

metasyntactical/composer-plugin-license-check
=============================================

Plugin for Composer to restrict installation of packages to valid licenses.

2.3.0(1y ago)6909.0k—6.6%6[6 PRs](https://github.com/MetaSyntactical/composer-plugin-license-check/pulls)1MITPHPPHP 8.1.\*|8.2.\*|8.3.\*CI passing

Since May 28 · Pushed 5mo ago · 2 watchers

[Source](https://github.com/MetaSyntactical/composer-plugin-license-check) · [Packagist](https://packagist.org/packages/metasyntactical/composer-plugin-license-check) · [RSS](/packages/metasyntactical-composer-plugin-license-check/feed) · 2.4.x · Synced 1mo ago


metasyntactical / composer-plugin-license-check
===============================================


This Composer plugin lets you define an allow list and/or a deny list of licenses against which the packages installed in a project are validated. If a package carries a forbidden license, the installation of that package fails.

Additionally, the plugin provides a new Composer command, `check-licenses`, which lists all packages in the dependencies together with their license and whether that license is allowed.

How to install
--------------


Installation follows the usual process for Composer packages.

Run `composer require metasyntactical/composer-plugin-license-check` to add the package to `composer.json` and install it.

How to use
----------

The plugin reads its configuration from the `extra` section of `composer.json`.

```
{
  "extra": {
    "metasyntactical/composer-plugin-license-check": {
      "allow-list": [],
      "deny-list": [],
      "allowed-packages": {}
    }
  }
}
```

Specify the allowed or forbidden licenses as arrays. Use the license identifiers that are valid in the `license` property of `composer.json` so the lists stay compatible with general Composer usage.

You may also list packages that are allowed despite license violations. Use the package name as the key (as in `require` and `require-dev`) and a semantic versioning constraint as the value (which currently is not checked!).

**Important Note**: This plugin is licensed under the MIT license. Even if you forbid MIT-licensed packages in your project, the plugin itself is the one package it will not complain about (otherwise further checking would obviously not work).
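
A filled-in `composer.json` fragment for the policy described above, as an added example that is not taken from the project's README. The license identifiers, the `^2.3` constraint, and the `acme/legacy-reports` exception are constructed sample values; the `config.allow-plugins` entry is the standard Composer 2.2+ switch that lets a plugin load at all and is not mentioned on this page.

```json
{
  "require": {
    "metasyntactical/composer-plugin-license-check": "^2.3"
  },
  "config": {
    "allow-plugins": {
      "metasyntactical/composer-plugin-license-check": true
    }
  },
  "extra": {
    "metasyntactical/composer-plugin-license-check": {
      "allow-list": ["MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"],
      "deny-list": ["AGPL-3.0-only", "AGPL-3.0-or-later"],
      "allowed-packages": {
        "acme/legacy-reports": "^1.4"
      }
    }
  }
}
```

Because the version constraint under `allowed-packages` is currently not checked, treat each entry as exempting that package name at any version and review the exceptions by hand. Running `composer check-licenses` afterwards lists every dependency with its license and whether the policy permits it.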

###  Health Score

Overall: 56 (Fair). Better than 98% of packages.

Maintenance: 55. Moderate activity, may be stable.

Popularity: 44. Moderate usage in the ecosystem.

Community: 19. Small or concentrated contributor base.

Maturity: 88. Battle-tested with a long release history.

Bus Factor: 1

Top contributor holds 52.7% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~139 days

Recently: every ~104 days

Total

22

Last Release

354d ago

Major Versions

v0.6.0 → v1.0.0 (2020-10-27)

v1.1.0 → 2.0.0 (2021-12-25)

PHP version history (9 changes)

v0.1.0: PHP >=7.1.0,<7.2.0

v0.2.0: PHP >=7.1.0,<7.3.0

v0.4.0: PHP >=7.1.0,<=7.3.3

v0.5.0: PHP >=7.1.0,<7.4.0

v0.6.0: PHP 7.4.\*

v1.0.0: PHP 7.3.\* || 7.4.\*

2.0.0: PHP 8.0.\* || 8.1.\*

2.1.x-dev: PHP 8.0.\*|8.1.\*|8.2.\*

2.2.0: PHP 8.1.\*|8.2.\*|8.3.\*

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/461576?v=4)[Daniel Kreuer](/maintainers/dkreuer)[@dkreuer](https://github.com/dkreuer)

---

Top Contributors

[![dkreuer](https://avatars.githubusercontent.com/u/461576?v=4)](https://github.com/dkreuer "dkreuer (448 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (399 commits)")[![dinamic](https://avatars.githubusercontent.com/u/11616?v=4)](https://github.com/dinamic "dinamic (1 commits)")[![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)](https://github.com/github-actions[bot] "github-actions[bot] (1 commits)")[![makeey](https://avatars.githubusercontent.com/u/23615966?v=4)](https://github.com/makeey "makeey (1 commits)")

###  Code Quality

Tests: PHPUnit

