composer.json
PHP Composer configuration file
| Type | object |
|---|---|
| File match |
composer.json
|
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/composer-json/latest.json |
| Source | https://getcomposer.org/schema.json |
Validate with Lintel
npx @lintel/lintel checkProperties
Package name, including 'vendor-name/' prefix.
Short package description.
License name. Or an array of license names.
Package type, either 'library' for common packages, 'composer-plugin' for plugins, 'metapackage' for empty packages, or a custom type ([a-z0-9-]+) defined by whatever project this package applies to.
Indicates whether this package has been abandoned, it can be boolean or a package name/URL pointing to a recommended alternative. Defaults to false.
Package version, see https://getcomposer.org/doc/04-schema.md#version for more info on valid schemes.
Internal use only, do not specify this in composer.json. Indicates whether this version is the default branch of the linked VCS repository. Defaults to false.
A set of string or regex patterns for non-numeric branch names that will not be handled as feature branches.
Relative path to the readme document.
Package release date, in 'YYYY-MM-DD', 'YYYY-MM-DD HH:MM:SS' or 'YYYY-MM-DDTHH:MM:SSZ' format.
List of authors that contributed to the package. This is typically the main maintainers, not the full list.
Homepage URL for the project.
10 nested properties
Email address for support.
URL to the issue tracker.
URL to the forum.
URL to the wiki.
IRC channel for support, as irc://server/channel.
URL to the support chat.
URL to browse or download the sources.
URL to the documentation.
URL to the RSS feed.
URL to the vulnerability disclosure policy (VDP).
A list of options to fund the development and maintenance of the package.
4 nested properties
5 nested properties
A key to store comments in
This is an object of package name (keys) and version constraints (values) that are required to run this package.
This is an object of package name (keys) and version constraints (values) that this package requires for developing it (testing tools and such).
This is an object of package name (keys) and version constraints (values) that can be replaced by this package.
This is an object of package name (keys) and version constraints (values) that conflict with this package.
This is an object of package name (keys) and version constraints (values) that this package provides in addition to this package's name.
This is an object of package name (keys) and descriptions (values) that this package suggests work well with it (this will be suggested to the user during installation).
A set of additional repositories where packages can be found.
The minimum stability the packages must have to be install-able. Possible values are: dev, alpha, beta, RC, stable.
If set to true, stable packages will be preferred to dev packages when possible, even if the minimum-stability allows unstable packages.
Description of how the package can be autoloaded.
5 nested properties
This is an object of namespaces (keys) and the directories they can be found in (values, can be arrays of paths) by the autoloader.
This is an object of namespaces (keys) and the PSR-4 directories they can map to (values, can be arrays of paths) by the autoloader.
This is an array of paths that contain classes to be included in the class-map generation process.
This is an array of files that are always required on every request.
This is an array of patterns to exclude from autoload classmap generation. (e.g. "exclude-from-classmap": ["/test/", "/tests/", "/Tests/"]
Description of additional autoload rules for development purpose (eg. a test suite).
4 nested properties
This is an object of namespaces (keys) and the directories they can be found into (values, can be arrays of paths) by the autoloader.
This is an object of namespaces (keys) and the PSR-4 directories they can map to (values, can be arrays of paths) by the autoloader.
This is an array of paths that contain classes to be included in the class-map generation process.
This is an array of files that are always required on every request.
DEPRECATED: Forces the package to be installed into the given subdirectory path. This is used for autoloading PSR-0 packages that do not contain their full path. Use forward slashes for cross-platform compatibility.
DEPRECATED: A list of directories which should get added to PHP's include path. This is only present to support legacy projects, and all new code should preferably use autoloading.
A set of files, or a single file, that should be treated as binaries and symlinked into bin-dir (from config).
Options for creating package archives for distribution.
2 nested properties
A base name for archive.
A list of patterns for paths to exclude or include if prefixed with an exclamation mark.
Settings for PHP extension packages.
9 nested properties
If specified, this will be used as the name of the extension, where needed by tooling. If this is not specified, the extension name will be derived from the Composer package name (e.g. vendor/name would become ext-name). The extension name may be specified with or without the ext- prefix, and tools that use this must normalise this appropriately.
This is used to add a prefix to the INI file, e.g. 90-xdebug.ini which affects the loading order. The priority is a number in the range 10-99 inclusive, with 10 being the highest priority (i.e. will be processed first), and 99 being the lowest priority (i.e. will be processed last). There are two digits so that the files sort correctly on any platform, whether the sorting is natural or not.
Does this package support Zend Thread Safety
Does this package support non-Thread Safe mode
If specified, this is the subdirectory that will be used to build the extension instead of the root of the project.
An array of OS families to mark as compatible with the extension. Specifying this property will mean this package is not installable with PIE on any OS family not listed here. Must not be specified alongside os-families-exclude.
An array of OS families to mark as incompatible with the extension. Specifying this property will mean this package is installable on any OS family except those listed here. Must not be specified alongside os-families.
These configure options make up the flags that can be passed to ./configure when installing the extension.
Composer options.
59 nested properties
This is an object of package name (keys) and version (values) that will be used to mock the platform packages on this machine, the version can be set to false to make it appear like the package is not present.
This is an object of {"pattern": true|false} with packages which are allowed to be loaded as plugins, or true to allow all, false to allow none. Defaults to {} which prompts when an unknown plugin is added.
The timeout in seconds for process executions, defaults to 300 (5mins).
If true, the Composer autoloader will also look for classes in the PHP include path.
When running Composer in a directory where there is no composer.json, if there is one present in a directory above Composer will by default ask you whether you want to use that directory's composer.json instead. One of: true (always use parent if needed), false (never ask or use it) or "prompt" (ask every time), defaults to prompt.
The install method Composer will prefer to use, defaults to auto and can be any of source, dist, auto, or an object of {"pattern": "preference"}.
Security audit and version blocking configuration options
8 nested properties
Whether abandoned packages should be ignored, reported as problems or cause an audit failure. Applies only to audit reports, not to version blocking.
Whether filtered packages should be ignored, reported as problems or cause an audit failure. Applies only to audit reports, not to version blocking.
Whether repositories that are unreachable or return a non-200 status code should be ignored or not. Applies only to the composer audit command, does not affect audit report summaries in other commands or version blocking.
Whether insecure versions should be blocked during a composer update/require command or not.
Whether abandoned packages should be blocked during a composer update/require command or not. Applies only if blocking of insecure versions is enabled.
Filter list configuration options. Set to true to enable with defaults, to false to fully disable, or configure with an object.
3 nested properties
Whether filter list sources that are unreachable or return a non-200 status code should be ignored.
Packages to exempt from filtering. Each item can be a package name string, a {"vendor/package": "constraint"} object, or a detailed object with package, constraint, reason, and apply fields.
Additional sources to fetch filter list data from.
Composer allows repositories to define a notification URL, so that they get notified whenever a package from that repository is installed. This option allows you to disable that behaviour, defaults to true.
If true (default), Composer will fall back to a different installation source (e.g., from dist to source or vice versa) when a download fails. Set to false to disable this behavior.
A list of protocols to use for github.com clones, in priority order, defaults to ["https", "ssh", "git"].
An object of domain name => github API oauth tokens, typically {"github.com":"
An object of domain name => gitlab API oauth tokens, typically {"gitlab.com":{"expires-at":"
An object of domain name => gitlab private tokens, typically {"gitlab.com":"
A protocol to force use of when creating a repository URL for the source value of the package metadata. One of git or http. By default, Composer will generate a git URL for private repositories and http one for public repos.
An object of domain name => bearer authentication token, for example {"example.com":"
Custom HTTP headers for specific domains.
An object of domain name => forgejo username/access token, typically {"codeberg.org":{"username": "
Defaults to false. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the php_openssl extension in php.ini.
Defaults to true. If set to true only HTTPS URLs are allowed to be downloaded via Composer. If you really absolutely need HTTP access to something then you can disable it, but using "Let's Encrypt" to get a free SSL certificate is generally a better alternative.
A list of domains which should be trusted/marked as using a secure Subversion/SVN transport. By default svn:// protocol is seen as insecure and will throw. This is a better/safer alternative to disabling secure-http altogether.
A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically.
If cafile is not specified or if the certificate is not found there, the directory pointed to by capath is searched for a suitable certificate. capath must be a correctly hashed certificate directory.
An object of domain name => {"username": "...", "password": "..."}.
An object of domain name => {"local_cert": "...", "local_pk"?: "...", "passphrase"?: "..."} to provide client certificate.
What to do after prompting for authentication, one of: true (store), false (do not store) or "prompt" (ask every time), defaults to prompt.
The location where all packages are installed, defaults to "vendor".
The location where all binaries are linked, defaults to "vendor/bin".
The location where old phar files are stored, defaults to "$home" except on XDG Base Directory compliant unixes.
The location where all caches are located, defaults to "~/.composer/cache" on *nix and "%LOCALAPPDATA%\Composer" on windows.
The location where files (zip downloads) are cached, defaults to "{$cache-dir}/files".
The location where repo (git/hg repo clones) are cached, defaults to "{$cache-dir}/repo".
The location where vcs infos (git clones, github api calls, etc. when reading vcs repos) are cached, defaults to "{$cache-dir}/vcs".
The default cache time-to-live, defaults to 15552000 (6 months).
The cache time-to-live for files, defaults to the value of cache-ttl.
The cache max size for the files cache, defaults to "300MiB".
Whether to use the Composer cache in read-only mode.
The compatibility of the binaries, defaults to "auto" (automatically guessed), can be "full" (compatible with both Windows and Unix-based systems) and "proxy" (only bash-style proxy).
The default style of handling dirty updates, defaults to false and can be any of true, false or "stash".
Optional string to be used as a suffix for the generated Composer autoloader. When null a random one will be generated.
Always optimize when dumping the autoloader.
If false, the composer autoloader will not be prepended to existing autoloaders, defaults to true.
If true, the composer autoloader will not scan the filesystem for classes that are not found in the class map, defaults to false.
If true, the Composer autoloader will check for APCu and use it to cache found/not-found classes when the extension is enabled, defaults to false.
A list of domains to use in github mode. This is used for GitHub Enterprise setups, defaults to ["github.com"].
Defaults to true. If set to false, the OAuth tokens created to access the github API will have a date instead of the machine hostname.
A list of domains to use in gitlab mode. This is used for custom GitLab setups, defaults to ["gitlab.com"].
A list of domains to use in forgejo mode. This is used for custom Forgejo setups, defaults to ["codeberg.org"].
An object of domain name => {"consumer-key": "...", "consumer-secret": "..."}.
Defaults to true. If set to false, globally disables the use of the GitHub API for all GitHub repositories and clones the repository as it would for any other repository.
The default archiving format when not provided on cli, defaults to "tar".
The default archive path when not provided on cli, defaults to ".".
Defaults to true. If set to false, Composer will not create .htaccess files in the composer home, cache, and data directories.
Defaults to false. If set to true, Composer will sort packages when adding/updating a new dependency.
Defaults to true. If set to false, Composer will not create a composer.lock file.
Defaults to "php-only" which checks only the PHP version. Setting to true will also check the presence of required PHP extensions. If set to false, Composer will not create and require a platform_check.php file as part of the autoloader bootstrap.
Defaults to false and can be any of true, false, "dev" or "no-dev". If set to true, Composer will run the bump command after running the update command. If set to "dev" or "no-dev" then only the corresponding dependencies will be bumped.
Defaults to false. If set to true, Composer will allow install when lock file is not up to date with the latest changes in composer.json.
Defaults to false. If set to true, Composer will only perform absolutely necessary changes to transitive dependencies during update.
Arbitrary extra data that can be used by plugins, for example, package of type composer-plugin may have a 'class' key defining an installer class name.
Script listeners that will be executed before/after some events.
16 nested properties
Occurs before the install command is executed, contains one or more Class::method callables or shell commands.
Occurs after the install command is executed, contains one or more Class::method callables or shell commands.
Occurs before the update command is executed, contains one or more Class::method callables or shell commands.
Occurs after the update command is executed, contains one or more Class::method callables or shell commands.
Occurs before the status command is executed, contains one or more Class::method callables or shell commands.
Occurs after the status command is executed, contains one or more Class::method callables or shell commands.
Occurs before a package is installed, contains one or more Class::method callables or shell commands.
Occurs after a package is installed, contains one or more Class::method callables or shell commands.
Occurs before a package is updated, contains one or more Class::method callables or shell commands.
Occurs after a package is updated, contains one or more Class::method callables or shell commands.
Occurs before a package has been uninstalled, contains one or more Class::method callables or shell commands.
Occurs after a package has been uninstalled, contains one or more Class::method callables or shell commands.
Occurs before the autoloader is dumped, contains one or more Class::method callables or shell commands.
Occurs after the autoloader is dumped, contains one or more Class::method callables or shell commands.
Occurs after the root-package is installed, contains one or more Class::method callables or shell commands.
Occurs after the create-project command is executed, contains one or more Class::method callables or shell commands.
Descriptions for custom commands, shown in console help.
Aliases for custom commands.
Definitions
List of authors that contributed to the package. This is typically the main maintainers, not the full list.
Description of how the package can be autoloaded.
This is an object of namespaces (keys) and the directories they can be found in (values, can be arrays of paths) by the autoloader.
This is an object of namespaces (keys) and the PSR-4 directories they can map to (values, can be arrays of paths) by the autoloader.
This is an array of paths that contain classes to be included in the class-map generation process.
This is an array of files that are always required on every request.
This is an array of patterns to exclude from autoload classmap generation. (e.g. "exclude-from-classmap": ["/test/", "/tests/", "/Tests/"]
Filter list configuration for this repository. Set to false to disable filter lists from this repository entirely, or configure with an object.
2 nested properties
Filter lists to use from this repository. Use 'defaults' to include all default lists advertised by the repository, prefix a name with '!' to exclude it, or provide objects for detailed configuration.
[
"defaults"
]Packages to exempt from filtering. Each item can be a package name string, a {"vendor/package": "constraint"} object, or a detailed object with package, constraint, reason, and apply fields.
4 nested properties
Package name, including 'vendor-name/' prefix.
DEPRECATED: Forces the package to be installed into the given subdirectory path. This is used for autoloading PSR-0 packages that do not contain their full path. Use forward slashes for cross-platform compatibility.
List of authors that contributed to the package. This is typically the main maintainers, not the full list.
Description of how the package can be autoloaded.
5 nested properties
This is an object of namespaces (keys) and the directories they can be found in (values, can be arrays of paths) by the autoloader.
This is an object of namespaces (keys) and the PSR-4 directories they can map to (values, can be arrays of paths) by the autoloader.
This is an array of paths that contain classes to be included in the class-map generation process.
This is an array of files that are always required on every request.
This is an array of patterns to exclude from autoload classmap generation. (e.g. "exclude-from-classmap": ["/test/", "/tests/", "/Tests/"]
1 nested properties
A set of files, or a single file, that should be treated as binaries and symlinked into bin-dir (from config).
DEPRECATED: A list of directories which should get added to PHP's include path. This is only present to support legacy projects, and all new code should preferably use autoloading.
4 nested properties
5 nested properties
Packages to exempt from filtering. Each item can be a package name string, a {"vendor/package": "constraint"} object, or a detailed object with package, constraint, reason, and apply fields.