maglnet / ComposerRequireChecker

A CLI tool to check whether a specific composer package uses imported symbols that aren't part of its direct composer dependencies
MIT License

Do I need this package when I use static analyzer? #543

Closed javaDeveloperKid closed 2 weeks ago

javaDeveloperKid commented 2 weeks ago

This package checks for symbols and functions from soft dependencies. But if a soft dependency is removed then a static analyzer like PHPStan (even at the lowest level 0 https://phpstan.org/user-guide/rule-levels) will catch this. Then this package is superfluous, right?

Ocramius commented 2 weeks ago

> But if a soft dependency is removed then a static analyzer like PHPStan (even at the lowest level 0 phpstan.org/user-guide/rule-levels) will catch this.

This depends on whether you are running your static analyzer on composer install --no-dev or not :-)

If you run PHPStan / Psalm with --no-dev sources, you should be fine without this package :+1:

BTW, I still suggest you also run static analysis over your test suite too (separate pipeline with everything included, perhaps).
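
An added example, not part of the thread and not ComposerRequireChecker's own code: it classifies the `use` imports of production source by the composer.lock section of the package that owns them, separating packages that disappear under `composer install --no-dev` from ones that stay installed as transitive dependencies. The `acme/*` packages, the manifest, the lock data and the PHP source are constructed, and only plain `use` statements and PSR-4 autoload prefixes are considered.

```python
import json
import re

# Constructed sample inputs; the acme/* package names are hypothetical.
MANIFEST = json.loads('{"require": {"php": "^8.1", "acme/http": "^2.0"},'
                      ' "require-dev": {"acme/testkit": "^1.0"}}')
LOCK = json.loads(r'''
{"packages": [
   {"name": "acme/http", "autoload": {"psr-4": {"Acme\\Http\\": "src/"}}},
   {"name": "acme/util", "autoload": {"psr-4": {"Acme\\Util\\": "src/"}}}],
 "packages-dev": [
   {"name": "acme/testkit", "autoload": {"psr-4": {"Acme\\TestKit\\": "src/"}}}]}''')
SOURCE = r'''<?php
namespace App;
use Acme\Http\Client;
use Acme\Util\Str;
use Acme\TestKit\Fixture;
use App\Service\Mailer;
'''

# Matches plain `use X\Y;` imports only (no group use, no inline FQCNs).
USE_RE = re.compile(r'^\s*use\s+(?:function\s+|const\s+)?\\?([A-Za-z_][\w\\]*)', re.M)

def prefix_owners(lock):
    """Map each PSR-4 prefix in composer.lock to (package, lock section)."""
    return {prefix: (pkg["name"], section)
            for section in ("packages", "packages-dev")
            for pkg in lock.get(section, [])
            for prefix in pkg.get("autoload", {}).get("psr-4", {})}

def undeclared_imports(manifest, lock, source):
    """Return (symbol, package, reason) for imports whose package is not in "require"."""
    required = set(manifest.get("require", {}))
    owners = prefix_owners(lock)
    findings = []
    for symbol in USE_RE.findall(source):
        # Longest matching prefix wins, as in PSR-4 resolution.
        prefix = max((p for p in owners if symbol.startswith(p)), key=len, default=None)
        if prefix is None:
            continue  # the project's own namespace, or not in the lock file
        package, section = owners[prefix]
        if package not in required:
            reason = "dev-only" if section == "packages-dev" else "transitive"
            findings.append((symbol, package, reason))
    return findings

if __name__ == "__main__":
    for finding in undeclared_imports(MANIFEST, LOCK, SOURCE):
        print(*finding)
```

Here "dev-only" marks a package listed under `packages-dev`, which `composer install --no-dev` does not install, and "transitive" marks one under `packages` that the project's own `require` section never names.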