[dependencies] Consolidate on composer-dependency-analyser (#135) (#136)

* [dependencies] Consolidate on composer-dependency-analyser (#135)

* Update wiki submodule pointer for PR #136

* [dependencies] Add dump usage passthrough support (#135)

* [dependencies] Reuse packaged analyser config (#135)

* Update wiki submodule pointer for PR #136

* [dependencies] Detect packaged analyser context safely (#135)

* Update wiki submodule pointer for PR #136

* [dependencies] Support report-only outdated threshold (#135)

* [dependencies] Update max-outdated default value to -1 and remove run-dependencies-check input

Signed-off-by: Felipe Sayão Lobato Abreu <github@mentordosnerds.com>

---------

Signed-off-by: Felipe Sayão Lobato Abreu <github@mentordosnerds.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

Author: coisa

.github/wiki

@@ -8,33 +8,23 @@ on:
                 required: false
                 type: number
                 default: 80
-            run-dependencies-check:
-                description: Whether to run the dependency health check during CI.
-                required: false
-                type: boolean
-                default: true
             max-outdated:
                 description: Maximum number of outdated packages allowed by the dependencies command.
                 required: false
                 type: number
-                default: 5
+                default: -1
     workflow_dispatch:
         inputs:
             min-coverage:
                 description: Minimum line coverage percentage enforced by dev-tools tests.
                 required: false
                 type: number
                 default: 80
-            run-dependencies-check:
-                description: Whether to run the dependency health check during CI.
-                required: false
-                type: boolean
-                default: true
             max-outdated:
                 description: Maximum number of outdated packages allowed by the dependencies command.
                 required: false
                 type: number
-                default: 5
+                default: -1
     pull_request:
         paths:
           - 'src/**'
@@ -126,9 +116,7 @@ jobs:
     dependency-health:
         needs: resolve_php
         name: Dependency Health
-        if: ${{ github.event_name != 'workflow_call' || inputs.run-dependencies-check }}
         runs-on: ubuntu-latest
-        continue-on-error: true
         env:
             TESTS_ROOT_VERSION: ${{ github.event_name == 'pull_request' && format('dev-{0}', github.event.pull_request.head.ref) || 'dev-main' }}
             FORCE_COLOR: '1'
@@ -162,4 +150,4 @@ jobs:
             - name: Run dependency health check
               env:
                 COMPOSER_ROOT_VERSION: ${{ env.TESTS_ROOT_VERSION }}
-              run: composer dev-tools dependencies -- --max-outdated=${{ inputs.max-outdated || 5 }}
+              run: composer dev-tools dependencies -- --max-outdated=${{ inputs.max-outdated || -1 }}

.github/workflows/tests.yml

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Consolidate dependency analysis on `composer-dependency-analyser`, add a reusable packaged analyzer config, remove the redundant `composer-unused` dependency, and expose `--dump-usage` plus report-only `--max-outdated=-1` support (#135)
+
 ## [1.14.0] - 2026-04-20
 
 ### Added

CHANGELOG.md

@@ -60,10 +60,12 @@ You can also run individual commands for specific development tasks:
 # Run PHPUnit tests
 composer dev-tools tests
 
-# Analyze missing, unused, and outdated Composer dependencies
+# Analyze missing, unused, misplaced, and outdated Composer dependencies
 composer dependencies
 composer dependencies --max-outdated=8
+composer dependencies --max-outdated=-1
 composer dependencies --dev
+composer dependencies --dump-usage=symfony/console
 composer dependencies --upgrade --dev
 
 # Analyze code metrics with PhpMetrics

README.md

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Fast Forward Development Tools for PHP projects.
+ *
+ * This file is part of fast-forward/dev-tools project.
+ *
+ * @author   Felipe Sayão Lobato Abreu <github@mentordosnerds.com>
+ * @license  https://opensource.org/licenses/MIT MIT License
+ *
+ * @see      https://github.com/php-fast-forward/
+ * @see      https://github.com/php-fast-forward/dev-tools
+ * @see      https://github.com/php-fast-forward/dev-tools/issues
+ * @see      https://php-fast-forward.github.io/dev-tools/
+ * @see      https://datatracker.ietf.org/doc/html/rfc2119
+ */
+
+use FastForward\DevTools\Config\ComposerDependencyAnalyserConfig;
+
+return ComposerDependencyAnalyserConfig::configure();

composer-dependency-analyser.php

@@ -49,7 +49,6 @@
         "fakerphp/faker": "^1.24",
         "fast-forward/phpdoc-bootstrap-template": "^2.0",
         "friendsofphp/php-cs-fixer": "^3.95",
-        "icanhazstring/composer-unused": "^0.9.6",
         "jolicode/jolinotif": "^3.3",
         "nikic/php-parser": "^5.7",
         "php-di/php-di": "^7.1",
@@ -68,7 +67,7 @@
         "rector/jack": "^0.5",
         "rector/rector": "^2.4",
         "saggre/phpdocumentor-markdown": "^1.0",
-        "sebastian/diff": "^7.0",
+        "sebastian/diff": "^7.0 || ^8.0",
         "shipmonk/composer-dependency-analyser": "^1.8.4",
         "symfony/config": "^7.4 || ^8.0",
         "symfony/console": "^7.4 || ^8.0",

composer.json

@@ -47,7 +47,7 @@ subprocess execution is needed.
      - Runs PHPUnit with optional coverage output.
    * - ``FastForward\DevTools\Console\Command\DependenciesCommand``
      - ``dependencies``
-     - Reports missing, unused, and outdated Composer dependencies.
+     - Reports missing, unused, misplaced, and outdated Composer dependencies.
    * - ``FastForward\DevTools\Console\Command\MetricsCommand``
      - ``metrics``
      - Builds the PhpMetrics site and JSON artifacts for the current project.

docs/api/commands.rst

@@ -1,16 +1,15 @@
 dependencies
 =============
 
-Analyzes missing, unused, and outdated Composer dependencies.
+Analyzes missing, unused, misplaced, and outdated Composer dependencies.
 
 Description
 -----------
 
-The ``dependencies`` command (alias: ``deps``) analyzes missing, unused, and
-overly outdated Composer dependencies using three tools:
+The ``dependencies`` command (alias: ``deps``) analyzes missing, unused,
+misplaced, and overly outdated Composer dependencies using two tools:
 
-- ``composer-unused`` - detects unused packages
-- ``composer-dependency-analyser`` - detects missing packages
+- ``composer-dependency-analyser`` - detects missing, unused, and misplaced packages
 - ``jack breakpoint`` - fails when too many outdated packages accumulate
 
 These analyzers ship as direct dependencies of ``fast-forward/dev-tools``, so
@@ -35,6 +34,9 @@ Options
 
    Default: ``5``.
 
+   Use ``-1`` to keep the outdated dependency report in the output while
+   ignoring Jack failures in the final command status.
+
 ``--upgrade`` (optional)
    Applies the Jack upgrade workflow before the analyzers:
 
@@ -49,6 +51,10 @@ Options
 ``--dev`` (optional)
    Prioritizes dev dependencies where Jack supports it.
 
+``--dump-usage=<package>`` (optional)
+   Asks ``composer-dependency-analyser`` to dump usages for the given package
+   or wildcard pattern and enables ``--show-all-usages`` automatically.
+
 Examples
 --------
 
@@ -64,12 +70,24 @@ Allow up to 10 outdated packages:
 
    composer dependencies --max-outdated=10
 
+Report outdated packages without failing on their count:
+
+.. code-block:: bash
+
+   composer dependencies --max-outdated=-1
+
 Preview the upgrade workflow:
 
 .. code-block:: bash
 
    composer dependencies --dev
 
+Dump all matched usages for one package:
+
+.. code-block:: bash
+
+   composer dependencies --dump-usage=symfony/console
+
 Apply the upgrade workflow and then analyze dependencies:
 
 .. code-block:: bash
@@ -91,7 +109,7 @@ Exit Codes
    * - Code
      - Meaning
    * - 0
-     - Success. No missing, unused, or excessive outdated dependencies.
+     - Success. No missing, unused, misplaced, or excessive outdated dependencies.
    * - 1
      - Failure. A dependency analyzer or Jack reported findings or errors.
 
@@ -100,14 +118,22 @@ Behavior
 
 - Always previews or applies ``jack raise-to-installed`` first and then
   ``jack open-versions`` before running the analyzers.
-- Runs ``composer-unused``, ``composer-dependency-analyser``, and
-  ``jack breakpoint`` after the Jack preview or upgrade phase.
+- Runs ``composer-dependency-analyser`` and ``jack breakpoint`` after the Jack
+  preview or upgrade phase.
 - ``composer-dependency-analyser`` is configured with:
-  - ``--ignore-unused-deps`` (leaves unused detection to ``composer-unused``)
-  - ``--ignore-prod-only-in-dev-deps`` (ignores dev-only usage in production code)
+  - ``--config composer-dependency-analyser.php`` (resolved through the package
+    file locator so consumer repositories can override it locally)
+  - the packaged ``composer-dependency-analyser.php`` delegates to
+    ``FastForward\DevTools\Config\ComposerDependencyAnalyserConfig`` so
+    consumer repositories can extend the baseline instead of copying it whole
+  - ``--dump-usages <package>`` and ``--show-all-usages`` when ``--dump-usage``
+    is passed to the DevTools command
 - ``jack breakpoint`` maps ``--max-outdated`` to Jack's ``--limit`` option.
+- ``--max-outdated=-1`` keeps ``jack breakpoint`` in the workflow for reporting,
+  but its failure is ignored so only missing or unused dependency findings fail
+  the command.
 - ``--upgrade`` applies Jack's ``raise-to-installed`` and ``open-versions``
   commands before ``composer update -W`` and ``composer normalize``.
-- Returns a non-zero exit code when missing, unused, or too many outdated
-  dependencies are found.
-- All three tools must be available in ``vendor/bin/``.
+- Returns a non-zero exit code when missing, unused, misplaced, or too many
+  outdated dependencies are found.
+- Both tools must be available in ``vendor/bin/``.

docs/commands/dependencies.rst

@@ -35,6 +35,9 @@ Commands and Their Configuration Files
    * - ``tests``
      - ``phpunit.xml``
      - Falls back to the packaged PHPUnit configuration.
+   * - ``dependencies``
+     - ``composer-dependency-analyser.php``
+     - Falls back to the packaged Composer Dependency Analyser configuration.
    * - ``phpdoc``
      - ``.php-cs-fixer.dist.php`` and ``rector.php``
      - Falls back to the packaged files; ``.docheader`` is created locally
@@ -111,6 +114,33 @@ This approach:
 - Automatically receives upstream updates
 - Only requires overriding what is needed
 
+Extending Composer Dependency Analyser Configuration
+----------------------------------------------------
+
+Instead of copying the entire ``composer-dependency-analyser.php`` file,
+consumers can extend the default configuration using the
+``ComposerDependencyAnalyserConfig`` class:
+
+.. code-block:: php
+
+   <?php
+
+   use FastForward\DevTools\Config\ComposerDependencyAnalyserConfig;
+   use ShipMonk\ComposerDependencyAnalyser\Config\Configuration;
+   use ShipMonk\ComposerDependencyAnalyser\Config\ErrorType;
+
+   return ComposerDependencyAnalyserConfig::configure(
+       static function (Configuration $configuration): void {
+           $configuration->ignoreErrorsOnPackage(
+               'vendor/package',
+               [ErrorType::UNUSED_DEPENDENCY],
+           );
+       }
+   );
+
+This approach keeps the Fast Forward baseline while letting consumer
+repositories add project-specific ignores or scan rules.
+
 What Is Not Overwritten Automatically
 --------------------------------------
 

docs/configuration/overriding-defaults.rst

@@ -142,6 +142,30 @@ Use the ``RectorConfig`` class to extend instead of replace:
 
 This approach automatically receives upstream updates while allowing additive customization.
 
+How do I extend the dependency analyser configuration without copying the whole file?
+-------------------------------------------------------------------------------------
+
+Use the ``ComposerDependencyAnalyserConfig`` class to extend instead of replace:
+
+.. code-block:: php
+
+   <?php
+
+   use FastForward\DevTools\Config\ComposerDependencyAnalyserConfig;
+   use ShipMonk\ComposerDependencyAnalyser\Config\Configuration;
+   use ShipMonk\ComposerDependencyAnalyser\Config\ErrorType;
+
+   return ComposerDependencyAnalyserConfig::configure(
+       static function (Configuration $configuration): void {
+           $configuration->ignoreErrorsOnPackage(
+               'vendor/package',
+               [ErrorType::UNUSED_DEPENDENCY],
+           );
+       }
+   );
+
+This keeps the packaged baseline while allowing project-specific analyser ignores.
+
 Can I generate coverage without running the full ``standards`` pipeline?
 ------------------------------------------------------------------------