How does this package help Laravel projects manage PHAR-based tools like PHPStan or Psalm?

It lets you install PHAR tools via Composer (e.g., `composer require --dev phar-io/your-plugin`) while avoiding version conflicts with your Laravel project’s dependencies. The package handles downloads, verification, and updates automatically, keeping your dev tools deterministic and reproducible in Laravel’s `vendor/bin` directory.

Will this work with Laravel 9 or 10 (PHP 8.1+) without deprecation warnings?

Yes. The 1.0.2 release fixes Iterator type warnings in PHP 8.1+, so it’s fully compatible with Laravel 9+/10+ without triggering deprecation notices. No additional configuration is needed—just require the package as usual.

Can I use this to replace Laravel Mix’s `composer.phar` or other manual PHAR downloads?

Absolutely. This package is designed for exactly that—replacing ad-hoc PHAR downloads with Composer-managed installs. For Laravel Mix, you’d configure it in your `composer.json` to pull PHAR versions of tools like PHPUnit or PHPStan, ensuring consistency across environments.

How do I integrate this into a Laravel project’s CI/CD pipeline?

Add the Composer plugin to your project’s `composer.json` under `extra.plugins`, then run `composer install` or `composer update`. The PHAR tools will be installed in `vendor/bin` alongside Laravel’s dependencies. No extra Laravel-specific setup is required—it works like any other Composer package.

Does this package support offline or air-gapped Laravel deployments?

Yes. Once PHAR files are downloaded and verified (via Composer’s signature checks), they’re cached locally. This makes it ideal for offline Laravel deployments or environments where external downloads are restricted. Just ensure `composer.lock` is synced across environments.

What happens if Composer’s signature verification fails during a Laravel CI build?

The package relies on Composer’s built-in signature verification. If verification fails, Composer will throw an error (as it normally does for unsigned packages). For CI, you can pre-download PHARs with signatures or use Composer’s `--no-secure-http` flag temporarily, though this weakens security.

Are there any Laravel-specific gotchas when using this with service providers or Artisan commands?

No gotchas, but ensure your Laravel service providers or Artisan commands reference the PHAR tools via `vendor/bin/` (e.g., `require __DIR__.'/../../vendor/bin/phpstan'`). The PHP 8.1+ Iterator fix reduces the risk of runtime errors in custom commands, making it safer for Laravel integrations.

Can I create a custom Composer plugin for Laravel-specific PHAR tools using this package?

Yes. Follow the [three-step guide](https://github.com/phar-io/composer-distributor#create-your-own) to scaffold a plugin, configure `distributor.xml`, and publish it to Packagist. Laravel projects can then install it like any other Composer package, and it will handle PHAR downloads automatically.

How does version pinning work with Laravel’s `composer.lock`? Does it conflict?

Version pinning works as expected—PHAR versions are locked in `composer.lock` just like other dependencies. There’s no conflict with Laravel’s lockfile, but ensure your Laravel project’s `composer.json` explicitly requires the PHAR plugin (e.g., `yournamespace/your-plugin:^1.0`).

What are the alternatives to this package for managing PHAR tools in Laravel?

Alternatives include manually downloading PHARs (risky for consistency) or using tools like `phpbrew` or `phpenv`. However, this package is the most Laravel-friendly option because it integrates seamlessly with Composer’s dependency resolution, `composer.lock`, and Laravel’s `vendor/bin` structure—no extra tooling required.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Composer Distributor Laravel Package

phar-io/composer-distributor

Library to build Composer plugins that install and update PHAR-based tools instead of source code. Ideal for dev utilities like PHPUnit/PHPStan/Psalm: keep installs via Composer while avoiding dependency conflicts by distributing signed PHAR releases.

View on GitHub

Deep Wiki

Context7

Distribute PHAR files via Composer

Frequently asked questions about Composer Distributor

How does this package help Laravel projects manage PHAR-based tools like PHPStan or Psalm?: It lets you install PHAR tools via Composer (e.g., `composer require --dev phar-io/your-plugin`) while avoiding version conflicts with your Laravel project’s dependencies. The package handles downloads, verification, and updates automatically, keeping your dev tools deterministic and reproducible in Laravel’s `vendor/bin` directory.
Will this work with Laravel 9 or 10 (PHP 8.1+) without deprecation warnings?: Yes. The 1.0.2 release fixes Iterator type warnings in PHP 8.1+, so it’s fully compatible with Laravel 9+/10+ without triggering deprecation notices. No additional configuration is needed—just require the package as usual.
Can I use this to replace Laravel Mix’s `composer.phar` or other manual PHAR downloads?: Absolutely. This package is designed for exactly that—replacing ad-hoc PHAR downloads with Composer-managed installs. For Laravel Mix, you’d configure it in your `composer.json` to pull PHAR versions of tools like PHPUnit or PHPStan, ensuring consistency across environments.
How do I integrate this into a Laravel project’s CI/CD pipeline?: Add the Composer plugin to your project’s `composer.json` under `extra.plugins`, then run `composer install` or `composer update`. The PHAR tools will be installed in `vendor/bin` alongside Laravel’s dependencies. No extra Laravel-specific setup is required—it works like any other Composer package.
Does this package support offline or air-gapped Laravel deployments?: Yes. Once PHAR files are downloaded and verified (via Composer’s signature checks), they’re cached locally. This makes it ideal for offline Laravel deployments or environments where external downloads are restricted. Just ensure `composer.lock` is synced across environments.
What happens if Composer’s signature verification fails during a Laravel CI build?: The package relies on Composer’s built-in signature verification. If verification fails, Composer will throw an error (as it normally does for unsigned packages). For CI, you can pre-download PHARs with signatures or use Composer’s `--no-secure-http` flag temporarily, though this weakens security.
Are there any Laravel-specific gotchas when using this with service providers or Artisan commands?: No gotchas, but ensure your Laravel service providers or Artisan commands reference the PHAR tools via `vendor/bin/` (e.g., `require __DIR__.'/../../vendor/bin/phpstan'`). The PHP 8.1+ Iterator fix reduces the risk of runtime errors in custom commands, making it safer for Laravel integrations.
Can I create a custom Composer plugin for Laravel-specific PHAR tools using this package?: Yes. Follow the [three-step guide](https://github.com/phar-io/composer-distributor#create-your-own) to scaffold a plugin, configure `distributor.xml`, and publish it to Packagist. Laravel projects can then install it like any other Composer package, and it will handle PHAR downloads automatically.
How does version pinning work with Laravel’s `composer.lock`? Does it conflict?: Version pinning works as expected—PHAR versions are locked in `composer.lock` just like other dependencies. There’s no conflict with Laravel’s lockfile, but ensure your Laravel project’s `composer.json` explicitly requires the PHAR plugin (e.g., `yournamespace/your-plugin:^1.0`).
What are the alternatives to this package for managing PHAR tools in Laravel?: Alternatives include manually downloading PHARs (risky for consistency) or using tools like `phpbrew` or `phpenv`. However, this package is the most Laravel-friendly option because it integrates seamlessly with Composer’s dependency resolution, `composer.lock`, and Laravel’s `vendor/bin` structure—no extra tooling required.

Popularity trends

Recorded values over time (once-a-day snapshots). May 18, 2026 – Jun 16, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

Favorites

Forks

Score

3.7

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 13

+0.1
Forks

input: 2

+0.1
Open issues + PRs

input: 5

+0.5
Releases

input: 9

+2.7
Recency

input: 977

+0.0
Issue opportunity

input: 3

+0.4
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 3.7

Opportunity

51.6

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

91.7
Contribution need

open_issues + open_prs: 5

3.8
Health factor

archived + recency + open issues

×0.85

Total 51.6

License

NOASSERTION

Last release

Oct 13, 2023

Watchers

Downloads

65K/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

cocosmos/filament-sticky-save-bar

patrickbussmann/oauth2-apple

3brs/enterprise-security-bundle

anousss007/vigilance

supportpal/eloquent-model

ardenexal/fhir-models

laravel-at/laravel-image-sanitize

romalytar/yammi-audit-log-laravel

ardenexal/fhir-validation

arshaviras/weather-widget

laravel-chronicle/core

sunchayn/nimbus

daikazu/eloquent-salesforce-objects

unseen-codes/chat

romalytar/yammi-jobs-monitoring-laravel

kisame76/filament-db-table-state

nqxcode/laravel-lucene-search

dpfx/laravel-livewire-wizards

workos/workos-php-laravel

sofa/laravel-global-scope