PHPackages tsmsogn/composer-require-patch-enforcer - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. tsmsogn/composer-require-patch-enforcer ActiveComposer-plugin tsmsogn/composer-require-patch-enforcer ======================================= Composer plugin that enforces exact x.y.z versions on composer require (no range operators) 1.0.0(1mo ago)01↑2900%MITPHPPHP >=8.1 Since Apr 1Pushed 1mo agoCompare [ Source](https://github.com/tsmsogn/composer-require-patch-enforcer)[ Packagist](https://packagist.org/packages/tsmsogn/composer-require-patch-enforcer)[ Docs](https://github.com/tsmsogn/composer-require-patch-enforcer)[ RSS](/packages/tsmsogn-composer-require-patch-enforcer/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (1)Dependencies (1)Versions (2)Used By (0) composer-require-patch-enforcer =============================== [](#composer-require-patch-enforcer) A [Composer plugin](https://getcomposer.org/doc/articles/plugins.md) that blocks `composer require` unless each package uses an **exact three-part version** only: `major.minor.patch` with **no range operators** (`^`, `~`, `>=`, `*`, `||`, spaces for compound constraints, etc.). Example: `monolog/monolog:3.5.0`. This pushes root requirements toward explicit pins to reduce accidental wide constraints as part of supply-chain hygiene. Requirements ------------ [](#requirements) - PHP `>= 8.1` - Composer with plugin API `^2.3` (Composer 2.3+) Installation ------------ [](#installation) ### From Packagist (recommended) [](#from-packagist-recommended) After the package is registered on [Packagist](https://packagist.org/), install a **stable release with an exact version** (this matches how this plugin expects root requirements to be written once it is active): ``` composer require tsmsogn/composer-require-patch-enforcer:1.0.0 composer config allow-plugins.tsmsogn/composer-require-patch-enforcer true ``` The **first** time you add this package, the plugin is not in `vendor` yet, so Composer will also accept a range (e.g. `^1.0`) for that single command. After the plugin is installed, further `composer require` calls must use **exact** `x.y.z` for every package on the command line (or use `COMPOSER_REQUIRE_PATCH_ENFORCER_SKIP=1` / `--no-plugins`). Upgrading this plugin to `1.0.1` should look like: `composer require tsmsogn/composer-require-patch-enforcer:1.0.1`. ### Development: VCS or path [](#development-vcs-or-path) From Git (no Packagist): ``` composer config repositories.composer-require-patch-enforcer vcs https://github.com/tsmsogn/composer-require-patch-enforcer.git composer require tsmsogn/composer-require-patch-enforcer:@dev ``` From a local path: ``` composer config repositories.composer-require-patch-enforcer path ../composer-require-patch-enforcer composer require tsmsogn/composer-require-patch-enforcer:@dev ``` If the package is not on Packagist, you may need `minimum-stability` or a stability suffix (e.g. `@dev`) as above. ### Allow the plugin [](#allow-the-plugin) Composer 2.2+ requires you to opt in to plugins: ``` composer config allow-plugins.tsmsogn/composer-require-patch-enforcer true ``` Usage ----- [](#usage) **Every package on the command line** must include a version that matches this pattern (whole string, after trim): - Optional leading `v` - Three numeric segments: `digits.digits.digits` - Nothing else (no stability suffix like `@stable`, no pre-release like `-alpha`) Regex: `^v?\d+\.\d+\.\d+$` ### Accepted examples [](#accepted-examples) ``` composer require monolog/monolog:3.5.0 composer require monolog/monolog:v3.5.0 composer require "vendor/package 1.0.0" ``` ### Rejected examples [](#rejected-examples) ``` composer require monolog/monolog composer require monolog/monolog:^3.5.0 composer require monolog/monolog:~3.5.0 composer require "vendor/package >=1.0.0