renovate/docs/usage/php.md

---
title: PHP Composer Support
description: PHP Composer support in Renovate
---

# Automated Dependency Updates for PHP Composer Dependencies

Renovate can upgrade dependencies in PHP's `composer.json` and `composer.lock` files.

## How It Works

1. Renovate searches in each repository for any `composer.json` files
1. Existing dependencies are extracted from the relevant sections of the JSON
1. Renovate resolves the dependency on Packagist (or elsewhere if configured), and filter for SemVer versions
1. A PR is created with `composer.json` and `composer.lock` updated in the same commit
1. If the source repository has either a "changelog" file or uses GitHub releases, then Release Notes for each version will be embedded in the generated PR

## Enabling

Either install the [Renovate App](https://github.com/apps/renovate) on GitHub, or check out [Renovate OSS](https://github.com/renovatebot/renovate) for self-hosted.

## Private packages

If you are using a [privately hosted Composer package](https://getcomposer.org/doc/articles/authentication-for-private-packages.md) you can pass the credentials via the [`hostRules`](https://docs.renovatebot.com/configuration-options/#hostrules) configuration.

```json
{
  "hostRules": [
    {
      "matchHost": "some.vendor.com",
      "hostType": "packagist",
      "username": "<your-username>",
      "password": "<your-password>"
    },
    {
      "matchHost": "bearer-auth.for.vendor.com",
      "hostType": "packagist",
      "token": "abcdef0123456789"
    }
  ]
}
```

This host rule is best added to the bot's `config.js` config so that it is not visible to users of the repository.
If you are using the hosted Mend Renovate App then you can encrypt it with Renovate's public key instead, so that only Renovate can decrypt it.

Go to [https://app.renovatebot.com/encrypt](https://app.renovatebot.com/encrypt), paste in the secret string you wish to encrypt, click _Encrypt_, then copy the encrypted result.
You may encrypt your `password` only, but you can encrypt your `username` as well.

```json
{
  "hostRules": [
    {
      "matchHost": "some.vendor.com",
      "hostType": "packagist",
      "encrypted": {
        "username": "<your-encrypted-username>",
        "password": "<your-encrypted-password>"
      }
    },
    {
      "matchHost": "bearer-auth.for.vendor.com",
      "hostType": "packagist",
      "encrypted": {
        "token": "<your-encrypted-token>"
      }
    }
  ]
}
```
docs: update language descriptions 2019-01-13 12:01:00 +00:00			`---`
			`title: PHP Composer Support`
			`description: PHP Composer support in Renovate`
			`---`

			`# Automated Dependency Updates for PHP Composer Dependencies`

docs: improve PHP documentation (#7824) 2020-11-26 12:15:41 +00:00			Renovate can upgrade dependencies in PHP's `composer.json` and `composer.lock` files.
docs: update language descriptions 2019-01-13 12:01:00 +00:00
			`## How It Works`

docs: improve PHP documentation (#7824) 2020-11-26 12:15:41 +00:00			1. Renovate searches in each repository for any `composer.json` files
			`1. Existing dependencies are extracted from the relevant sections of the JSON`
			`1. Renovate resolves the dependency on Packagist (or elsewhere if configured), and filter for SemVer versions`
			1. A PR is created with `composer.json` and `composer.lock` updated in the same commit
			`1. If the source repository has either a "changelog" file or uses GitHub releases, then Release Notes for each version will be embedded in the generated PR`
docs: update language descriptions 2019-01-13 12:01:00 +00:00
			`## Enabling`

docs: update docs and app references 2019-08-27 11:11:25 +00:00			`Either install the [Renovate App](https://github.com/apps/renovate) on GitHub, or check out [Renovate OSS](https://github.com/renovatebot/renovate) for self-hosted.`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00
			`## Private packages`

			If you are using a [privately hosted Composer package](https://getcomposer.org/doc/articles/authentication-for-private-packages.md) you can pass the credentials via the [`hostRules`](https://docs.renovatebot.com/configuration-options/#hostrules) configuration.

			```json
			`{`
			`"hostRules": [`
			`{`
feat(host-rules): use only matchHost (#9892) Co-authored-by: Michael Kriese <michael.kriese@visualon.de> 2021-05-13 20:53:18 +00:00			`"matchHost": "some.vendor.com",`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00			`"hostType": "packagist",`
			`"username": "<your-username>",`
			`"password": "<your-password>"`
feat(composer): bearer token authentication (#6901) (#11856) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2021-09-23 11:49:58 +00:00			`},`
			`{`
			`"matchHost": "bearer-auth.for.vendor.com",`
			`"hostType": "packagist",`
			`"token": "abcdef0123456789"`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00			`}`
			`]`
			`}`
			```

docs: use one sentence per line (#7625) 2020-11-02 08:52:37 +00:00			This host rule is best added to the bot's `config.js` config so that it is not visible to users of the repository.
fix: whitesource -> mend (#15729) 2022-05-25 13:23:28 +00:00			`If you are using the hosted Mend Renovate App then you can encrypt it with Renovate's public key instead, so that only Renovate can decrypt it.`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00
docs: update links (#12006) 2021-10-04 15:57:18 +00:00			`Go to [https://app.renovatebot.com/encrypt](https://app.renovatebot.com/encrypt), paste in the secret string you wish to encrypt, click _Encrypt_, then copy the encrypted result.`
docs: improve PHP documentation (#7824) 2020-11-26 12:15:41 +00:00			You may encrypt your `password` only, but you can encrypt your `username` as well.
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00
			```json
			`{`
			`"hostRules": [`
			`{`
feat(host-rules): use only matchHost (#9892) Co-authored-by: Michael Kriese <michael.kriese@visualon.de> 2021-05-13 20:53:18 +00:00			`"matchHost": "some.vendor.com",`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00			`"hostType": "packagist",`
			`"encrypted": {`
Update php.md (#15103) 2022-04-13 21:01:34 +00:00			`"username": "<your-encrypted-username>",`
feat(composer): bearer token authentication (#6901) (#11856) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2021-09-23 11:49:58 +00:00			`"password": "<your-encrypted-password>"`
			`}`
			`},`
			`{`
			`"matchHost": "bearer-auth.for.vendor.com",`
			`"hostType": "packagist",`
			`"encrypted": {`
			`"token": "<your-encrypted-token>"`
docs: go into Composer authentication more clearly (#7571) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2020-10-27 14:00:37 +00:00			`}`
			`}`
			`]`
			`}`
			```