Composer Require Checker Laravel Package

maglnet/composer-require-checker

CLI tool that scans your PHP sources and composer.json to ensure every used class/function/extension comes from an explicit require. Detects “soft” (transitive) dependencies and missing PHP extensions so updates don’t break your package.

Product Decisions This Supports

  • Dependency Hygiene & Risk Mitigation: Enables proactive detection of "soft" (used but not explicitly required) dependencies, reducing hidden risks from transitive updates (e.g., breaking changes in guzzlehttp/guzzle due to a major version bump in a direct dependency). Aligns with shift-left security and dependency governance initiatives.
  • Build vs. Buy: Buy—avoids reinventing static analysis for dependency validation. Justifies investment in a battle-tested tool (992 stars, MIT license) over custom solutions.
  • Roadmap Priorities:
    • Phase 1: Integrate into CI/CD pipelines (e.g., GitHub Actions) to block merges with soft dependencies.
    • Phase 2: Extend to enforce extension requirements (e.g., pdo_mysql) in composer.json via automated PRs.
    • Phase 3: Customize whitelists for legacy codebases (e.g., allow symfony/var-dumper as a soft dependency for debugging).
  • Use Cases:
    • Open-Source Projects: Prevents "dependency rot" in libraries consumed by thousands (e.g., the thatvendor/api-lib case below).
    • Enterprise PHP Apps: Ensures compliance with internal policies (e.g., "all dependencies must be explicitly required").
    • Legacy Codebases: Identifies hidden dependencies before major PHP/Composer upgrades.

When to Consider This Package

  • Adopt if:
    • Your project uses Composer and has >50 dependencies (higher risk of transitive issues).
    • You’re upgrading PHP/Composer versions and want to audit for breaking changes.
    • Your team lacks static analysis expertise but needs dependency hygiene.
    • You’re building a library (not an app) and want to avoid "surprise" breakages for downstream users.
  • Look Elsewhere if:
    • Your project uses non-PHP languages (this is PHP/Composer-specific).
    • You need runtime dependency validation (use composer validate or phpstan instead).
    • Your team prefers manual reviews over automated checks (though automated checks reduce human error).
    • You rely heavily on custom Composer installers/plugins (workaround required; see README).

How to Pitch It (Stakeholders)

For Executives:

"This tool acts like a 'dependency spellchecker' for PHP projects. Right now, our code might silently rely on libraries we didn’t explicitly install (e.g., guzzlehttp/guzzle pulled in by another package). If that library gets updated unexpectedly, our app could break. ComposerRequireChecker scans our code to flag these risks—preventing costly outages during dependency updates. It’s low-cost (MIT license), widely used (992 stars), and integrates seamlessly with our CI/CD. For a one-time setup, it saves us from future fire drills."

ROI:

  • Reduces tech debt from hidden dependencies.
  • Lowers upgrade risk (e.g., PHP 8.5 migrations).
  • Aligns with security best practices (shift-left dependency validation).

For Engineering Teams:

*"This is a static analysis tool that catches 'soft dependencies'—libraries your code uses but that aren’t listed in composer.json. Example: If thatvendor/api-lib pulls in guzzlehttp/guzzle (v2), but your code uses Guzzle v3 features, a major update could break you. The tool:

  • Scans your codebase (no runtime overhead).
  • Generates actionable reports (e.g., 'Add guzzlehttp/guzzle:^3.0 to composer.json').
  • Supports custom configs (whitelist exceptions, scan non-autoloaded files like bin/console).

How to Use:

  1. Add to CI (e.g., GitHub Actions):
    - name: Check soft dependencies
      run: php composer-require-checker.phar check composer.json
    
  2. Fail builds if soft dependencies are found.
  3. Fix issues via PRs or automated scripts.

Trade-offs:

  • False positives: Rare, but configurable (e.g., whitelist symfony/var-dumper).
  • Xdebug slowdowns: Disable Xdebug for scans (XDEBUG_MODE=off)."*
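The three "How to Use" steps and both trade-offs above as one GitHub Actions workflow. This is an added example, not code from this page or from the composer-require-checker project; it assumes the shivammathur/setup-php action, the path .github/workflows/require-check.yml, and a project that ships a bin/console script.

```yaml
# .github/workflows/require-check.yml (assumed path; added example, not from
# the composer-require-checker project)
name: Soft-dependency check

on:
  pull_request:
  push:
    branches: [main]

jobs:
  require-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-php is an assumption. "coverage: none" keeps Xdebug out of the
      # scan, and "tools:" installs the checker outside the project's own
      # vendor/ tree so it cannot add packages to the code under test.
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          coverage: none
          tools: composer-require-checker

      - run: composer install --no-interaction --prefer-dist --no-progress

      # Project-specific config. "symbol-whitelist" lists symbols, not package
      # names: dump() and dd() come from symfony/var-dumper, which stays a
      # dev-only soft dependency and must not fail the build. A config file
      # replaces the defaults, so the core extensions are listed again.
      # "scan-files" pulls in sources outside the autoloader, e.g. bin/console.
      - name: Write checker config
        run: |
          cat > composer-require-checker.json <<'EOF'
          {
            "symbol-whitelist": ["dump", "dd"],
            "php-core-extensions": ["Core", "date", "pcre", "Phar", "Reflection", "SPL", "standard"],
            "scan-files": ["bin/console"]
          }
          EOF

      # The checker exits non-zero when a used class, function or extension
      # has no explicit require, so this step alone is what blocks the merge.
      - name: Check soft dependencies
        env:
          XDEBUG_MODE: "off"
        run: composer-require-checker check --config-file=composer-require-checker.json composer.json
```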

Key Metrics to Track:

  • % of PRs blocked by soft dependencies (goal: >80% caught pre-merge).
  • Time saved during dependency upgrades (e.g., "Previously took 2 hours; now 10 minutes").