Skip to main content
Beta. Composer support is actively maintained but may have rough edges. Report issues at github.com/rootio-avr/rootio_patcher.
Root Library Catalog supports PHP projects managed with Composer. Patched packages are published to pkg.root.io/composer/ as a Composer repository and consumed via the Root Patcher CLI, which rewrites your composer.json and runs composer update to apply the patches.

Prerequisites

The Root Patcher CLI (rootio_patcher) is required to analyze your dependencies and apply patches. Install it before configuring your project.
For macOS Intel and Windows, see the full installation instructions. Then set your API key:
composer.lock must exist before running the patcher. If it is missing, run composer install first. The patcher reads exact resolved versions from the lock file to determine what is installed.

How Composer patching works

The patcher uses pre-install patching:
  1. Reads exact resolved versions from composer.lock
  2. Queries Root’s API for available patches
  3. Updates composer.json — direct dependencies have their version constraint updated in place; transitive dependencies are explicitly pinned in require
  4. Adds the Root Composer repository entry (pkg.root.io/composer/) permanently to composer.json
  5. Automatically runs composer update --with-dependencies <affected-packages> to download patched versions and update composer.lock
The vendor/ directory is fully populated after the patcher runs — no separate install step needed.
Platform requirements (php, ext-*) are not patched — they are managed by the OS, not Composer.

Authentication

The patcher passes credentials to Composer via the COMPOSER_AUTH environment variable. Set it before running the patcher with --dry-run=false:
Subsequent composer install runs also require COMPOSER_AUTH. Once the patcher adds the pkg.root.io repository to composer.json, every future composer install in CI/CD needs this variable set so Composer can authenticate to fetch patched packages.

Patching your project

1. Preview available patches

Example output:

2. Apply patches

The patcher updates composer.json and composer.lock and populates vendor/.

3. Commit the changes

Flags:

CI/CD Configuration

GitHub Actions

For subsequent composer install runs in other jobs or pipelines, set COMPOSER_AUTH as a repository secret and inject it into any step that runs Composer:

GitLab CI

Docker

Subsequent composer install steps (e.g. in a multi-stage build) require COMPOSER_AUTH to authenticate with pkg.root.io.

Troubleshooting