Composer Json Validator

Validate and lint PHP Composer composer.json files for structure, dependencies, autoload, and best practices. Use when asked to lint, validate, check, or audit composer.json files, verify PHP project configuration, or ensure Composer quality. Triggers on "lint composer", "validate composer.json", "check php deps", "composer best practices".

Audits

Pass

ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install composer-json-validator

Composer JSON Validator

Validate and lint PHP Composer composer.json files for structure, dependencies, autoload configuration, and best practices.

Commands

lint — Run all lint checks

python3 scripts/composer_json_validator.py lint composer.json
python3 scripts/composer_json_validator.py lint composer.json --strict
python3 scripts/composer_json_validator.py lint composer.json --format json
python3 scripts/composer_json_validator.py lint composer.json --format markdown

dependencies — Inspect require/require-dev

python3 scripts/composer_json_validator.py dependencies composer.json
python3 scripts/composer_json_validator.py dependencies composer.json --format json

scripts — Inspect scripts section

python3 scripts/composer_json_validator.py scripts composer.json
python3 scripts/composer_json_validator.py scripts composer.json --format markdown

validate — Full validation (structure + lint + summary)

python3 scripts/composer_json_validator.py validate composer.json
python3 scripts/composer_json_validator.py validate composer.json --strict --format json

Flags

Flag	Description
`--strict`	Exit code 1 on warnings (CI-friendly)
`--format text`	Human-readable output (default)
`--format json`	Machine-readable JSON
`--format markdown`	Markdown report

Lint Rules (22 checks)

Structure (5)

Valid JSON syntax
Required fields: name, description, type
Valid package name format (vendor/package)
Valid type value (library, project, metapackage, composer-plugin)
license field present and valid SPDX identifier

Dependencies (6)

No duplicate packages across require and require-dev
Version constraints use valid operators (^, ~, >=, etc.)
No dev-only packages in require (phpunit, mockery, etc.)
No wildcard * versions
PHP version constraint present in require
ext-* dependencies are explicit (not *)

Autoload (4)

PSR-4 autoload defined
Namespace ends with \\ (PSR-4 convention)
No duplicate namespaces across autoload entries
autoload-dev separate from autoload

Best Practices (7)

scripts section present
No post-install-cmd/post-update-cmd executing arbitrary URLs
config.sort-packages enabled
minimum-stability explicit when not stable
prefer-stable set when minimum-stability is not stable
No hardcoded absolute paths in autoload
All repository URLs use HTTPS

Exit Codes

Code	Meaning
0	No errors (warnings allowed unless `--strict`)
1	Errors found (or warnings in `--strict` mode)
2	Invalid arguments / file not found

Example Output

composer.json lint results
==========================
[ERROR]   name: Package name must match vendor/package format
[WARN]    dependencies: phpunit/phpunit found in require (should be in require-dev)
[WARN]    autoload: config.sort-packages not enabled
[INFO]    scripts: scripts section present

Summary: 1 error(s), 2 warning(s), 1 info