pixovoid/packagist-version-checker

Laravel Artisan command to compare installed Composer package versions with Packagist and help update composer.json

Installs: 80

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 0

Forks: 0

Open Issues: 0

pkg:composer/pixovoid/packagist-version-checker

v1.0.3 2025-12-08 18:40 UTC

This package is auto-updated.

Last update: 2025-12-08 18:45:58 UTC


README

Artisan (Laravel) command to inspect Composer packages against Packagist and help update composer.json.

Features

  • List installed packages and their installed versions
  • Show latest versions available on Packagist
  • Show which packages are outdated
  • Propose updates to composer.json and optionally run composer update

Installation

Require the package via Composer:

composer require pixovoid/packagist-version-checker

Quick setup for development

composer install
composer test

Usage examples

  • Check a single package:
    php artisan packagist:check vendor/name
  • Check all requirements from composer.json:
    php artisan packagist:check --composer
  • Check installed packages (reads composer.lock / vendor):
    php artisan packagist:check --installed
  • Show only outdated packages:
    php artisan packagist:check --installed --outdated
  • Propose updates to composer.json (dry run):
    php artisan packagist:check --composer --update --dry-run
  • Apply updates to composer.json and run composer update:
    php artisan packagist:check --composer --update --apply

Options

  • --composer: Read packages from local composer.json require/require-dev
  • --installed: Read installed packages from composer.lock or vendor/composer
  • --outdated: Show only packages that are outdated
  • --include-prereleases: Consider prerelease tags (use Latest (any) for outdated checks)
  • --update: Propose updates in composer.json
  • --update-all: Shortcut for --composer --update
  • --apply: After updating composer.json, run composer update to install new versions
  • --dry-run: Do not write changes to composer.json
  • --no-dev: Exclude require-dev when reading/updating

Behaviour & notes

  • The command compares installed/required versions with the latest stable versions on Packagist and proposes constraints using a ^<latest-stable> heuristic.
  • Pre-release tags (for example 1.2.3-beta) are treated conservatively and are not used to form constraints by default.
    • Use --include-prereleases to make the command consider prerelease tags when determining whether a package is "outdated" (it will compare against the Latest (any) column which may include prerelease tags).
    • Note: As of this release the --include-prereleases flag affects only the outdated detection and filtering. The --update proposal logic still forms ^<latest-stable> constraints by default. If you want updates proposed/applied based on prereleases too, enable that explicitly (I can add that behavior on request).
  • The tool creates a timestamped backup of composer.json before writing (e.g. composer.json.bak.20251231235959).
  • Network requests use a short timeout and a small retry/backoff strategy; Packagist responses are validated before use.
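
The split described above between outdated detection and constraint proposal, as an added PHP sketch that is not the package's own code. The function names and the tag list are constructed for illustration, and prerelease detection uses a plain regex and version_compare() rather than composer/semver.

```php
<?php
// Added illustration, not the package's code. All function names are hypothetical.
declare(strict_types=1);

/** Stable = plain numeric tag such as 1.2.3 or v1.2.3 (no -beta, -RC, dev-*). */
function isStableTag(string $tag): bool
{
    return preg_match('/^v?\d+(\.\d+){0,3}$/', $tag) === 1;
}

/** Highest tag in $tags; prerelease tags count only when $includePrereleases is true. */
function latestTag(array $tags, bool $includePrereleases): ?string
{
    $candidates = array_values(array_filter(
        $tags,
        fn (string $t): bool => preg_match('/^v?\d/', $t) === 1 // drops dev-main and similar
            && ($includePrereleases || isStableTag($t))
    ));
    usort($candidates, fn ($a, $b) => version_compare(ltrim($b, 'v'), ltrim($a, 'v')));
    return $candidates[0] ?? null;
}

/** Returns [outdated?, proposed constraint] for one package. */
function evaluate(string $installed, array $tags, bool $includePrereleases): array
{
    $latestStable = latestTag($tags, false);
    $latestAny    = latestTag($tags, true);
    // The flag changes only what "outdated" is measured against ...
    $reference = $includePrereleases ? $latestAny : $latestStable;
    $outdated  = $reference !== null
        && version_compare(ltrim($installed, 'v'), ltrim($reference, 'v'), '<');
    // ... while the proposed constraint is always built from the latest stable tag.
    $constraint = $latestStable !== null ? '^' . ltrim($latestStable, 'v') : null;
    return [$outdated, $constraint];
}

// Constructed tag list for a fictional package.
$tags = ['dev-main', '1.2.0', '1.2.3', 'v1.2.4', '1.3.0-beta1'];

var_dump(evaluate('1.2.4', $tags, false));
var_dump(evaluate('1.2.4', $tags, true));
```

With 1.2.4 installed, turning the flag on flips the outdated result because 1.3.0-beta1 becomes the reference, while the proposed constraint stays ^1.2.4 in both calls.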

Requirements

  • PHP: ^8.4

Dependencies

  • Runtime: illuminate/support (as declared in composer.json)
  • Network and version handling: symfony/http-client (used for Packagist requests)
  • Semver comparisons: composer/semver (used when available for robust comparisons)

Development & testing

Install dependencies and run tests:

composer install
composer test

To run the command locally while developing the package, register it in your application or run it from a Laravel app that includes this package via a path repository.

Security & disclaimer

  • This package is provided "as is" without warranties. Use at your own risk. The author and contributors are not liable for damages resulting from its use.
  • Always review proposed composer.json changes and test them in a safe environment before applying to production. The command creates backups automatically.

Support & Contributing

Report issues or feature requests on GitHub: https://github.com/PixoVoid/packagist-version-checker/issues

Contributions are welcome. Please open pull requests against the main branch and follow the project's coding standards.

License

MIT — see the LICENSE file for details.

Implementation Notes

  • HttpClient DI: The package binds Symfony\Contracts\HttpClient\HttpClientInterface in the service provider so the CheckPackagist command receives a client instance via constructor injection. This makes the command easy to test and lets applications provide custom HTTP client configuration.
  • Streaming & Memory: Packagist responses are read in a defensive way: the command checks the Content-Length header and streams responses in small chunks (with a hard safety limit of 1 MB) to avoid exhausting PHP memory. For environments that still encounter large compressed responses, the command temporarily raises memory_limit during execution as a pragmatic fallback.
  • Atomic Writes: When proposing and applying composer.json updates the command creates a timestamped backup and uses a temp file + exclusive lock + atomic rename() to avoid corrupting composer.json on failure.
  • Semver policy: The default behavior is conservative — pre-release tags are ignored when forming ^<version> constraints. Handling for 0.x packages and configurable constraint policies are TODOs (see project TODO list).
  • Testing: Unit tests mock HttpClientInterface and exercise fetchPackage() logic. Reflection-based access was replaced with a small test subclass to avoid PHP 8.5 deprecation warnings.
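
The backup, temp file, lock and rename() sequence from the Atomic Writes note, as an added PHP sketch that is not the package's own code. The function name, the sidecar lock file name and the demo directory are assumptions; the page does not say which file the package locks.

```php
<?php
// Added illustration, not the package's code. Function and lock-file names are hypothetical.
declare(strict_types=1);

function writeManifestAtomically(string $path, array $manifest): string
{
    $json = json_encode($manifest, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR) . "\n";
    // Sidecar lock: serialises concurrent runs without locking a file that is about to be replaced.
    $lock = fopen($path . '.update-lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('Could not acquire update lock');
    }
    // The temp file sits next to the target so rename() stays on one filesystem.
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(6));
    try {
        $backup = $path . '.bak.' . date('YmdHis');
        if (!copy($path, $backup)) {
            throw new RuntimeException('Backup failed, composer.json left untouched');
        }
        $out = fopen($tmp, 'x'); // 'x' fails if the name already exists
        if ($out === false || fwrite($out, $json) !== strlen($json)
            || !fflush($out) || !fsync($out) || !fclose($out)) {
            throw new RuntimeException('Writing temp file failed');
        }
        if (!rename($tmp, $path)) { // readers see the old or the new file, never a partial one
            throw new RuntimeException('Rename failed');
        }
        return $backup;
    } finally {
        if (is_file($tmp)) {
            unlink($tmp); // only still present when a step above failed
        }
        flock($lock, LOCK_UN);
        fclose($lock);
    }
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . '/pvc-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/composer.json", '{"require":{"vendor/name":"^1.2.0"}}');
$backup = writeManifestAtomically("$dir/composer.json", ['require' => ['vendor/name' => '^1.2.4']]);
echo basename($backup), "\n", file_get_contents("$dir/composer.json");
```

If any step before rename() throws, composer.json is still the original file and the backup is an untouched copy of it.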

Debugging & Troubleshooting

  • If you see an OOM (out-of-memory) error when running the command against many or very large packages, try running with a higher memory limit:
    php -d memory_limit=512M artisan packagist:check --installed --outdated
  • For verbose diagnostic output use the -v flag. The command emits information about HTTP status, retry timing and when responses are skipped because they exceed the safety limit.
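
A bounded read of the kind the Streaming & Memory note describes (Content-Length check, chunked streaming under a hard cap, validation before use), as an added PHP sketch that is not the package's own code. It assumes symfony/http-client is installed; fetchBounded(), the Packagist p2 metadata URL and the mocked responses are assumptions made for the example.

```php
<?php
// Added illustration, not the package's code; fetchBounded() and the URL are assumptions.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';
use Symfony\Component\HttpClient\MockHttpClient;
use Symfony\Component\HttpClient\Response\MockResponse;
use Symfony\Contracts\HttpClient\HttpClientInterface;

function fetchBounded(HttpClientInterface $client, string $name, int $limit = 1_048_576): ?array
{
    $response = $client->request('GET', "https://repo.packagist.org/p2/$name.json", ['timeout' => 5]);
    if ($response->getStatusCode() !== 200) {
        return null;
    }
    // Content-Length can justify an early reject, but it may be absent or describe
    // the compressed size, so the byte counter below is the real limit.
    $declared = $response->getHeaders(false)['content-length'][0] ?? null;
    if ($declared !== null && (int) $declared > $limit) {
        $response->cancel();
        return null;
    }
    $body = '';
    foreach ($client->stream($response) as $chunk) {
        $body .= $chunk->getContent();
        if (strlen($body) > $limit) {
            $response->cancel(); // stop downloading and skip this package
            return null;
        }
    }
    // Validate the shape before any field is trusted.
    $data = json_decode($body, true);
    $versions = is_array($data) ? ($data['packages'][$name] ?? null) : null;
    if (!is_array($versions)) {
        return null;
    }
    foreach ($versions as $v) {
        if (!is_array($v) || !is_string($v['version'] ?? null)) {
            return null;
        }
    }
    return array_column($versions, 'version');
}

// Constructed responses: one small and valid, one oversized with no Content-Length.
$ok  = new MockResponse(['{"packages":{"vendor/name":', '[{"version":"1.2.4"}]}}']);
$big = new MockResponse([str_repeat('x', 600), str_repeat('x', 600)]);
$client = new MockHttpClient([$ok, $big]);
var_dump(fetchBounded($client, 'vendor/name', 1024), fetchBounded($client, 'vendor/name', 1024));
```

The second call uses a 1024-byte limit against a 1200-byte body to show the skip path; the default limit matches the 1 MB cap stated above.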

Publishing Notes

  • Package name: pixovoid/packagist-version-checker (update composer.json author/description if required before publishing).
  • Recommended pre-publish checklist: run composer test, add a GitHub Actions workflow to run tests on push/PR, and consider running phpstan for static checks.