
terminal42/composer-lock-validator
==================================

A library to validate a composer.lock file against your local Composer instance

Version 1.1.2 · License: MIT · Requires PHP ^8.1

[Source](https://github.com/terminal42/composer-lock-validator) · [Packagist](https://packagist.org/packages/terminal42/composer-lock-validator)

Composer lock file validator
----------------------------


This library allows you to compare a given `composer.lock` file against your local Composer instance.

For example, you can use it to ensure that a provided `composer.lock` does not contain any foreign packages (packages not required by your Composer instance, i.e. your `composer.json`) or package URLs that have been tampered with. It also detects removed packages that should be present.

Usage:

```
use \Terminal42\ComposerLockValidator\Validator;
use \Terminal42\ComposerLockValidator\ValidationException;

// Decoded contents of the composer.lock you want to validate
$composerLock = [
    'content-hash' => '...',
    'packages' => [...],
    'packages-dev' => [...],
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock);
    // Only reached if validate() did not throw
    echo 'Valid!';
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}
```

### Partial validation / validation against existing `composer.lock`


When you run `composer update` as a partial update (e.g. `composer update  --with-dependencies`), Composer will not update the `composer.lock` information of all the other packages. Hence, validation will probably fail because one of the other packages has experienced metadata updates in the meantime (new URL, perhaps `abandoned`, different `branch-aliases` etc.). In such a case, you might want to add your already existing `composer.lock` file as an additional source of truth. Every package in the `composer.lock` you want to validate then has to match either the metadata of the repositories or the entry in the already existing `composer.lock`. Simply pass the data of the existing `composer.lock` as the second argument:

```
use \Terminal42\ComposerLockValidator\Validator;
use \Terminal42\ComposerLockValidator\ValidationException;

// Decoded contents of the composer.lock you want to validate
$composerLock = [
    'content-hash' => '...',
    'packages' => [...],
    'packages-dev' => [...],
];

// Decoded contents of the composer.lock you already trust
$alreadyExistingComposerLockITrust = [
    'content-hash' => '...',
    'packages' => [...],
    'packages-dev' => [...],
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock, $alreadyExistingComposerLockITrust);
    // Only reached if validate() did not throw
    echo 'Valid!';
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}
```
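
The "existing lock as source of truth" rule in miniature, as an added example that is not part of the README or the library's code: it compares a candidate lock against a trusted one only and flags foreign, removed and altered entries, whereas the library also validates against the metadata of the repositories. The function names `indexLock()` and `compareLocks()` and the sample data are assumptions made for this illustration.

```php
<?php
// Added illustration, not the library's code: a lock-to-lock comparison only.
declare(strict_types=1);

/** Index a decoded composer.lock by package name, keeping integrity-relevant fields. */
function indexLock(array $lock): array
{
    $index = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $p) {
            $index[$p['name']] = [
                'version' => $p['version'] ?? null,
                'source'  => [$p['source']['url'] ?? null, $p['source']['reference'] ?? null],
                'dist'    => [$p['dist']['url'] ?? null, $p['dist']['reference'] ?? null, $p['dist']['shasum'] ?? null],
            ];
        }
    }
    return $index;
}

/** List packages that are foreign to, missing from, or altered relative to the trusted lock. */
function compareLocks(array $trusted, array $candidate): array
{
    [$old, $new] = [indexLock($trusted), indexLock($candidate)];
    $findings = [];
    foreach (array_keys(array_diff_key($new, $old)) as $name) {
        $findings[] = "foreign package: $name";
    }
    foreach (array_keys(array_diff_key($old, $new)) as $name) {
        $findings[] = "removed package: $name";
    }
    foreach (array_intersect_key($new, $old) as $name => $entry) {
        // A new version cannot be confirmed here; that needs repository metadata.
        if ($entry !== $old[$name]) {
            $findings[] = ($entry['version'] === $old[$name]['version'] ? 'changed source/dist' : 'version changed, check repositories') . ": $name";
        }
    }
    return $findings;
}

// Constructed sample locks (package names and example.test URLs are made up).
$pkg = fn (string $n, string $v, string $url): array => ['name' => $n, 'version' => $v, 'dist' => ['url' => $url]];
$trusted = ['packages' => [
    $pkg('acme/a', '1.0.0', 'https://example.test/a.zip'), $pkg('acme/b', '2.1.0', 'https://example.test/b.zip'),
]];
$candidate = ['packages' => [
    $pkg('acme/a', '1.0.0', 'https://other.example.test/a.zip'), $pkg('acme/c', '0.1.0', 'https://example.test/c.zip'),
]];
echo implode(PHP_EOL, compareLocks($trusted, $candidate)), PHP_EOL;
```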

### Community

Maintainers: [Andreas Schempp](https://github.com/aschempp) (@aschempp), [Yanick Witschi](https://github.com/Toflar) (@Toflar)

