
k2gl/composer-license-gate

Composer install command:

composer require k2gl/composer-license-gate

Package description

Composer plugin that checks your dependencies' licenses against an allow/deny policy and can fail the install on a violation.

README

A Composer plugin that checks your dependencies' licenses against an allow/deny policy as they're installed — and, in enforce mode, fails the install on a violation. It runs inside Composer's install/update lifecycle, so a disallowed license (say, GPL creeping into a proprietary product through a transitive dependency) is caught automatically in local installs and in CI, without a separate command to remember.

Unlike report-only license checkers you invoke by hand, this is a gate: the policy lives in composer.json and is enforced on every composer install and composer update.

Install

composer require --dev k2gl/composer-license-gate

On Composer 2.2 and later you'll be asked to trust the plugin on first use; it only runs once k2gl/composer-license-gate is listed under config.allow-plugins in composer.json. The gate is also only as strong as the invocation: composer install --no-plugins skips it, and because it's a dev dependency an install with --no-dev won't load it either, so run the check in the CI job that installs dev dependencies.

Configure

All configuration lives under extra.k2gl-license-gate in your root composer.json:

{
  "extra": {
    "k2gl-license-gate": {
      "mode": "enforce",
      "allow": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
      "deny": ["GPL-*", "AGPL-*"],
      "allow-packages": ["acme/legacy-thing"],
      "require-license": false
    }
  }
}

  • mode
    • warn (default) — report violations but don't stop.
    • enforce — fail the install when a package violates the policy.
    • off — do nothing.
  • allow — an allow-list. If set, a package is accepted only when every declared license matches one of these patterns. Takes precedence over deny.
  • deny — a deny-list. A package is rejected if any declared license matches one of these.
  • allow-packages — package names (vendor/name) exempt from the check, for the odd dependency you've reviewed and accepted.
  • require-license — treat a package that declares no license as a violation.

Patterns are SPDX identifiers, matched case-insensitively, with a trailing * as a prefix wildcard — GPL-* matches GPL-2.0-only, GPL-3.0-or-later, and so on.

Use either allow (a strict whitelist — safest) or deny (block known-bad licenses, permit the rest). If both are set, allow wins.
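The rules above, and the conservative handling of dual-licensed packages described under Notes, are easiest to see applied to concrete input. The following stand-alone PHP script is an added example, not the plugin's own code: it feeds the exact config fragment from this section to a small evaluator and runs it over a handful of constructed packages. The class name LicensePolicy, the method violation() and the package list are illustrative assumptions.

```php
<?php
// Added example (not the plugin's source): evaluate the extra.k2gl-license-gate
// policy against a list of packages. Names here are illustrative placeholders.
declare(strict_types=1);

final class LicensePolicy
{
    private string $mode;
    /** @var string[] */ private array $allow;
    /** @var string[] */ private array $deny;
    /** @var string[] */ private array $allowPackages;
    private bool $requireLicense;

    public function __construct(array $config)
    {
        $this->mode           = $config['mode'] ?? 'warn';
        $this->allow          = $config['allow'] ?? [];
        $this->deny           = $config['deny'] ?? [];
        $this->allowPackages  = $config['allow-packages'] ?? [];
        $this->requireLicense = (bool) ($config['require-license'] ?? false);
    }

    public function mode(): string { return $this->mode; }

    /** Case-insensitive SPDX match; a trailing "*" turns the pattern into a prefix. */
    private static function matches(string $pattern, string $license): bool
    {
        $pattern = strtolower($pattern);
        $license = strtolower($license);
        if (str_ends_with($pattern, '*')) {
            return str_starts_with($license, substr($pattern, 0, -1));
        }
        return $pattern === $license;
    }

    private static function matchesAny(array $patterns, string $license): bool
    {
        foreach ($patterns as $p) {
            if (self::matches($p, $license)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns null when the package passes, otherwise the reason it fails.
     * $licenses is the package's declared "license" array, so a dual-licensed
     * package arrives as ['MIT', 'GPL-3.0-only'] and is read conservatively:
     * every entry has to be acceptable.
     */
    public function violation(string $package, array $licenses): ?string
    {
        if ($this->mode === 'off' || in_array($package, $this->allowPackages, true)) {
            return null;                       // exempt, or gate switched off
        }
        if ($licenses === []) {
            return $this->requireLicense ? 'declares no license' : null;
        }
        foreach ($licenses as $license) {
            if ($this->allow !== []) {
                // allow-list is set: it wins over deny, and every license must match
                if (!self::matchesAny($this->allow, $license)) {
                    return sprintf('license "%s" is not allowed by policy', $license);
                }
            } elseif (self::matchesAny($this->deny, $license)) {
                return sprintf('license "%s" is denied by policy', $license);
            }
        }
        return null;
    }
}

// Constructed sample: the policy from this README and a few made-up packages.
$policy = new LicensePolicy(json_decode('{
  "mode": "enforce",
  "allow": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
  "deny": ["GPL-*", "AGPL-*"],
  "allow-packages": ["acme/legacy-thing"],
  "require-license": false
}', true));

$packages = [
    'acme/widget'       => ['GPL-3.0-or-later'],   // plain violation
    'acme/dual'         => ['MIT', 'GPL-3.0-only'], // dual-licensed: flagged
    'acme/legacy-thing' => ['GPL-2.0-only'],        // exempt via allow-packages
    'acme/fine'         => ['mit'],                 // case-insensitive match
    'acme/unlicensed'   => [],                      // passes unless require-license
];

$failed = false;
foreach ($packages as $name => $licenses) {
    $why = $policy->violation($name, $licenses);
    if ($why !== null) {
        echo "  ! license policy: $name - $why\n";
        $failed = $failed || $policy->mode() === 'enforce';
    }
}
exit($failed ? 1 : 0);
```

Run it with php and it reports acme/widget and acme/dual, exiting non-zero because the mode is enforce; switch "mode" to "warn" and the same two lines are printed with a zero exit, which is the behaviour described under "What you'll see". Removing the allow list makes the deny patterns take over, and acme/fine then passes on the prefix rules alone.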

What you'll see

Under enforce, a violation aborts the install:

  ! license policy: acme/widget — license "GPL-3.0-or-later" is denied by policy

Under warn, the same line is printed but the install continues.

Notes

  • A dual-licensed package (e.g. MIT OR GPL-3.0) is read conservatively: if any of its licenses is disallowed, it's flagged. Accept it deliberately with allow-packages once you've confirmed you're using it under the allowed option.
  • Checks run per package as Composer installs or updates it, so only the packages actually being changed are checked. A full audit therefore happens on a clean composer install (empty vendor/); an install into an already-populated vendor/ re-checks only what changes, so have CI start from a clean checkout or delete vendor/ first.
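The per-package behaviour in the note above, and the "runs inside Composer's install/update lifecycle" claim in the introduction, come from subscribing to Composer's package events. The sketch below is an added example and not the plugin's source: it shows the minimal wiring a Composer 2 plugin needs to inspect each package as it is about to be installed or updated, and to abort the run in enforce mode. The namespace Acme\LicenseGateDemo, the class name and the reduced deny-only check are assumptions; the Composer interfaces, event constants and methods used are Composer's real ones.

```php
<?php
// Added example, not the plugin's source. Placeholder namespace/class; the
// policy check is cut down to a deny-list prefix match to keep the focus on
// how the plugin hooks into Composer's per-package lifecycle.
declare(strict_types=1);

namespace Acme\LicenseGateDemo;

use Composer\Composer;
use Composer\DependencyResolver\Operation\InstallOperation;
use Composer\DependencyResolver\Operation\UpdateOperation;
use Composer\EventDispatcher\EventSubscriberInterface;
use Composer\Installer\PackageEvent;
use Composer\Installer\PackageEvents;
use Composer\IO\IOInterface;
use Composer\Package\CompletePackageInterface;
use Composer\Plugin\PluginInterface;

final class LicenseGatePlugin implements PluginInterface, EventSubscriberInterface
{
    private IOInterface $io;
    /** @var array<string,mixed> */
    private array $config = [];

    public function activate(Composer $composer, IOInterface $io): void
    {
        $this->io = $io;
        // Policy lives in the root package's extra section, as in the README.
        $this->config = $composer->getPackage()->getExtra()['k2gl-license-gate'] ?? [];
    }

    public function deactivate(Composer $composer, IOInterface $io): void {}
    public function uninstall(Composer $composer, IOInterface $io): void {}

    public static function getSubscribedEvents(): array
    {
        // Per-package events: only packages actually being changed fire these.
        // PRE_* is used so a rejected package is never written to vendor/.
        return [
            PackageEvents::PRE_PACKAGE_INSTALL => 'onPackage',
            PackageEvents::PRE_PACKAGE_UPDATE  => 'onPackage',
        ];
    }

    public function onPackage(PackageEvent $event): void
    {
        $op = $event->getOperation();
        $package = $op instanceof UpdateOperation
            ? $op->getTargetPackage()
            : ($op instanceof InstallOperation ? $op->getPackage() : null);
        if (!$package instanceof CompletePackageInterface) {
            return;                                 // no license metadata to read
        }

        $mode = $this->config['mode'] ?? 'warn';
        $exempt = $this->config['allow-packages'] ?? [];
        if ($mode === 'off' || in_array($package->getName(), $exempt, true)) {
            return;
        }

        // Every declared license is checked, so a dual-licensed package is
        // flagged as soon as one of its options hits a deny pattern.
        foreach ($package->getLicense() as $license) {
            foreach ($this->config['deny'] ?? [] as $pattern) {
                if (!self::matches($pattern, $license)) {
                    continue;
                }
                $msg = sprintf('license policy: %s - license "%s" is denied by policy',
                    $package->getName(), $license);
                if ($mode === 'enforce') {
                    // An exception thrown from a package event aborts the install.
                    throw new \RuntimeException($msg);
                }
                $this->io->writeError('<warning>  ! ' . $msg . '</warning>');
            }
        }
    }

    /** Case-insensitive SPDX match; a trailing "*" makes the pattern a prefix. */
    private static function matches(string $pattern, string $license): bool
    {
        $pattern = strtolower($pattern);
        $license = strtolower($license);
        return str_ends_with($pattern, '*')
            ? str_starts_with($license, substr($pattern, 0, -1))
            : $pattern === $license;
    }
}
```

To make Composer load a class like this, the plugin's own composer.json declares "type": "composer-plugin", sets "extra": {"class": "Acme\\LicenseGateDemo\\LicenseGatePlugin"} and requires composer-plugin-api ^2.0; the consuming project must then allow it under config.allow-plugins, otherwise Composer 2.2+ refuses to run it and the gate silently does nothing.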

Requirements

  • PHP 8.1+
  • Composer 2 (composer-plugin-api ^2.0)

License

MIT

Statistics

  • Total downloads: 0
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Views: 1
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2026-07-04
