
Automated Dependency Updates for Composer

Renovate supports updating Composer dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)([\w-]*)composer\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: git-tags, packagist.

Additional Information

Extracts dependencies from composer.json files, and keeps the associated composer.lock file updated too.

If you use VCS repositories then Renovate needs a hint via the name property, which must match the relevant package. For example, the package acme/foo would need an entry in repositories similar to the following:

{
  "name": "acme/foo",
  "type": "vcs",
  "url": "http://vcs-of-acme.org/acme/foo.git"
}
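
The two checks this page describes, as an added example (not Renovate's own code): the default fileMatch pattern applied to candidate paths, and a scan of a composer.json for vcs repositories entries that lack the name hint. The manifest is constructed sample data, the function names are hypothetical, and treating "the relevant package" as a key of require or require-dev is an assumption.

```javascript
// Added example; function names and sample data are constructed for illustration.
const FILE_MATCH = /(^|\/)([\w-]*)composer\.json$/; // default pattern quoted above

function matchesDefaultFileMatch(path) {
  return FILE_MATCH.test(path);
}

// Report "vcs" repositories entries without a usable name hint: either the
// name is absent, or it names nothing in require/require-dev
// (assumption: "the relevant package" is one of those keys).
function checkVcsNameHints(composerJsonText) {
  const manifest = JSON.parse(composerJsonText);
  const required = new Set(
    [...Object.keys(manifest.require || {}),
     ...Object.keys(manifest['require-dev'] || {})].map((n) => n.toLowerCase())
  );
  const findings = [];
  // Composer accepts "repositories" as an array or as an object keyed by label;
  // entries such as {"packagist.org": false} are not objects and are skipped.
  for (const repo of Object.values(manifest.repositories || {})) {
    if (!repo || typeof repo !== 'object' || repo.type !== 'vcs') continue;
    if (typeof repo.name !== 'string' || repo.name === '') {
      findings.push({ url: repo.url, problem: 'missing-name' });
    } else if (!required.has(repo.name.toLowerCase())) {
      findings.push({ url: repo.url, problem: 'name-matches-no-dependency' });
    }
  }
  return findings;
}

// Constructed manifest: first entry is the page's example, the others are faulty.
const SAMPLE = JSON.stringify({
  require: { 'acme/foo': '^1.0', 'acme/bar': '^2.0' },
  repositories: [
    { name: 'acme/foo', type: 'vcs', url: 'http://vcs-of-acme.org/acme/foo.git' },
    { type: 'vcs', url: 'https://vcs.example.test/acme/bar.git' },
    { name: 'acme/baz', type: 'vcs', url: 'https://vcs.example.test/acme/baz.git' },
  ],
});

for (const p of ['composer.json', 'tools/dev-composer.json', 'composer.lock']) {
  console.log(p, matchesDefaultFileMatch(p));
}
console.log(checkVcsNameHints(SAMPLE));
```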

Open feature requests

  • Composer/Packagist: support platform compatibility during lookup #2355
  • not all symfony packages updated #3558
  • Composer: Support stability constraints for packages #4542
  • Execute composer config http-basic before run main script #5119
  • Support specifying composer options #6295
  • Composer local package support #8176
  • Composer global configuration #11980
  • Automated updates for config.platform.php field in composer #13676

Open bug reports

  • lockfile maintenance with composer is broken when config.platform.php is set #4396
  • Renovate attempts to downgrade a Composer package #6899
  • Composer private repositories not working #10691
  • Outdated dependency blocks advertised Composer update #11936

The above lists of features and bugs were current when this page was generated on August 15, 2022.