composer show dev packages and non dev packages

Question

Is there any way to know what packages will/will not be autoloaded when using the --no-dev flag?

I have inherited some code that uses composer and Im unsure what packages are included in the production build and what are only included in the dev build.

Since doing composer dump-autoload --no-dev gives me errors regarding missing classes I suspect that some packages are flagged as dev-only when they should not and I'm trying to track those down.

I havent found anything in the composer docs to help me doing this.

Answer 1

I just discovered that you can show all root packages using composer show -s:

name     : roots/bedrock
descrip. : WordPress boilerplate with modern development tools, easier configuration, and an improved folder structure
keywords : bedrock, roots, wordpress, stack, composer, vagrant, wp
versions : * dev-update-and-apply-aq-changes
type     : project
license  : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : https://roots.io/bedrock/
source   : []  412b5d6779300e49762ed2402d0f87ca50475f2f
dist     : []  412b5d6779300e49762ed2402d0f87ca50475f2f
path     : 
names    : roots/bedrock

support
issues : https://github.com/roots/bedrock/issues
forum : https://discourse.roots.io/category/bedrock

requires
php >=7.0
composer/installers ^1.11
oscarotero/env ^1.2.0
roots/wordpress 5.7.2
roots/wp-password-bcrypt 1.0.0
roots/wp-config 1.0.0
advanced-custom-fields/advanced-custom-fields-pro *
wpackagist-plugin/wordpress-seo ^16.1

requires (dev)
squizlabs/php_codesniffer ^3.0.2
dealerdirect/phpcodesniffer-composer-installer *
wp-coding-standards/wpcs *
wpackagist-plugin/query-monitor ^3.7
roave/security-advisories dev-master

And then you can cut out the requires (dev) section using composer show -s | sed -n '/requires (dev)$/,/^$/p'

requires (dev)
squizlabs/php_codesniffer ^3.0.2
dealerdirect/phpcodesniffer-composer-installer *
wp-coding-standards/wpcs *
wpackagist-plugin/query-monitor ^3.7
roave/security-advisories dev-master

And then you can get rid of the title using composer show -s | sed -n '/requires (dev)$/,/^$/p' | grep -v 'requires (dev)'

squizlabs/php_codesniffer ^3.0.2
dealerdirect/phpcodesniffer-composer-installer *
wp-coding-standards/wpcs *
wpackagist-plugin/query-monitor ^3.7
roave/security-advisories dev-master

And then you can get rid of the version using composer show -s | sed -n '/requires (dev)$/,/^$/p' | grep -v 'requires (dev)' | cut -d ' ' -f1

squizlabs/php_codesniffer
dealerdirect/phpcodesniffer-composer-installer
wp-coding-standards/wpcs
wpackagist-plugin/query-monitor
roave/security-advisories

Answer 2

The easiest way to check which packages are dev-only is to run composer install (this will install all dependencies, including dev-only) and then composer install --no-dev (this will remove dev-only dependencies). Last command will give you list of removed dependencies - these are packages not available in production builds, you should not rely on them (or move them to require section in your composer.json).

Example:

$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 56 installs, 0 updates, 0 removals
  - Installing yiisoft/yii2-composer (2.0.7): Loading from cache
  - Installing bower-asset/jquery (3.3.1): Loading from cache
  - Installing bower-asset/bootstrap (v3.4.1): Loading from cache
  - Installing bower-asset/inputmask (3.3.11): Loading from cache
  - Installing bower-asset/punycode (v1.3.2): Loading from cache
  - Installing bower-asset/yii2-pjax (2.0.7.1): Loading from cache
  - Installing cebe/markdown (1.2.1): Loading from cache
  - Installing ezyang/htmlpurifier (v4.10.0): Loading from cache
  - Installing yiisoft/yii2 (2.0.17): Loading from cache
  - Installing swiftmailer/swiftmailer (v5.4.12): Loading from cache
  - Installing yiisoft/yii2-swiftmailer (2.0.7): Loading from cache
  - Installing symfony/polyfill-ctype (v1.11.0): Loading from cache
  - Installing symfony/yaml (v2.8.49): Loading from cache
  - Installing symfony/finder (v2.8.49): Loading from cache
  - Installing symfony/event-dispatcher (v2.8.49): Loading from cache
  - Installing symfony/polyfill-mbstring (v1.11.0): Loading from cache
  - Installing symfony/dom-crawler (v2.8.49): Loading from cache
  - Installing symfony/css-selector (v2.8.49): Loading from cache
  - Installing psr/log (1.1.0): Loading from cache
  - Installing symfony/debug (v2.8.49): Loading from cache
  - Installing symfony/console (v2.8.49): Loading from cache
  - Installing symfony/browser-kit (v2.8.49): Loading from cache
  - Installing ralouphie/getallheaders (2.0.5): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing guzzlehttp/psr7 (1.5.2): Loading from cache
  - Installing sebastian/recursion-context (1.0.5): Loading from cache
  - Installing sebastian/exporter (1.2.2): Loading from cache
  - Installing phpunit/php-text-template (1.2.1): Loading from cache
  - Installing doctrine/instantiator (1.0.5): Loading from cache
  - Installing phpunit/phpunit-mock-objects (2.3.8): Loading from cache
  - Installing codeception/stub (1.0.4): Loading from cache
  - Installing sebastian/diff (1.4.3): Loading from cache
  - Installing sebastian/comparator (1.2.4): Loading from cache
  - Installing sebastian/version (1.0.6): Loading from cache
  - Installing sebastian/global-state (1.1.1): Loading from cache
  - Installing sebastian/environment (1.3.8): Loading from cache
  - Installing phpunit/php-timer (1.0.9): Loading from cache
  - Installing phpunit/php-file-iterator (1.4.5): Loading from cache
  - Installing phpunit/php-token-stream (1.4.12): Loading from cache
  - Installing phpunit/php-code-coverage (2.2.4): Loading from cache
  - Installing phpdocumentor/reflection-docblock (2.0.5): Loading from cache
  - Installing phpspec/prophecy (1.8.0): Loading from cache
  - Installing phpunit/phpunit (4.8.36): Loading from cache
  - Installing codeception/phpunit-wrapper (6.0.10): Loading from cache
  - Installing behat/gherkin (v4.6.0): Loading from cache
  - Installing codeception/base (2.4.1): Loading from cache
  - Installing myclabs/deep-copy (1.6.1): Loading from cache
  - Installing codeception/specify (0.4.6): Loading from cache
  - Installing codeception/verify (0.3.3): Loading from cache
  - Installing yiisoft/yii2-bootstrap (2.0.9): Loading from cache
  - Installing yiisoft/yii2-debug (2.0.14): Loading from cache
  - Installing fzaninotto/faker (v1.8.0): Loading from cache
  - Installing yiisoft/yii2-faker (2.0.4): Loading from cache
  - Installing phpspec/php-diff (v1.1.0): Loading from cache
  - Installing bower-asset/typeahead.js (v0.11.1): Loading from cache
  - Installing yiisoft/yii2-gii (2.0.8): Loading from cache
Generating autoload files

And then list of dev-only dependencies:

$ composer install --no-dev
Loading composer repositories with package information
Installing dependencies from lock file
Package operations: 0 installs, 0 updates, 44 removals
  - Removing yiisoft/yii2-gii (2.0.8)
  - Removing yiisoft/yii2-faker (2.0.4)
  - Removing yiisoft/yii2-debug (2.0.14)
  - Removing symfony/yaml (v2.8.49)
  - Removing symfony/polyfill-mbstring (v1.11.0)
  - Removing symfony/polyfill-ctype (v1.11.0)
  - Removing symfony/finder (v2.8.49)
  - Removing symfony/event-dispatcher (v2.8.49)
  - Removing symfony/dom-crawler (v2.8.49)
  - Removing symfony/debug (v2.8.49)
  - Removing symfony/css-selector (v2.8.49)
  - Removing symfony/console (v2.8.49)
  - Removing symfony/browser-kit (v2.8.49)
  - Removing sebastian/version (1.0.6)
  - Removing sebastian/recursion-context (1.0.5)
  - Removing sebastian/global-state (1.1.1)
  - Removing sebastian/exporter (1.2.2)
  - Removing sebastian/environment (1.3.8)
  - Removing sebastian/diff (1.4.3)
  - Removing sebastian/comparator (1.2.4)
  - Removing ralouphie/getallheaders (2.0.5)
  - Removing psr/log (1.1.0)
  - Removing psr/http-message (1.0.1)
  - Removing phpunit/phpunit-mock-objects (2.3.8)
  - Removing phpunit/phpunit (4.8.36)
  - Removing phpunit/php-token-stream (1.4.12)
  - Removing phpunit/php-timer (1.0.9)
  - Removing phpunit/php-text-template (1.2.1)
  - Removing phpunit/php-file-iterator (1.4.5)
  - Removing phpunit/php-code-coverage (2.2.4)
  - Removing phpspec/prophecy (1.8.0)
  - Removing phpspec/php-diff (v1.1.0)
  - Removing phpdocumentor/reflection-docblock (2.0.5)
  - Removing myclabs/deep-copy (1.6.1)
  - Removing guzzlehttp/psr7 (1.5.2)
  - Removing fzaninotto/faker (v1.8.0)
  - Removing doctrine/instantiator (1.0.5)
  - Removing codeception/verify (0.3.3)
  - Removing codeception/stub (1.0.4)
  - Removing codeception/specify (0.4.6)
  - Removing codeception/phpunit-wrapper (6.0.10)
  - Removing codeception/base (2.4.1)
  - Removing bower-asset/typeahead.js (v0.11.1)
  - Removing behat/gherkin (v4.6.0)
Generating autoload files

---

There is also a maglnet/composer-require-checker which may be useful for detecting usage of libraries not listed in require section.

Answer 3

Basically, any package (and its dependencies) in require-dev section of your composer.json file will not be autoloaded when you use composer dump-autoload --no-dev. Sadly, I don't think there's a command to show those packages together with their dependencies as a single list.

What you can do is try moving each of the packages from require-dev section to require, reruning composer update and composer dump-autoload --no-dev to see when your error disappears.