May 13, 2020 by Thibault Debatty | 5505 views
PHP Secure Software Development
https://cylab.be/blog/53/detect-unused-composer-dependencies
If you are using composer to manage the dependencies of your PHP project (and you certainly should), it is very easy to end up using a lot of dependencies. And if your project lives long enough, some (or lots of them) will not be used anymore.
Keeping these unused dependencies has drawbacks:
Luckily, there is an easy solution to detect these unused dependencies: Insolita's unused-scanner, which you install as a dev dependency:
composer require --dev insolita/unused-scanner
You will first have to create a configuration file. You can name it unused-scanner.php for example. Here is a typical example:
<?php
$projectPath = __DIR__;

// Declare directories which contain php code
$scanDirectories = [
    $projectPath . '/app/',
];

// Optionally declare standalone files
$scanFiles = [
];

return [
    'composerJsonPath' => $projectPath . '/composer.json',
    'vendorPath' => $projectPath . '/vendor/',
    'scanDirectories' => $scanDirectories,
    'scanFiles' => $scanFiles,
    // whitelisted packages
    'skipPackages' => ['laravel/tinker', 'guzzlehttp/guzzle'],
];
Then, you can run the scanner:
vendor/bin/unused_scanner unused-scanner.php
If unused dependencies have been detected, you can either:
composer remove cylab/system
Finally, don’t forget to add this test to your .gitlab-ci.yml:
test:
  image: cylab/php72
  before_script:
    - COMPOSER_CACHE_DIR=composer-cache composer install
  script:
    - vendor/bin/unused_scanner unused-scanner.php
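To make clear what the scanner is actually checking, here is a simplified re-implementation of the idea in Python (an added example, not code from this post or from unused-scanner): each package listed in composer.json's require is mapped to the PSR-4 namespace prefixes declared in its vendor composer.json, and a package is reported when none of those prefixes is referenced from the scanned directories; skipPackages and platform requirements (php, ext-*) are skipped, as the configuration above implies. The fixture project, the Cylab\System namespace and the file names are constructed for the example.

```python
import json, re, tempfile
from pathlib import Path

# Class references in PHP source: "use Foo\Bar;", "new \Foo\Bar(", "extends Foo\Bar" ...
REF = re.compile(r'\b(?:use|new|extends|implements)\s+\\?([A-Za-z_][\w\\]*)')

def referenced_namespaces(scan_dirs) -> set:
    """Every class/namespace name referenced by the PHP files under scan_dirs."""
    found = set()
    for d in scan_dirs:
        for php in Path(d).rglob("*.php"):
            found.update(m.lstrip("\\") for m in REF.findall(php.read_text()))
    return found

def find_unused(project: Path, scan_dirs, skip=()) -> list:
    """Packages in composer.json 'require' whose PSR-4 namespaces never appear in the code."""
    required = json.loads((project / "composer.json").read_text()).get("require", {})
    refs = referenced_namespaces(scan_dirs)
    unused = []
    for pkg in required:
        if pkg in skip or pkg == "php" or pkg.startswith("ext-"):
            continue  # whitelisted (skipPackages), or a platform requirement with no vendor code
        meta = project / "vendor" / pkg / "composer.json"
        if not meta.is_file():
            continue  # not installed: nothing to compare against, so do not report it
        prefixes = json.loads(meta.read_text()).get("autoload", {}).get("psr-4", {})
        if prefixes and not any(r.startswith(p) for p in prefixes for r in refs):
            unused.append(pkg)
    return sorted(unused)

def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def build_fixture() -> Path:
    """Constructed sample project: two packages required, only guzzle is referenced."""
    root = Path(tempfile.mkdtemp())
    _write(root / "composer.json", json.dumps({"require": {
        "php": "^7.2", "guzzlehttp/guzzle": "^6.0", "cylab/system": "^1.0"}}))
    _write(root / "vendor/guzzlehttp/guzzle/composer.json",
           json.dumps({"autoload": {"psr-4": {"GuzzleHttp\\": "src/"}}}))
    _write(root / "vendor/cylab/system/composer.json",  # namespace is an assumption
           json.dumps({"autoload": {"psr-4": {"Cylab\\System\\": "src/"}}}))
    _write(root / "app/Http/Fetcher.php", "<?php\nnamespace App\\Http;\n"
           "use GuzzleHttp\\Client;\nclass Fetcher { function go() { return new Client(); } }\n")
    return root

def scan_fixture(skip=()) -> list:
    root = build_fixture()
    return find_unused(root, [root / "app"], skip)
```

Running scan_fixture() reports cylab/system, and passing skip=("cylab/system",) silences it, which is exactly the effect of the skipPackages whitelist in the configuration file.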
This blog post is licensed under CC BY-SA 4.0