
terminal42/composer-lock-validator
==================================

A library to validate a composer.lock file against your local Composer instance

Version 1.1.2 (1y ago) · MIT · PHP ^8.1 · CI passing

[Source](https://github.com/terminal42/composer-lock-validator) · [Packagist](https://packagist.org/packages/terminal42/composer-lock-validator)

Composer lock file validator
----------------------------


This library lets you compare a given `composer.lock` file against your local Composer instance.

You can use it, for example, to ensure that a provided `composer.lock` does not contain any foreign packages (packages not required by your Composer instance, i.e. your `composer.json`) or package URLs that have been tampered with. It also detects removed packages that should be present.

Usage:

```
use Terminal42\ComposerLockValidator\Validator;
use Terminal42\ComposerLockValidator\ValidationException;

// Decoded contents of the composer.lock you want to validate
$composerLock = [
    'content-hash' => '...',
    'packages' => [/* ... */],
    'packages-dev' => [/* ... */],
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock);
    // Only reached when validate() did not throw
    echo 'Valid!';
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}
```

### Partial validation / validation against existing `composer.lock`


When you run `composer update` as a partial update (e.g. `composer update  --with-dependencies`), Composer will not update the `composer.lock` information of all the other packages. Validation will then probably fail because one of the other packages has had metadata updates in the meantime (a new URL, possibly `abandoned`, different `branch-aliases`, etc.). In that case, you might want to add your already existing `composer.lock` file as an additional source of truth. Every package in the `composer.lock` you want to validate then has to match either the metadata of the repositories or the entry in the already existing `composer.lock`. Simply pass the data of the existing `composer.lock` as the second argument:

```
use Terminal42\ComposerLockValidator\Validator;
use Terminal42\ComposerLockValidator\ValidationException;

// Decoded contents of the composer.lock you want to validate
$composerLock = [
    'content-hash' => '...',
    'packages' => [/* ... */],
    'packages-dev' => [/* ... */],
];

// Decoded contents of the existing composer.lock used as additional source of truth
$alreadyExistingComposerLockITrust = [
    'content-hash' => '...',
    'packages' => [/* ... */],
    'packages-dev' => [/* ... */],
];

// You can either pass an already existing Composer instance
$validator = Validator::createFromComposer($composer);
// Or provide a path to your composer.json
$validator = Validator::createFromComposerJson($pathToComposerJson);

try {
    $validator->validate($composerLock, $alreadyExistingComposerLockITrust);
    // Only reached when validate() did not throw
    echo 'Valid!';
} catch (ValidationException $exception) {
    echo 'Invalid: ' . $exception->getMessage();
}
```
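
As an added illustration (not code from this library or its authors), the following PHP shows the trusted-lock half of the rule described above: it lists which entries of a candidate `composer.lock` are absent from, removed from, or different to a lock you already trust. Those are the entries that would still have to match repository metadata, which this example does not consult. The function names `indexLock` and `diffLocks` and the sample packages are hypothetical.

```php
<?php
// Added illustration, not the library's code; no repository metadata lookup here.
function indexLock(array $lock): array
{
    $index = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            $index[$package['name']] = [ // fields worth pinning per package
                'version'    => $package['version'] ?? null,
                'dist-url'   => $package['dist']['url'] ?? null,
                'dist-sum'   => $package['dist']['shasum'] ?? null,
                'source-url' => $package['source']['url'] ?? null,
                'source-ref' => $package['source']['reference'] ?? null,
            ];
        }
    }
    return $index;
}

function diffLocks(array $candidate, array $trusted): array
{
    [$new, $old] = [indexLock($candidate), indexLock($trusted)];
    $findings = []; // stays empty when the candidate matches the trusted lock
    foreach (array_keys(array_diff_key($new, $old)) as $name) {
        $findings[] = "not in trusted lock: $name";
    }
    foreach (array_keys(array_diff_key($old, $new)) as $name) {
        $findings[] = "removed: $name";
    }
    foreach (array_intersect_key($new, $old) as $name => $fields) {
        foreach ($fields as $field => $value) {
            if ($value !== $old[$name][$field]) {
                $findings[] = "$name: $field differs from trusted lock";
            }
        }
    }
    return $findings;
}

// Constructed sample data: acme/* packages and example.test URLs are made up.
$trusted = ['packages' => [
    ['name' => 'acme/a', 'version' => '1.0.0', 'dist' => ['url' => 'https://example.test/a.zip']],
    ['name' => 'acme/b', 'version' => '2.0.0', 'dist' => ['url' => 'https://example.test/b.zip']],
]];
$candidate = ['packages' => [
    ['name' => 'acme/a', 'version' => '1.0.0', 'dist' => ['url' => 'https://mirror.example.test/a.zip']],
    ['name' => 'acme/x', 'version' => '0.1.0', 'dist' => ['url' => 'https://example.test/x.zip']],
]];
print_r(diffLocks($candidate, $trusted));
```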


### Community

Maintainers:

- [Andreas Schempp](https://github.com/aschempp) (@aschempp)
- [Yanick Witschi](https://github.com/Toflar) (@Toflar)
