# yireo/magento2-extensionchecker

> Scan the code of a Magento module

`composer require yireo/magento2-extensionchecker`

Canonical URL: https://packagento.com/yireo/magento2-extensionchecker

## At a glance

- **Vendor**: yireo (https://packagento.com/yireo.md)
- **Latest version**: 2.5.13 — released 2026-05-19
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/yireo/magento2-extensionchecker and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require yireo/magento2-extensionchecker:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Scan the code of a Magento module

## README

This extension validates the code of other extensions and is complementary to static code analysis tools like PHPCS.

### Example usage

    bin/magento yireo_extensionchecker:scan --module Yireo_ExampleAdminhtml

Running this command might give the following output:

    Dependency "Magento_Backend" not found module.xml
    Dependency "Magento_Ui" not found module.xml
    Dependency "magento/module-backend" not found composer.json. Current version is 101.0.2
    Dependency "magento/module-ui" not found composer.json. Current version is 101.1.2
    Dependency "psr/log" not found composer.json. Current version is 1.1.0

The output gives a hint to what to add to `composer.json`. For instance, a composer requirement `magento/module-ui` should be added and this could have a version constraint `^101.1` to match semantic versioning. Theoretically, this could also be `^101.0` or even `^100.0|^101.0`, but for this, deep-code analysis (by you) would be needed.

Note that you can also pass multiple modules to the `--module` flag by separating them with a comma:
```bash
bin/magento yireo_extensionchecker:scan --module Yireo_Example1,Yireo_Example2,Yireo_Example3
```

Listing dependencies (as in: dependencies detected by this ExtensionChecker) could be done with the following command: 
```bash
bin/magento yireo_extensionchecker:list-dependencies --module Yireo_Example
bin/magento yireo_extensionchecker:list-dependencies --module Yireo_Example --format=json | jq
```


### Installation
Install the module as a composer requirement for developer environments:

    composer require --dev yireo/magento2-extensionchecker
    bin/magento module:enable Yireo_ExtensionChecker
    
Note that if you want to scan a module, this module also needs to be enabled. Personally, we use this extension in our CI/CD chain, to make sure zero issues are reported at all times.

### Deprecated dependencies
Class dependencies (injected via the constructor) are inspected to see if they are deprecated, for the used Magento version. You can skip this behaviour by adding a flag `--hide-deprecated` to the command:

    bin/magento yireo_extensionchecker:scan --module Yireo_Example --hide-deprecated=1

### Undeclared dependencies
Class dependencies (injected via the constructor) are traced back to their corresponding module (or the framework or something else), which should be reflected upon in the `composer.json` file and the `module.xml` file. Of each composer dependencies, the current version is also reported.

Also, by tokenizing the PHP source, it is detected whether the `composer.json` file should reflect a specific PHP extension (for example, `ext-json`) when an extension-specific PHP function is used (for example, `json_encode`).

### @todo: Hard-coded Proxies
A Proxy is a DI trick which should be configured in the `di.xml` file of a module and not be hard-coded in PHP. The extension could report this.

### @todo: Check other methods for signature
If another method than the constructor contains type hints for imported namespaces, those namespaces lead to further dependencies with the module. For example, if a specific method returns an object of type `Magento/ModuleX/SomeInterface` then `Magento_ModuleX` would need to be reported as a dependency.

### @todo: Scan for `@since`
Scan class dependencies for `@since` and double-check if this minimum version matches with the composer requirements.

### File `.yireo-extension-checker.json`
Sometimes a scan shows that dependencies are not needed, even though you disagree. To override this, you can add a file
`.yireo-extension-checker.json` to your module folder with a content like the following:

```json
{
  "ignore": [
    "Yireo_Example",
    "yireo/magento2-example"
  ]
}
```


### Tip: Check multiple modules 
You can quickly check upon multiple modules with a command like this:

```bash
bin/magento yireo_extensionchecker:scan --module $(bin/magento module:status --enabled | grep -e Yireo_ | awk '{printf "%s%s",sep,$0; sep=","} END{print""}') --hide-needless 1 --hide-deprecated 1
```

### Generate module.xml
Based on the found dependencies, a sample `module.xml` output can be generated. Note that you will need to copy and paste the output yourself:

```bash
bin/magento yireo_extensionchecker:suggest:module-xml Yireo_Example
```

Likewise, the `require` section of the `composer.json` file can be generated too:

```bash
bin/magento yireo_extensionchecker:suggest:composer-json Yireo_Example
```

## Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

### [Unreleased]

### [2.5.13] - 19 May 2026
#### Fixed
- When suggesting composer.json, do not override original semver

### [2.5.12] - 20 October 2025
#### Fixed
- Normalize class names in getComponentByClass method, fixes #66

### [2.5.11] - 16 October 2025
#### Fixed
- Additional debugging with -vvv
- Remember components already created

### [2.5.10] - 09 October 2025
#### Fixed
- Copy generic CI/CD files
- Make sure ignore list is only loaded once
- Implement ignore-list in missing dependencies
- Upgrade actions/checkout@v4
- Upgrade GitHub Action to PHP 8.3 and Magento 2.4.7
- Add exception if (dependent) module really can't be found
- Steps to depend less on module to be enabled

### [2.5.9] - 05 June 2025
#### Fixed
- Add option to skip license validation in composer.json #62 @iranimij
- Remove `Composer\Console\Input\InputArgument` #61 @frqnck
- Add $moduleName to output messages where not currently implemented #60 @gwharton

### [2.5.8] - 02 June 2025
#### Fixed
- Suggest composer output CLI based on current composer.json

### [2.5.7] - 28 May 2025
#### Fixed
- Fix wildcard output for `ext-` in new CLI

### [2.5.6] - 28 May 2025
#### Fixed
- New CLI for suggesting composer.json and module.xml

### [2.5.5] - 22 May 2025
#### Fixed
- Add `.yireo-extension-checker.json` file

### [2.5.4] - 22 May 2025
#### Fixed
- Search PHTML templates for classes

### [2.5.3] - 17 May 2025
#### Fixed
- Add composer/composer to deps because of usage Composer API
- Properly find classes behind factory classes
- Update MODULE.json
- Detect PHP classes in etc/ XML files
- Remove default param
- Do not skip abstract classes and interfaces when finding deps
- Do not skip test classes
- Add PHP 8.4
- Detect invalid composer license
- If no composer name, show module name

### [2.5.2] - 27 April 2025
#### Fixed
- Prevent error if not semver version
- Fix PHP 8.4 deprecations
- Drop PHP 7.4
- Allow for whitelisting specific modules like `Magento_Store`

## [2.5.1] = 21 January 2025
#### Fixed
- Not every occurance of find() is a CLI command (#58 @gwharton)

## [2.5.0] = 6 January 2025
#### Fixed
- Prevent deps from deps to be reported #26

#### Added
- New command `inspect-class`

## [2.4.4] = 29 August 2024
#### Fixed
- Prevent exception when require and/or require-dev is empty

## [2.4.3] = 23 August 2024
#### Fixed
- Fixes for dev requirements

## [2.4.2] = 12 August 2024
#### Fixed
- Changed call in Nikic parser


## [2.4.1] = 24 June 2024
#### Fixed
- Added JSON format to module list output

## [2.4.0] = 21 June 2024
#### Added
- New CLI `yireo_extensionchecker:list:modules` (module name, enabled/disabled, composer version)

## [2.3.4] = 8 May 2024
#### Fixed
- Do not pick up on nodes that are functions #54 @sprankhub

## [2.3.3] = 10 April 2024
#### Fixed
- Remove exception for module with no sequence #52 @iranimij

## [2.3.2] = 26 March 2024
#### Fixed
- Fix name issues #50 @iranimij

## [2.3.1] = 3 February 2024
#### Fixed
- Additional fixes in performance

## [2.3.0] = 12 December 2023
#### Added
- Check multiple modules at once by passing comma-seperated module-names to scan command #46 @iranimij


## [2.2.10] = 3 November 2023
#### Fixed
- Detect more dependencies

## [2.2.9] = 15 October 2023
#### Fixed
- Cleanup old code with dynamic properties

## [2.2.8] = 28 February 2023
#### Fixed
- Add compatibility with older `composer` commands that lack `no-scripts` flag

## [2.2.7] = 21 February 2023
#### Fixed
- Argument type compilation error

## [2.2.6] = 27 December 2022
#### Added
- Add difference between hard and soft dependencies
- Add XML-file collector for `etc/` folder

#### Fixed
- Make sure no table is outputted when messages count 0

_(Changelog truncated for .md surface. Full history on https://packagento.com/yireo/magento2-extensionchecker.)_

## Recent Versions

| Version | Released |
|---|---|
| 2.5.13 | 2026-05-19 |
| 2.5.12 | 2025-10-20 |
| 2.5.11 | 2025-10-16 |
| 2.5.10 | 2025-10-09 |
| 2.5.9 | 2025-06-05 |
| 2.5.8 | 2025-06-02 |
| 2.5.7 | 2025-05-28 |
| 2.5.6 | 2025-05-28 |
| 2.5.5 | 2025-05-22 |
| 2.5.4 | 2025-05-22 |

Showing 10 of 69 versions. Full release history on https://packagento.com/yireo/magento2-extensionchecker.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| composer/semver | ^1.0\|^2.0\|^3.0 |
| ext-json | * |
| ext-pcre | * |
| ext-xml | * |
| guzzlehttp/guzzle | ^6.0\|^7.0 |
| magento/framework | ^102.0\|^103.0 |
| magento/module-catalog | ^103.0\|^104.0 |
| magento/module-customer | ^103.0 |
| nikic/php-parser | ^3.0\|^4.0\|^5.0 |
| php | ^7.4\|^8.1 |
| symfony/finder | ^3.0\|^4.0\|^5.0\|^6.0\|^7.0 |

### Require (dev)

| Package | Constraint |
|---|---|
| yireo/magento2-integration-test-helper | ~0.0.13 |

## Quality

Latest release (2.5.13) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Fail | 205 | 2 errors, 203 warnings (ruleset: Magento2) — 16 auto-fixable with phpcbf |
| PHPMD | Warning | 14 | 14 rule violations (EmptyCatchBlock:7, UnusedLocalVariable:2, UnusedFormalParameter:1, MissingImport:1, ExcessiveClassComplexity:1) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 6 | 6 | – | – |
| 2.4.8 | – | 6 | 6 | – |
| 2.4.9 | – | – | 6 | 6 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Error | Error | – | – |
| 2.4.8 | – | Error | Error | – |
| 2.4.9 | – | – | Error | not tested |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["yireo/magento2-extensionchecker"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

yireo is a Magento 2 vendor on Packagento. See https://packagento.com/yireo.md for their full catalogue.

