ACTIVATE when modifying composer.json, adding/updating dependencies, or running composer commands. ACTIVATE for 'composer require', 'composer update', version constraints. Covers: caret versioning policy, forbidden patterns (*, dev-master, exact versions), internal package exception (dev-main as x.y.z), update strategy. DO NOT use for: autoloading, PHP code, Symfony configuration.
Slash command: `/php:php-composer-conventions`
**Always use caret (`^`) with minor version**:

```json
"vendor/package": "^1.2"
```
This allows patch updates (1.2.x) and minor updates (1.x) but blocks major updates (2.x).
Forbidden patterns:

| Pattern | Reason |
|---|---|
| `"*"` | No version control, can break on any update |
| `"dev-master"` | Unstable, no reproducibility (external packages) |
| `"1.2.3"` | Too strict, blocks security patches |
| `">=1.0"` | Too permissive, allows breaking changes |
`"dev-main as x.y.z"` is allowed only for internal packages (`acme/*`) during active development:

```json
"acme/ui-bundle": "dev-main as 0.1.0"
```
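A check that could run in CI to enforce the caret policy, the forbidden patterns and the internal-package exception above. This is an added example, not part of the skill or the plugin's own code. The names `classify` and `audit`, the sample package names, and the choice to skip platform entries such as `php` are assumptions, and the check reports anything that is not in the `^X.Y` form, which is stricter than the table alone.

```python
import json
import re

INTERNAL_PREFIX = "acme/"  # internal vendor namespace used on this page
CARET_MINOR = re.compile(r"^\^\d+\.\d+$")                    # "^1.2"
EXACT = re.compile(r"^v?\d+(\.\d+){1,3}$")                   # "1.2.3"
INTERNAL_ALIAS = re.compile(r"^dev-main as \d+\.\d+\.\d+$")  # "dev-main as 0.1.0"


def classify(package, constraint):
    """Return None when the constraint follows the policy, else the reason."""
    c = constraint.strip()
    if CARET_MINOR.match(c):
        return None
    if INTERNAL_ALIAS.match(c):
        return None if package.startswith(INTERNAL_PREFIX) else "dev-main alias is internal-only"
    if c == "*":
        return "no version control, can break on any update"
    if c.startswith("dev-"):
        return "unstable, no reproducibility"
    if EXACT.match(c):
        return "too strict, blocks security patches"
    if c.startswith(">"):
        return "too permissive, allows breaking changes"
    return "not in the ^X.Y form"


def audit(composer_json_text):
    """Map each offending package in require/require-dev to a reason."""
    data = json.loads(composer_json_text)
    findings = {}
    for section in ("require", "require-dev"):
        for package, constraint in data.get(section, {}).items():
            if "/" not in package:  # assumption: skip platform entries (php, ext-*)
                continue
            if reason := classify(package, constraint):
                findings[package] = reason
    return findings


# Constructed composer.json for illustration; package names are placeholders.
SAMPLE = """{"require": {"php": ">=8.2", "vendor/package": "^1.2",
  "vendor/wildcard": "*", "vendor/unstable": "dev-master", "vendor/pinned": "1.2.3",
  "vendor/open": ">=1.0", "acme/ui-bundle": "dev-main as 0.1.0"},
  "require-dev": {"vendor/alias": "dev-main as 1.0.0"}}"""

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name}: {why}")
```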
Always try without `--with-all-dependencies` first:

```bash
composer update vendor/package
```

Only use `--with-all-dependencies` if the standard update fails due to dependency conflicts:

```bash
composer update vendor/package --with-all-dependencies
```
Use `^` with the minor version:

```bash
# Check available versions
composer show vendor/package --all

# Add with correct constraint
composer require vendor/package:^1.2
```
When encountering `"*"` in composer.json:

1. `composer show vendor/package`
2. `composer show vendor/package --all`
3. Replace `"*"` with `"^X.Y"` (latest minor)
4. `composer update vendor/package`

| Situation | Action |
|---|---|
| New dependency | `composer require vendor/package:^X.Y` |
| Update single package | `composer update vendor/package` |
| Fix `"*"` constraint | Replace with `"^X.Y"`, then update |
| Dependency conflict | Only then use `--with-all-dependencies` |
npx claudepluginhub fabiensalles/claude-marketplace --plugin php