
check_only_direct_dependencies

Configuration

name: check_only_direct_dependencies
type: int
default: 1
{
    "name": "company/project",
    "extra": {
        "violinist": {
            "check_only_direct_dependencies": 1
        }
    }
}

Indicate whether you want violinist to check only direct dependencies, or all dependencies.

Note! If you are looking for a way to get updates to the dependencies of your direct dependencies, even when the direct dependency itself does not have a new version, then you probably want the option allow_update_indirect_with_direct. The difference is that with allow_update_indirect_with_direct you get one pull request per direct dependency, whereas with this option (check_only_direct_dependencies set to 0) you get one pull request per package installed in your project, regardless of whether the package is directly required or not.

Explanation

By default, violinist will only try to update packages you are directly dependent on. If you are dependent on the package asm89/stack-cors, your project will be indirectly dependent on, for example, symfony/http-foundation. That also means that by default only pull requests to update the package asm89/stack-cors will be created. For many projects, this is what is desired. However, the frequency of releases to these packages can vary a lot. For example, between 2 versions of asm89/stack-cors there could theoretically be 10 versions of symfony/http-foundation. Some then find it surprising that even if they are merging all of the pull requests from violinist, running composer update still updates some packages for them. Indirect dependencies that never got their own pull request are the reason.

Note! This option will update all dependencies in your lock file. This can potentially mean A LOT of pull requests. Therefore this option is best combined with either a block list or an allow list.

Note! This option has no effect if you have set always_update_all to 1.

Note! This option has no effect if you have set allow_update_indirect_with_direct to 1.
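To see how many packages the setting covers in a given project, the direct/indirect split described above can be computed from composer.json and composer.lock. The following is an added example, not violinist's own code: the function names and the sample data (including version numbers) are constructed, and it ignores always_update_all, allow_update_indirect_with_direct and any block or allow list.

```python
import json

# Constructed sample data (package versions are illustrative, not from the page).
COMPOSER_JSON = json.loads("""{
  "name": "company/project",
  "require": {"php": ">=8.1", "asm89/stack-cors": "^2.1"},
  "extra": {"violinist": {"check_only_direct_dependencies": 1}}
}""")
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "asm89/stack-cors", "version": "v2.1.1",
     "require": {"php": "^7.3|^8.0", "symfony/http-foundation": "^5.3|^6"}},
    {"name": "symfony/http-foundation", "version": "v6.3.0",
     "require": {"php": ">=8.1", "symfony/polyfill-mbstring": "~1.1"}},
    {"name": "symfony/polyfill-mbstring", "version": "v1.28.0",
     "require": {"php": ">=7.1"}}
  ],
  "packages-dev": []
}""")


def classify(composer_json, composer_lock):
    """Return (direct, indirect); indirect maps each locked package that is
    not directly required to the direct dependencies that pull it in."""
    locked = {p["name"]: p for key in ("packages", "packages-dev")
              for p in composer_lock.get(key, [])}
    # Platform requirements such as "php" or "ext-*" are never in the lock file.
    direct = sorted(n for key in ("require", "require-dev")
                    for n in composer_json.get(key, {}) if n in locked)
    indirect = {n: [] for n in sorted(locked) if n not in direct}
    for root in direct:
        stack, seen = [root], {root}  # "seen" guards against require cycles
        while stack:
            for dep in locked[stack.pop()].get("require", {}):
                if dep in locked and dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
                    if dep in indirect:
                        indirect[dep].append(root)
    return direct, indirect


def update_candidates(composer_json, composer_lock):
    """Packages that can get their own pull request under the configured setting."""
    direct, indirect = classify(composer_json, composer_lock)
    violinist = composer_json.get("extra", {}).get("violinist", {})
    if int(violinist.get("check_only_direct_dependencies", 1)):
        return direct
    return sorted(set(direct) | set(indirect))
```

The keys of the `indirect` mapping are the packages that never get their own pull request under the default setting, which makes them a starting point for deciding what to put on an allow list before setting the option to 0.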

Example

Maybe you have a project that depends on a "meta-package" for your company, which in turn downloads all of the dependencies of your framework of choice. This can be very convenient for making sure projects are similar, company-wide. However, your meta-package might not get new updates very often, so the indirect dependencies of your project (that is, the dependencies of your "meta-package") might become out of date, or even cause you to miss a security update. Then let's configure our project to get all updates for all dependencies.

{
    "name": "company/project",
    "description": "My awesome project",
    "require": {
        "company/package-with-symfony-dependencies-declared": "~1.0.0"
    },
    "extra": {
        "violinist": {
            "check_only_direct_dependencies": 0
        }
    }
}

This way, there will be pull requests created for all of the packages, direct or indirect. And dependencies will therefore be kept up to date, regardless of the meta-package company/package-with-symfony-dependencies-declared getting a new version or not.

Note! Again, this will potentially create A LOT of pull requests. You probably want to combine this option with either a block list or an allow list, or maybe with security_updates_only. Or you might be looking for the option allow_update_indirect_with_direct.