lock instead of composer.json, allowing deeper analysis of dependencies
- `check-description` enables description and keywords analysis (searches for `debug`), which allows detecting custom dev-packages
- `check-abandoned` enables checking for abandoned packages
- `check-license` enables license checking (packages must provide license information)
- `accept-license:...` specifies which licenses should be accepted (if the setting is omitted, any license is accepted, including proprietary)
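
To see what these settings would flag before enabling them, the following added example (not the plugin's own code) applies an approximation of the description, license and abandoned checks to the production `packages` array of a lock file. The function name `auditLock`, the violation labels and the sample packages are assumptions constructed for illustration; only the setting names come from the list above.

```php
<?php
// Added example: independent audit of the production set in composer.lock.
// Setting names mirror the README; the matching rules and labels are assumptions.

function auditLock(array $lock, array $settings): array
{
    $whitelist = $accepted = [];
    foreach ($settings as $s) {
        if (strpos($s, 'white-list:') === 0)     { $whitelist[] = strtolower(substr($s, 11)); }
        if (strpos($s, 'accept-license:') === 0) { $accepted[]  = strtolower(substr($s, 15)); }
    }
    $violations = [];
    // "packages" holds production dependencies; "packages-dev" is deliberately ignored.
    foreach ($lock['packages'] ?? [] as $pkg) {
        $name = strtolower($pkg['name'] ?? '');
        if ($name === '' || in_array($name, $whitelist, true)) { continue; }
        $found = [];
        if (in_array('check-abandoned', $settings, true) && !empty($pkg['abandoned'])) {
            $found[] = 'abandoned';
        }
        if (in_array('check-description', $settings, true)) {
            $text = ($pkg['description'] ?? '') . ' ' . implode(' ', $pkg['keywords'] ?? []);
            if (stripos($text, 'debug') !== false) { $found[] = 'description'; }
        }
        if (in_array('check-license', $settings, true)) {
            $licenses = array_map('strtolower', (array) ($pkg['license'] ?? []));
            if ($licenses === []) {
                $found[] = 'license-missing';
            } elseif ($accepted !== [] && array_intersect($licenses, $accepted) === []) {
                $found[] = 'license-unfit';
            }
        }
        if ($found !== []) { $violations[$name] = $found; }
    }
    return $violations;
}

// Constructed sample data, not taken from a real project.
$lock = ['packages' => [
    ['name' => 'acme/toolbar', 'description' => 'Debug toolbar', 'license' => ['MIT']],
    ['name' => 'acme/legacy', 'description' => 'Old HTTP client', 'license' => ['MIT'], 'abandoned' => true],
    ['name' => 'acme/blob', 'description' => 'Binary helper'],
    ['name' => 'acme/gpl-lib', 'description' => 'Parser', 'license' => ['GPL-3.0-only']],
    ['name' => 'vendor/package-one', 'description' => 'debug helper', 'license' => ['MIT']],
]];
$settings = ['check-description', 'check-license', 'check-abandoned',
             'white-list:vendor/package-one', 'accept-license:MIT'];

foreach (auditLock($lock, $settings) as $name => $reasons) {
    echo " - $name: " . implode(', ', $reasons) . PHP_EOL;
}
```

To audit a real project, pass `json_decode(file_get_contents('composer.lock'), true)` as the first argument.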

Usage
=====


When the package is added to the `require-dev` section of your `composer.json` file (`"kalessil/production-dependencies-guard": "dev-master"`), it will **prevent adding dev-packages into the `require` section**. Since dev-packages carry no security guarantees (they are intended for development purposes only, not for production use), this also improves your application's security.

```
composer require --dev kalessil/production-dependencies-guard:dev-master

composer require phpunit/phpunit:*
# it should be `composer require --dev phpunit/phpunit:*` here

```

will fail with an error (profit!):

```
./composer.json has been updated

Installation failed, reverting ./composer.json to its original content.

[RuntimeException]
  Dependencies guard has found violations in require-dependencies (source: manifest):
   - phpunit/phpunit: dev-package-name

```

Stability
=========


This package is only available in its `dev-master` version, in keeping with its purpose.

