PHPackages qbdigitalsoftware/composer-vendor-checker - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Utility & Helpers](/categories/utility) 4. / 5. qbdigitalsoftware/composer-vendor-checker ActiveComposer-plugin[Utility & Helpers](/categories/utility) qbdigitalsoftware/composer-vendor-checker ========================================= Composer plugin to check installed packages for available updates v1.0.1(1mo ago)00[1 PRs](https://github.com/qbdigitalsoftware/composer-vendor-checker/pulls)MITPHPPHP >=8.1CI passing Since Apr 20Pushed 1mo agoCompare [ Source](https://github.com/qbdigitalsoftware/composer-vendor-checker)[ Packagist](https://packagist.org/packages/qbdigitalsoftware/composer-vendor-checker)[ Docs](https://github.com/qbdigitalsoftware/composer-vendor-checker)[ RSS](/packages/qbdigitalsoftware-composer-vendor-checker/feed)WikiDiscussions master Synced 1w ago READMEChangelogDependencies (4)Versions (3)Used By (0) Composer Vendor Version Checker =============================== [](#composer-vendor-version-checker) [![Latest Stable Version](https://camo.githubusercontent.com/07431b7c59566dd72726bf44174afe2c2554fc55d4340b7eb802506847661902/68747470733a2f2f706f7365722e707567782e6f72672f71626469676974616c736f6674776172652f636f6d706f7365722d76656e646f722d636865636b65722f762f737461626c65)](https://packagist.org/packages/qbdigitalsoftware/composer-vendor-checker)[![Total Downloads](https://camo.githubusercontent.com/fcdb3f3112fecda6d9d1c18209a7e4df38387880c190958355844ebb2d0d5668/68747470733a2f2f706f7365722e707567782e6f72672f71626469676974616c736f6674776172652f636f6d706f7365722d76656e646f722d636865636b65722f646f776e6c6f616473)](https://packagist.org/packages/qbdigitalsoftware/composer-vendor-checker)[![CI](https://github.com/qbdigitalsoftware/composer-vendor-checker/actions/workflows/ci.yml/badge.svg)](https://github.com/qbdigitalsoftware/composer-vendor-checker/actions/workflows/ci.yml)[![PHP Version Require](https://camo.githubusercontent.com/280393651b343b547699bbc86e1f74a5b3f0c5282b22e3ae05d0e522ca98ca3e/68747470733a2f2f706f7365722e707567782e6f72672f71626469676974616c736f6674776172652f636f6d706f7365722d76656e646f722d636865636b65722f726571756972652f706870)](https://packagist.org/packages/qbdigitalsoftware/composer-vendor-checker)[![License](https://camo.githubusercontent.com/d4efa0be4b558cc16e9564b2550938ca63873b52c8b47a1e7c4a2059f946e3e9/68747470733a2f2f706f7365722e707567782e6f72672f71626469676974616c736f6674776172652f636f6d706f7365722d76656e646f722d636865636b65722f6c6963656e7365)](https://packagist.org/packages/qbdigitalsoftware/composer-vendor-checker) A Composer plugin that checks installed packages for available updates via three sources: **Packagist API** (for explicitly listed packages), **private Composer repositories** (auto-detected from composer.json + auth.json), and **vendor website scraping**. Packages not configured for any source are reported as UNRESOLVED. The Problem This Solves ----------------------- [](#the-problem-this-solves) `composer update` doesn't always show the true latest version of a third-party package. This happens when: - The vendor hasn't pushed the update to Packagist yet - The version available through Composer repositories lags behind the vendor's latest release - The package is distributed via a private Composer repository with restricted access This tool checks **Packagist** (for explicitly configured packages), **private Composer repos** (with auth.json credentials), and **vendor websites** to give you the complete picture. Features -------- [](#features) - Custom Composer command: `composer vendor:check` - **Explicit resolution** — checks packages via configured sources (Packagist list, private repos, vendor websites) - Three version sources: Packagist API, private Composer repos, vendor website scraping - **Result caching** — avoids redundant HTTP calls within a configurable TTL - **Per-package progress** — live progress indicator during checks - **Multiple output formats** — table, JSON, CSV - **File output** — write results directly to a file - Auto-detects private repos from composer.json and authenticates via auth.json - Configurable skip lists — exclude vendors or packages from checks - Cloudflare bot protection detection with clear error messaging - Exit codes for CI/CD: `0` = all current, `1` = updates available, `2` = errors - Concurrent HTTP pre-fetching via Guzzle async for fast checks Installation ------------ [](#installation) ### Via Composer (Recommended) [](#via-composer-recommended) ``` composer require --dev qbdigitalsoftware/composer-vendor-checker ``` ### As a Path Repository [](#as-a-path-repository) ``` composer config repositories.vendor-checker path /path/to/composer-vendor-checker composer require --dev qbdigitalsoftware/composer-vendor-checker ``` ### Verify Installation [](#verify-installation) ``` composer vendor:check --help ``` Usage ----- [](#usage) ### Check All Installed Packages [](#check-all-installed-packages) ``` composer vendor:check ``` Scans `composer.lock` and checks every non-skipped package for updates. Check method is determined by `config/packages.php`: website overrides, private repos (auto-detected), explicit Packagist list, or UNRESOLVED. ### Check Specific Packages [](#check-specific-packages) ``` composer vendor:check --packages=stripe/stripe-payments,amasty/promo ``` ### Check a Single Vendor URL [](#check-a-single-vendor-url) ``` composer vendor:check --url=https://amasty.com/admin-actions-log-for-magento-2.html ``` ### Output Formats [](#output-formats) ``` # Table format (default) composer vendor:check # JSON output composer vendor:check --format=json # CSV output composer vendor:check --format=csv # Legacy JSON alias composer vendor:check --json ``` ### Write to File [](#write-to-file) ``` composer vendor:check --format=csv --output=report.csv composer vendor:check --format=json --output=versions.json ``` ### Caching [](#caching) ``` # Skip cached results (force fresh check) composer vendor:check --no-cache # Clear cache before running composer vendor:check --clear-cache # Custom TTL (seconds) composer vendor:check --cache-ttl=7200 ``` ### Verbose Output [](#verbose-output) ``` composer vendor:check -v ``` ### Custom Lock Path [](#custom-lock-path) ``` composer vendor:check --path=/path/to/project/composer.lock ``` ### Custom Config [](#custom-config) ``` composer vendor:check --config=/path/to/packages.php ``` Command Options --------------- [](#command-options) OptionShortDescription`--path``-p`Path to composer.lock file (default: ./composer.lock)`--packages`-Comma-separated list of packages to check`--url``-u`Single vendor URL to check`--format``-f`Output format: table, json, csv (default: table)`--output``-o`Write results to file path`--json``-j`Alias for --format=json`--no-cache`-Skip reading cached results`--clear-cache`-Clear cache before running`--cache-ttl`-Cache TTL in seconds (default: 3600)`--config``-c`Path to packages.php config file`--verbose``-v`Show detailed outputExample Output -------------- [](#example-output) ``` Checking packages from: ./composer.lock [ 1/24] stripe/stripe-payments packagist OK [ 2/24] klaviyo/magento2-extension packagist UPDATE [ 3/24] xtento/orderexport website OK ... Vendor Version Check Report -------------------------------------------------------------------------- ✓ stripe/stripe-payments Installed: 3.5.0 Latest: 3.5.0 [via Packagist] ↑ klaviyo/magento2-extension Installed: 4.4.2 Latest: 4.5.0 [via Packagist] ✗ amasty/promo Installed: 2.12.0 Latest: Error Error: Cloudflare protection detected — website requires browser verification -------------------------------------------------------------------------- Summary: 15 up-to-date, 6 updates available, 0 ahead, 0 unavailable, 0 unresolved, 3 errors ``` Configuration ------------- [](#configuration) Configuration is optional. Without a config file, packages with no configured source resolve as UNRESOLVED. Use the bundled `config/packages.php` to define Packagist, website, and skip lists. ### Config File Format [](#config-file-format) The plugin reads `config/packages.php` (bundled) or a custom path via `--config`. See `config/packages.php.example` for the full format. Key configuration options: ``` return [ // Website URL overrides — scraped for version info 'package_url_mappings' => [ 'mageplaza/module-smtp' => 'https://www.mageplaza.com/magento-2-smtp/', ], // Packages checked via Packagist API only 'packagist_packages' => [ 'stripe/stripe-payments', 'klaviyo/magento2-extension', ], // Vendor prefixes to skip entirely 'skip_vendors' => [ 'magento', 'laminas', 'symfony', 'monolog', 'psr', 'phpunit', 'guzzlehttp', 'doctrine', ], // Specific packages to skip 'skip_packages' => [ 'vendor/internal-module', ], // Private repo hosts to skip 'skip_hosts' => [ 'repo.magento.com', ], // Host patterns to skip (regex) 'skip_patterns' => [ '/\.satis\./i', ], ]; ``` ### Package Resolution Order [](#package-resolution-order) For each package in `composer.lock`: 1. **Skip** — if vendor is in `skip_vendors` or package is in `skip_packages` 2. **Website** — if package has a URL in `package_url_mappings` 3. **Private Repo** — if package came from a private Composer repo detected in `composer.json` + `auth.json` 4. **Packagist** — if package is in the `packagist_packages` list 5. **Unresolved** — no configured check method (reported as UNRESOLVED) How It Works ------------ [](#how-it-works) 1. **Reads composer.lock** to get all installed packages 2. **Resolves check strategy** for each package via `PackageResolver` 3. **Checks cache** — uses cached results within TTL if available 4. **Pre-fetches URLs** concurrently via Guzzle async for cache misses 5. **Checks each package** using its resolved method (Packagist, private repo, or website) 6. **Stores results** in the result cache 7. **Formats output** via `OutputFormatter` (table, JSON, or CSV) CI/CD Integration ----------------- [](#cicd-integration) ### GitHub Actions [](#github-actions) ``` name: Check Vendor Versions on: schedule: - cron: '0 9 * * 1' workflow_dispatch: jobs: check-versions: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: shivammathur/setup-php@v2 with: php-version: '8.1' - run: composer install - run: composer vendor:check --format=json --output=versions.json - uses: actions/upload-artifact@v4 with: name: version-report path: versions.json ``` ### Exit Codes [](#exit-codes) CodeMeaning0All packages up to date1Updates available2Errors encounteredRequirements ------------ [](#requirements) - PHP 8.1 or higher - Composer 2.x - ext-json - guzzlehttp/guzzle ^6.5 or ^7.0 Running Tests ------------- [](#running-tests) ``` composer install vendor/bin/phpunit ``` Author ------ [](#author) **Carl Simpson — QB Digital Software Ltd** License ------- [](#license) MIT License - see LICENSE file for details ### Health Score 37 — LowBetter than 81% of packages Maintenance90 Actively maintained with recent releases Popularity0 Limited adoption so far Community8 Small or concentrated contributor base Maturity43 Maturing project, gaining track record Bus Factor1 Top contributor holds 75% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 50d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/4ce84bdb6ca174bb70970cc97c3419f9df05d7d32d4140075b06b50797d9243c?d=identicon)[carl-simpson](/maintainers/carl-simpson) --- Top Contributors [![carl-simpson](https://avatars.githubusercontent.com/u/62362507?v=4)](https://github.com/carl-simpson "carl-simpson (24 commits)")[![johnorourke](https://avatars.githubusercontent.com/u/2004038?v=4)](https://github.com/johnorourke "johnorourke (8 commits)") --- Tags composercomposer-pluginmagentoopen-sourcephpvendor-checkercomposermagentoAuditversionvendorsatisupdate-checker ### Code Quality TestsPHPUnit ### Embed Badge ![Health badge](/badges/qbdigitalsoftware-composer-vendor-checker/health.svg) ``` [![Health](https://phpackages.com/badges/qbdigitalsoftware-composer-vendor-checker/health.svg)](https://phpackages.com/packages/qbdigitalsoftware-composer-vendor-checker) ``` ### Alternatives [ergebnis/composer-normalize Provides a composer plugin for normalizing composer.json. 1.1k40.0M2.6k](/packages/ergebnis-composer-normalize)[mnsami/composer-custom-directory-installer A composer plugin, to help install packages of different types in custom paths. 1465.3M59](/packages/mnsami-composer-custom-directory-installer)[dg/composer-cleaner Victor The Cleaner: removes unnecessary files from vendor directory. 1411.6M30](/packages/dg-composer-cleaner)[typo3/class-alias-loader Amends the composer class loader to support class aliases to provide backwards compatibility for packages 4414.3M25](/packages/typo3-class-alias-loader)[automattic/jetpack-autoloader Creates a custom autoloader for a plugin or theme. 545.9M110](/packages/automattic-jetpack-autoloader)[run-as-root/magento2-prometheus-exporter Magento2 Prometheus Exporter 68353.9k](/packages/run-as-root-magento2-prometheus-exporter) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)