Metadata Minifier Laravel Package
composer/metadata-minifier
Utility library for Composer 2.x repository metadata. Minifies package version arrays into diffs and expands minified metadata back to the original structure, reducing JSON size and improving transfer efficiency. Includes simple static minify/expand APIs.
Getting Started
Start by installing the package via Composer:
composer require --dev composer/metadata-minifier
Run the minifier directly on your composer.lock:
vendor/bin/composer-metadata-minifier
By default, it reads composer.lock from the current directory and overwrites it with the minified version. For CI or pre-commit use, pipe input/output or specify paths explicitly:
vendor/bin/composer-metadata-minifier path/to/composer.lock --output=path/to/minified.lock
Your first use case: run it locally after composer update to see how much metadata bloat is being removed and verify the reduced diff in version control.
Implementation Patterns
-
CI Integration: Add a
metadata:minifyscript tocomposer.json, then call it in CI after dependency resolution (e.g., aftercomposer install), ensuring only minified lockfiles are committed:"scripts": { "metadata:minify": "vendor/bin/composer-metadata-minifier" }In CI:
composer run metadata:minify && git add composer.lock -
Pre-commit Hook: Use Husky (JavaScript) or
pre-commit(Python) to auto-run minification before committing lockfile changes — avoid accidental uncompressed metadata leaks. -
CI Workflow with Output Validation: Have CI compare minified lockfiles against the committed version. If they differ, fail the build and instruct developers to run the minifier before pushing:
vendor/bin/composer-metadata-minifier --output=cmp.lock && diff composer.lock cmp.lock && rm cmp.lock -
Team Standardization: Commit a
composer.minify.jsonconfig file to define which fields to preserve (via--preserveoption), enforcing consistent metadata conventions across environments.
Gotchas and Tips
-
Irreversible Operation: Minification is destructive — once fields like
source.sha,dist-sha256, orextraare stripped, they’re gone. Always run it after dependency resolution, not beforecomposer install/update. Never minifycomposer.json. -
Diff Fidelity: While it reduces noise, some fields (e.g.,
time,source.reference,dist.reference) are preserved for correctness. Confirm minified diffs still show only meaningful changes. -
Git Conflicts: When using this in CI, avoid merging unminified lockfiles (from local dev without the minifier) into minified branches — expect frequent conflicts. Enforce minifier usage in local workflows via pre-commit hooks.
-
Config Flexibility: Though minimal, the tool supports a config file (
.composer-metadata-minifier.jsonor similar) to preserve optional keys. Check output of--helpfor--preserve=...usage if your setup relies on niche metadata (e.g., customextrafields). -
Staleness Warning: Last release was in 2021; verify compatibility with modern Composer v2/v3 behavior. Run
composer diagnoseafter minification to confirm lockfile integrity. For newer setups, consider whether this is superseded bycomposer install --no-dev --optimize-autoloader+ modern lockfile behavior.
How can I help you explore Laravel packages today?