FOSSA supports PHP projects that use Composer.
We look for and analyze files named composer.json.
FOSSA will find any package available on https://packagist.org/
License files will be declared by looking at the license field in the composer.json file or any other source code related to the package.
If an exact version is not given (i.e. a version range), FOSSA will resolve a dependency to the highest version satisfying the constraint.
Documentation on versioning: Version spec.
composer.lock file.
dev-, or .x-dev) are used within a version constraint (not given explicitly), resolving may not work
@dev, @stable, etc.)
require key of composer.json
require for dependencies. dev dependencies will be ignored (require-dev, repositories, replace will be ignored)
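
An added example (not FOSSA's code) of a pre-scan check built on the rules above: it sorts the require entries of a composer.json into exact pins, ranges that get resolved to the highest satisfying version, and the branch-name and stability-flag forms mentioned above, and it lists the require-dev entries that are ignored. The sample manifest, the function names, the plain dotted-version test for "exact", and the rule that a name without a vendor prefix is a platform package rather than a Packagist package are assumptions of this example.

```python
import json
import re

# Constructed sample manifest for illustration (not taken from FOSSA's docs).
SAMPLE = """{
  "require": {
    "php": ">=7.4",
    "monolog/monolog": "2.3.5",
    "symfony/console": "^5.4",
    "acme/widgets": "dev-main",
    "acme/legacy": "1.x-dev",
    "guzzlehttp/guzzle": "~7.0@stable"
  },
  "require-dev": {"phpunit/phpunit": "^9.5"}
}"""

EXACT = re.compile(r"^v?\d+(\.\d+){0,3}$")  # heuristic: plain dotted version

def classify(constraint):
    """Label one Composer constraint by how a scanner would have to treat it."""
    c = constraint.strip()
    if "@" in c:
        return "stability-flag"   # e.g. @dev, @stable
    parts = re.split(r"[\s,|]+", c)
    if any(p.startswith("dev-") or p.endswith(".x-dev") for p in parts):
        return "branch"           # dev-<branch> or <n>.x-dev
    if EXACT.match(c):
        return "exact"            # pinned: nothing to resolve
    return "range"                # resolved to highest satisfying version

def audit(manifest_text):
    """Split a composer.json into what gets resolved, flagged, or skipped."""
    manifest = json.loads(manifest_text)
    report = {"exact": [], "range": [], "branch": [], "stability-flag": [],
              "platform": [], "ignored-dev": sorted(manifest.get("require-dev", {}))}
    for name, constraint in manifest.get("require", {}).items():
        if "/" not in name:       # php, ext-*, lib-*: not Packagist packages
            report["platform"].append(name)
        else:
            report[classify(constraint)].append(name)
    return report

if __name__ == "__main__":
    for kind, names in audit(SAMPLE).items():
        print(f"{kind:15} {', '.join(names) or '-'}")
```

Entries reported as range, branch or stability-flag are the ones where the version in a scan report can differ from what is actually installed, so those are the ones to compare by hand.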