Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Composer Unused
Assessments

Composer Unused Laravel Package

icanhazstring/composer-unused

composer-unused detects and removes unused Composer dependencies in PHP/Laravel projects. It analyzes your codebase to find packages not referenced, reports what can be safely removed, and helps keep composer.json/lock lean and maintainable.

View on GitHub
Deep Wiki
Context7

Getting Started

Install the package globally or as a dev dependency:

composer require --dev icanhazstring/composer-unused

Run it from your project root:

./vendor/bin/composer-unused

It outputs a list of packages declared in require or require-dev that are not referenced in your code (via use statements, new calls, reflection, or class references). Start by reviewing these to identify candidates for safe removal — especially helpful after refactoring or when onboarding legacy projects.

Implementation Patterns

  • Pre-commit / PR Checks: Integrate into CI (e.g., GitHub Actions, GitLab CI) using --format=json or --exit-code=1 to fail the build if unused deps are detected.
  • Audit Workflows: Run locally before tagging releases or during quarterly dependency reviews. Use --with-dev to include dev dependencies in the scan.
  • Autoloading-aware Scanning: Leverages Composer’s autoload maps (vendor/composer/autoload_classmap.php, psr-4, etc.) — no manual config needed for standard layouts.
  • Project Integration: Wrap in a custom script in composer.json: 
    "scripts": {
  "audit:deps": "composer-unused --format=table --with-dev"
}
  • Team Notifications: Pipe results to Slack/email in CI using structured output (e.g., JSON → markdown summary).

Gotchas and Tips

  • False Negatives: May miss usages via dynamic class_exists(), string-based references (new $className), or runtime-generated code (e.g., Symfony’s proxy classes). Always manually verify borderline cases.
  • Dev Dependencies: Use --with-dev to avoid overlooking unused dev tools (e.g., phpunit, phpstan) — often forgotten until removed accidentally.
  • Output Formatting: Use --format=summary for high-level CI logs; --format=json for tools parsing results.
  • Exclusion Rules: Add ignore blocks in composer-unused.yaml config (create with vendor/bin/composer-unused --init) to exclude known false positives (e.g., packages only used in tests or scripts).
  • Performance: Scans scale linearly with codebase size. Add .php-cs-fixer.cache to exclusions if it exists — the scanner respects .gitignore and common exclusions automatically.
  • Reflection Edge Cases: For packages interacting with internals (e.g., Doctrine, Symfony components), verify via vendor/bin/composer-unused -vvv to see debug logs about missing references.
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
davejamesmiller/laravel-breadcrumbs
artisanry/parsedown
christhompsontldr/phpsdk
enqueue/dsn
bunny/bunny
enqueue/test
enqueue/null
enqueue/amqp-tools
milesj/emojibase
bower-asset/punycode
bower-asset/inputmask
bower-asset/jquery
bower-asset/yii2-pjax
laravel/nova
spatie/laravel-mailcoach
spatie/laravel-superseeder
laravel/liferaft
nst/json-test-suite
danielmiessler/sec-lists
jackalope/jackalope-transport