Composer Validation Analyzer

Analyzer ID	Category	Severity	Time To Fix
composer-validation	✅ Reliability	Critical	10 minutes

What This Checks

• Confirms composer.json exists and contains valid JSON
• Runs composer validate --no-check-publish via a dedicated validator service
• Surfaces Composer’s stderr/stdout to highlight version-constraint or schema issues
• Fails fast when the Composer binary is missing or inaccessible

Why It Matters

• Broken deploys: Invalid composer files block composer install on production servers
• Dependency drift: Mistyped constraints or deprecated fields lead to inconsistent dependency graphs
• Automation: CI/CD pipelines rely on composer validate before publishing packages; this analyzer mirrors that safeguard locally

How to Fix

Quick Fix (5 minutes)

1. Run the same command locally for details:

composer validate --no-check-publish

2. Fix the specific schema errors (e.g., rename psr4 to psr-4, update version constraints).

3. Re-run the analyzer to confirm it passes.

Proper Fix (10 minutes)

1. Schema compliance: Keep composer.json minimal and documented; remove unused packages
2. Automate: Add composer validate to CI before building artifacts
3. Lockfile hygiene: Pair validation with composer update --lock to ensure lock and JSON stay in sync
4. Tooling: Consider composer normalize to standardize ordering and improve diff readability
5. Documentation: Record dependency policy (allowed licenses, stability flags) so contributors adhere to standards

ShieldCI Configuration

This analyzer runs in CI environments by default.

Serverless runtimes (Lambda, Cloud Functions): On serverless platforms where the Composer binary is not installed, the composer validate subprocess is automatically skipped. JSON syntax validation still runs. The analyzer confirms composer.json is valid JSON and has the required structure without invoking the Composer CLI.

When to run this analyzer:

• ✅ Local development: Confirms composer.json is schema-valid before pushing
• ✅ CI/CD pipelines: Catches schema regressions before build artifacts are created
• ✅ Staging/Production servers: Full validation including Composer CLI subprocess (when available)
• ⚠️ Serverless: Partial validation only (JSON syntax, no subprocess)

References

• Composer Schema
• Composer Validate Command
• Composer Normalize

Related Analyzers

• Cache Prefix Configuration Analyzer - Ensures cache prefix is set to avoid collisions
• Cache Status Analyzer - Validates cache connectivity and functionality
• Up-to-Date Migrations Analyzer - Ensures all database migrations are up to date and have been executed