Automated Dependency Updates for Composer

Renovate supports updating Composer dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)([\w-]*)composer\.json$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: git-tags, packagist.

Additional Information

Extracts dependencies from composer.json files, and keeps the associated composer.lock file updated too.

If you use VCS repositories then Renovate needs a hint via the name property, which must match the relevant package. For example, the package acme/foo would need an entry in repositories similar to the following:

{
  "name": "acme/foo",
  "type": "vcs",
  "url": "http://vcs-of-acme.org/acme/foo.git"
}

Open feature requests

• Composer/Packagist: support platform compatibility during lookup #2355
• not all symfony packages updated #3558
• Composer: Support stability constraints for packages #4542
• Execute composer config http-basic before run main script #5119
• Support specifying composer options #6295
• Composer local package support #8176
• Composer global configuration #11980
• Automated updates for config.platform.php field in composer #13676

Open bug reports

• lockfile maintenance with composer is broken when config.platform.php is set #4396
• Renovate attempts to downgrade a Composer package #6899
• Composer private repositories not working #10691
• Outdated dependency blocks advertised Composer update #11936

The above list of features and bugs were current when this page was generated on August 15, 2022.