How to find out, what URLs Composer will need to access for loading packages?

Question

I'm working behind a corporate proxy, that only permit connections to a defined list of URLs. So I need to communicate to the admin, what URLs I need for my application. Well, in either case access to https://getcomposer.org and https://packagist.org is needed. And most likely also to https://github.com. But the packages (dependencies and their dependencies, and the dependencies of their dependencies etc.) might need further connections.

How to find out, what connections will be needed for a given application (or better: for a given composer.json)?

Answer 1

With the latest version of composer

$ composer --version

Composer version 1.5.1 2017-08-09 16:07:22

and assuming you have run

$ composer clear-cache

to clear the local cache (otherwise composer will install from the local cache and not download from anywhere) and you have run

$ rm -rf vendor

to clear the vendor directory (as otherwise there's no need to install anything), and also assuming dependencies are installed from dist, run

$ composer install -vvv 2>&1 | grep -oP '(?<=Downloading )http(s)?.*'

Depending on whether composer.lock exists, this will produce different results, though:

composer.lock exists

composer has the information about where to fetch what dependency from, so it will only download from the GitHub API in this case.

https://api.github.com/repos/symfony/filesystem/zipball/b32a0e5f928d0fa3d1dd03c78d020777e50c10cb
https://api.github.com/repos/symfony/event-dispatcher/zipball/54ca9520a00386f83bca145819ad3b619aaa2485
https://api.github.com/repos/php-fig/log/zipball/4ebe3a8bf773a19edfe0a84b6585ba3d401b724d
https://api.github.com/repos/symfony/debug/zipball/084d804fe35808eb2ef596ec83d85d9768aa6c9d
...

composer.lock does not exist

composer will download meta data from packagist.org first:

https://packagist.org/packages.json
http://packagist.org/p/provider-2013%2456386a41dbd41eab668ffb05897f08b3d6976a85f637cecc2b4355a8c747f315.json
http://packagist.org/p/provider-2014%2483b2e5e0311688cd390926bf3970c838fe101b3fdd40a9c8c1717a367b3c87a5.json
http://packagist.org/p/provider-2015%24318fb1f4ae87f2f15840c4dd9113d965a3c6da36a45ba1278caacdf0e4471ea7.json
...

followed by downloading data from the GitHub API

https://api.github.com/repos/symfony/filesystem/zipball/b32a0e5f928d0fa3d1dd03c78d020777e50c10cb
https://api.github.com/repos/symfony/event-dispatcher/zipball/54ca9520a00386f83bca145819ad3b619aaa2485
https://api.github.com/repos/php-fig/log/zipball/4ebe3a8bf773a19edfe0a84b6585ba3d401b724d
https://api.github.com/repos/symfony/debug/zipball/084d804fe35808eb2ef596ec83d85d9768aa6c9d
...

Note

Redirecting the output from STDERR to STDOUT as composer outputs the relevant information in verbose mode to STDERR with

$ composer install -vvv 2>&1 | grep -oP '(?<=Downloading )http(s)?.*'

and then piping that output into grep, using a positive lookbehind to match everything that matches http(s)?.* preceded by Downloading.