Skip to content

Automated Dependency Updates for Composer

Renovate supports updating Composer dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)([\w-]*)composer\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: git-tags, packagist.

Default config

  "fileMatch": [
  "versioning": "composer"

Additional Information

Extracts dependencies from composer.json files, and keeps the associated composer.lock file updated too.

If you use VCS repositories then Renovate needs a hint via the name property, which must match the relevant package. For example, the package acme/foo would need an entry in repositories similar to the following:

  "name": "acme/foo",
  "type": "vcs",
  "url": ""

Open feature requests

  • Composer/Packagist: support platform compatibility during lookup #2355
  • not all symfony packages updated #3558
  • Composer: Support stability constraints for packages #4542
  • Execute composer config http-basic before run main script #5119
  • Support specifying composer options #6295
  • Composer local package support #8176
  • Support composer packages in repositories with type path #11674
  • Composer global configuration #11980
  • matchPackageTypes #12839
  • Automated updates for config.platform.php field in composer #13676

Open bug reports

  • lockfile maintenance with composer is broken when config.platform.php is set #4396
  • Renovate attempts to downgrade a Composer package #6899
  • Composer private repositories not working #10691
  • Outdated dependency blocks advertised Composer update #11936

The above list of features and bugs were current when this page was generated on December 08, 2022.