Skip to content

Correctly process composer replace constraints #230

New issue
New issue
Open
Open
Correctly process composer replace constraints#230
Labels
enhancementNew feature or request
@aboks

Description

@aboks
aboks
opened on Jun 6, 2025

The situation:

  • We have a dependency on cebe/php-openapi in a project
  • Our project also uses league/openapi-psr7-validator
  • That validator requires devizzent/cebe-php-openapi, a fork of cebe/php-openapi with support for OpenAPI 3.1 (which is why openapi-psr7-validator uses it). The devizzent/cebe-php-openapi fork indicates its drop-in-compatibility with cebe/php-openapi using a composer replace constraint.

As a consequence, our project that requires cebe/php-openapi ends up with devizzent/cebe-php-openapi in its vendor folder instead. When now running composer-dependency-analyser this gives two errors:

Found 1 shadow dependency!
(those are used, but not listed as dependency in composer.json)
  • devizzent/cebe-php-openapi
      e.g. cebe\openapi\ReferenceContext in <redacted>:221 (+ 78 more)
Found 1 unused dependency!
(those are listed in composer.json, but no usage was found in scanned paths)
  • cebe/php-openapi

It would be great if composer-dependency-analyser could take replace-constraints into account, so that the dependencies are considered valid in such a situation.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions