shipmonk/composer-dependency-analyser
Fast, zero-dependency tool to analyze Composer dependencies. Detects unused, shadowed, and misplaced packages/extensions by scanning your autoload paths. Works out of the box, highly configurable, and very performant (15k files in ~2s). Compatible with PHP 7.2–8.5.
Install the package as a dev dependency with composer require --dev shipmonk/composer-dependency-analyser. Run it immediately with vendor/bin/composer-dependency-analyser — no config needed for initial use. It auto-scans autoload and autoload-dev paths from your composer.json, reports shadow, unused, and misplaced dependencies out of the box. Start with the default console output to identify obvious issues (e.g., unused packages like nette/utils or dev dependencies used in production code). Use --help or vendor/bin/composer-dependency-analyser --dump-usages vendor/package to investigate specific reports.
Integrate into CI workflows to fail builds on dependency issues (composer check:deps → composer-dependency-analyser). Add a composer-dependency-analyser.php config file in your project root to fine-tune ignored errors per path/package/extension, adjust scanned paths, or disable extension analysis. Use --format=junit for CI integration and visual dashboards. Leverage --dump-usages=* to verify false positives or understand why a dependency is flagged. For projects using DIC config files (YAML, NEON), extract class references via regex or manual parsing into addForceUsedSymbols() to avoid false unused dependency reports.
ignoreErrorsOnPackage or addForceUsedSymbols() to suppress them. Always validate dumps via --dump-usages.ext-* symbols are misreported, ensure your PHP runtime has the extension enabled or use --disable-ext-analysis / $config->disableExtensionsAnalysis()./src vs /src/Controller) take precedence. Confusing prod vs dev categorization can cause misplacement reports — review path scanning logic.--composer-json=path/to/other/composer.json or explicit config.disableReportingUnmatchedIgnores() only after verifying ignore patterns match — unmatched ignores rarely help debugging.setFileExtensions(['php']) and exclude large directories (e.g., vendor, tests). The tool’s 2s scan time assumes typical PHP projects — adjust expectations for truly massive repos.How can I help you explore Laravel packages today?