Vendors
Missing dependency detection
When one of your tagged versions requires another package that doesn't exist on Packagento yet, we flag it for you and, where we can, add it automatically.
What an unresolved require is
Every time you push a semver tag, Packagento reads the tag's composer.json and records every entry in its require block. An unresolved require is one of those entries that names a package no Packagento package has been added for yet. The dependency is real - your code asks for it - but the marketplace has no metadata or archive to serve, so a buyer running composer install against your parent package will fail on that line.
Platform requires (php, ext-*, the Composer plugin API) are not unresolved requires. Composer resolves those against the buyer's host. Only vendor/name-style Composer packages can be unresolved.
Where it surfaces
Two places, both inside your account:
- Your vendor dashboard: a "Missing dependencies" card lists each missing required package, the parent package and version that asks for it, and an Add shortcut. The card only appears while at least one of your tags has an unresolved require; it disappears the moment the list empties.
- The package detail page: on the parent package's view in your account, a "Missing dependencies in your tags" panel lists the unresolved requires for that specific package, together with the version they first appeared in and when we first saw them.
The first-occurrence email
The first time a new unresolved require is detected for your vendor, we send you an email with the missing package name and the parent that requires it. The email is a one-time nudge: once a row has been notified, subsequent ingests of the same require do not re-email. You'll only get a fresh email if the require disappears from your tags and later reappears.
If a single ingest produces a large burst of new unresolved requires for your vendor (typically a bulk-upload misconfiguration), the batch is held back for review instead of going out as one oversized email. The dashboard card still shows every row.
Auto-add for same-vendor candidates
When the missing required package is inside your own vendor namespace, Packagento can register it for you. The conditions are deliberately strict:
- The required package's vendor segment matches a vendor namespace you own. Cross-vendor requires are never auto-added.
- Across all the Git integrations you've connected, exactly one repository has a
composer.jsonwhosenamefield matches the missing required name. Zero matches means we wait for you; two or more means we wait for you to disambiguate. - That composer name does not already exist on Packagento under a different vendor. Cross-vendor collisions are routed through the claim review flow instead.
- The integration that owns the matching repo has finished its current sync. Mid-sync candidates are held until the listing is fresh.
When all of those hold, Packagento registers the repository as a hidden dependency: not listed in browse, not purchasable on its own, free to anyone who licenses a parent package that requires it. The newly added package then ingests normally - the same flow as if you had added it through the wizard - and the unresolved entry clears.
Auto-add is on by default. The marketplace operator can switch it off, in which case the dashboard card and the first-occurrence email are how you find out, and you add the missing package yourself.
How to resolve manually
You have three options. Pick whichever fits the situation:
- Add the missing package. Open the add-package wizard, point it at the repository that holds the required code, and add it. If it's only used as a dependency of one of your other packages, set its visibility to "Hidden dependency" so it stays out of public browse.
- Drop the require. If the require in your parent's
composer.jsonis wrong - a leftover from an internal project, a misnamed package - remove it and tag a new version. The next ingest sees the require is gone and clears the unresolved entry. - Let auto-add handle it. For requires inside your own vendor namespace where exactly one connected repo matches, you don't have to do anything. Packagento checks periodically and registers the inclusion when the conditions are met.
What gets resolved when the missing package becomes available
The moment the missing package is added - whether by you, by auto-add, or by an admin - Packagento back-fills every previously-unresolved reference to it. You don't need to re-tag the parent. Existing tags that pointed at the missing name pick up the new package immediately, the dashboard card drops the row, the per-package panel drops it too, and buyers' next composer install of an affected parent version succeeds.
See also
- Metapackages and hidden dependencies - how hidden dependencies ride on a parent package's licence.
- Package publishing - the broader add-package and tagged-release flow.