Source visibility

What the marketplace ships

Every package archive Packagento serves is built from the vendor's tagged Git release. File contents are not touched: Packagento does not strip, obfuscate, or encode source. The archive is produced by git archive at the tagged commit and then re-zipped with normalised metadata (timestamps, file modes, entry order) so the same tag rebuilt later is byte-identical. The vendor's .gitattributes export-ignore rules apply, so anything excluded there is not in the archive. If the vendor commits readable PHP, that is what you get on disk; if they commit a build artefact, that is what you get.

How to tell before you buy

The package detail page surfaces a few signals that together describe what you'll be installing:

• Source link: when the vendor's repo is public, the detail page links to it. You can read the full source on GitHub or GitLab before purchase. When the link is absent the repo is either private or the vendor has not provided one, you're relying on README, changelog, and support reputation.
• Composer type: magento2-module and magento2-theme ship the files the vendor tagged. metapackage packages contain no code of their own, they pull in other packages by Composer dependency.
• Licence: the package licence string from composer.json (MIT, proprietary, etc.) is shown on the detail page. The vendor sets it; the marketplace surfaces it as-is.

If you need to know whether a paid package contains compiled or encoded files before you license it, contact the vendor directly. The contact details are on the package detail page.

After purchase

Once licensed:

• You can read every file the dist archive contains. Composer extracts the archive into vendor/vendor/package the same as any package.
• You can patch locally using cweagans/composer-patches or your preferred patch workflow. Local patches do not affect other licensees.
• You can fork the package privately for your own use within the vendor's licence terms. Republishing a forked copy on Packagento or anywhere else is only permitted if the vendor's licence (visible on the package page) allows it.

Reporting bugs in vendor packages

Bug reports go to the vendor first; the contact details are on the package detail page. If the vendor is unresponsive after a reasonable window, get in touch through our contact form and the marketplace mediates. Security issues should be reported privately through the same contact form - please don't paste exploit details in a public issue tracker.

Related

• Composer setup - how dist archives are fetched and extracted.