Skip to main content
GrN.dk

Main navigation

  • Articles
  • Contact
  • Your Digital Project Manager
  • About Greg Nowak
  • Services
  • Portfolio
  • Container
    • Excel Freelancer
    • Kubuntu - tips and tricks
    • Linux Apache MySQL and PHP
    • News
    • Image Gallery
User account menu
  • Log in

Breadcrumb

  1. Home

Tidy Up composer.json with Composer Normalize

By Greg Nowak. Last updated 2026-07-06.

A tidy composer.json will not rescue a bad dependency strategy, but it does remove a surprising amount of friction. When package metadata is inconsistent, every dependency change becomes harder to review, hand over, and automate. For business owners, operations leads, and agency teams, that shows up as slower maintenance and avoidable uncertainty.

The practical 2026 default is simple: use Composer's own validation tools, enable package sorting for future changes, and add ergebnis/composer-normalize for full-file normalization. The result is not cosmetic perfection. It is a quieter workflow where dependency changes are easier to understand and CI can catch drift before it reaches a release branch.

Why this matters beyond formatting

A clean composer.json gives reviewers a better signal. If a pull request adds one package, removes another, or changes a platform constraint, the diff should show that decision clearly. It should not be buried in reordered keys, spacing changes, or a manually edited block that looks different from the rest of the file.

That matters most when several people touch the same PHP estate: an in-house developer, a freelance specialist, a support agency, and a project manager all looking at the same repository. Normalization gives them a shared baseline.

  • Package lists stay predictable.
  • Metadata changes become easier to review.
  • Lock-file drift is caught earlier.
  • Style arguments move out of code review.

Where each Composer tool fits

Composer already includes useful checks, but each tool has a different job. The mistake is expecting one setting to do everything.

Need Use What it gives the team
Validate the file and lock relationship composer validate --strict Schema checks, lock-file checks, and a non-zero exit code for warnings.
Keep new requirements alphabetized sort-packages Cleaner future changes when developers run composer require.
Normalize the full file composer normalize Consistent key order, formatting, and package metadata structure.
Enforce the rule in CI composer normalize --dry-run A failing build when the file or lock hash needs attention.
A small decision matrix for keeping PHP dependency metadata clean without adding process for its own sake.

A sensible project setup

For most application and agency projects, install Composer Normalize as a development dependency and commit the resulting configuration. Composer plugins execute code, so Composer's allow-plugins setting should be explicit rather than left to local prompts.

composer require --dev ergebnis/composer-normalize
composer config allow-plugins.ergebnis/composer-normalize true
composer normalize
composer validate --strict

The first command installs the normalizer. The second records that this specific plugin is trusted. Then composer normalize rewrites the file into the expected structure, and composer validate --strict checks that the cleaned file is still valid and that the lock file is up to date when one exists.

Also enable Composer's built-in package sorting so day-to-day package additions do not slowly make the file noisy again:

{
  "config": {
    "sort-packages": true
  }
}

This setting is useful, but it is not a replacement for normalization. Composer documents it as a way for the require command to keep packages sorted when new packages are added. It does not normalize the whole document.

Put the check in CI

The real value comes when this becomes a repeatable rule. After the first cleanup commit, add these checks to the project pipeline:

composer normalize --dry-run
composer validate --strict

--dry-run is the important flag. In CI, the normalizer should report the problem, show the diff, and fail the build rather than rewriting files behind the team's back. Developers can then run composer normalize locally and commit the result.

Be deliberate with lock-file behavior. Composer Normalize checks whether composer.lock is current and can update the lock hash when necessary. If your release process treats lock-file changes as sensitive, read the available flags before automating broadly. --no-update-lock can prevent the tool from updating the lock file, and --no-check-lock should be reserved for cases where you have a separate lock-file check.

What normalization will not fix

Normalization is hygiene, not dependency governance. Use the cleanup as a chance to inspect the file while it is easier to read.

  • Move tools used only for development into require-dev.
  • Remove stale packages left behind after old features or integrations.
  • Check whether autoload settings should use PSR-4 for new code.
  • Review PHP and extension requirements against production, not only local machines.
  • Remove a manually maintained version field when the repository can infer versions from VCS tags.
  • Question old scripts, custom repositories, and platform overrides that nobody owns anymore.

This is where an experienced reviewer matters. The tool can make the file consistent; it cannot decide whether the constraints, scripts, and package choices still match the business.

A good rollout pattern

For an existing codebase, do the normalization in a dedicated pull request with no functional dependency changes. That makes the large formatting diff easy to approve once. After that, every future dependency pull request should be smaller and clearer.

For agencies managing several PHP projects, standardize the rule in your project template, CI checklist, and handover notes. Small rules like this reduce review fatigue and make inherited projects less personal to the last developer who touched them.

If dependency hygiene, CI rules, and handover quality keep slipping between teams, Greg can help make them part of a repeatable delivery workflow.

Related on GrN.dk

  • Web Browser Automation for Operations and Agency Teams: A Practical Guide
  • AI automations need a spend dashboard before the first runaway bill
  • Cloudflare Tunnel observability is better in 2026, making undocumented tunnel sprawl harder to ignore

Need help with this kind of work?

Make PHP delivery more repeatable Get in touch with Greg.

Sources

  • Command-line interface / Commands - Composer
  • Config - Composer
  • The composer.json schema - Composer
  • ergebnis/composer-normalize
  • ergebnis/composer-normalize - Packagist
Last modified
2026-07-06

Tags

  • Web
  • programming
  • php
  • Composer

Review Greg on Google

Greg Nowak Google Reviews

 

Illustrated infographic summarizing: If the Facts Need JavaScript, AI Search May Miss the Full Page
If the Facts Need JavaScript, AI Search May Miss the Full Page
2026-07-14

A practical guide to finding and fixing JavaScript rendering gaps that can hide services, prices, contact details and metadata from AI search crawlers.

Illustrated infographic summarizing: Search Console Can See Social Posts—Your Reports Need a New Map
Search Console Can See Social Posts—Your Reports Need a New Map
2026-07-13

Search Console now reports how social posts perform across Google. Here’s a practical way to manage properties, permissions, baselines and exports.

Illustrated infographic summarizing: WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
WordPress 7.0 Has an AI Client. Plugins Need Their Own Guardrails
2026-07-12

WordPress 7.0 standardizes how plugins call AI providers, while leaving developers responsible for access control, cost limits, capability checks and graceful failures.

Illustrated infographic summarizing: Google’s AI Search toggle needs a test plan, not a gut decision
Google’s AI Search toggle needs a test plan, not a gut decision
2026-07-11

Google’s AI Search control creates a measurable publishing choice. Test visibility, traffic and leads before changing the setting across your site.

Illustrated infographic summarizing: OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
OpenAI Is Retiring Agent Builder: Save the Workflow, Not Just Prompts
2026-07-10

OpenAI retires Agent Builder on November 30, 2026. Here is what teams need to preserve, how to choose a migration path, and how to cut over safely.

Illustrated infographic summarizing: AI agents need a browser policy before they start clicking around
AI agents need a browser policy before they start clicking around
2026-07-09

Browser-using AI agents can save time, but they need clear rules before they enter CRMs, CMSs, portals, or admin tools and start taking action.

Illustrated infographic summarizing: When AI writes JSON, one bad field can break the workflow
When AI writes JSON, one bad field can break the workflow
2026-07-08

Structured AI output is useful in real workflows, but teams need schemas, validation, retries, and logs before JSON reaches production systems.

Illustrated infographic summarizing: AI search is eating the click: measure the queries before rewriting pages
AI search is eating the click: measure the queries before rewriting pages
2026-07-07

AI summaries are cutting into search clicks. Start with a practical dashboard that shows query risk, bot purpose, page value, and crawler policy.

Illustrated infographic summarizing: AI shopping visibility now depends on boring product-data plumbing
AI shopping visibility now depends on boring product-data plumbing
2026-07-07

AI-assisted shopping puts more pressure on ecommerce catalog data, feeds, schema, prices, availability, and return-policy governance.

Illustrated infographic summarizing: Drupal AI Demos Need a Permissions Rehearsal Before Launch
Drupal AI Demos Need a Permissions Rehearsal Before Launch
2026-07-07

Drupal’s July 2026 AI advisories show why agencies should test permissions, uploads, approval loops, logs, and rollback before client demos go live.

More articles
RSS feed

GrN.dk web platforms, web optimization, data analysis, data handling and logistics.