squizlabs/PHP_CodeSniffer - fails in Composer.phar

I think the composer.lock file needs to be updated. It keeps failing on:


I’ve considered simply deleting this line from composer.json & composer.lock, but I don’t know how necessary this file is.



Can you expand on what you are trying to do and how it fails.

Running composer install on a git clone of the Matomo repository works without an issue

I get a curl error 28 - connection timed out. Sometimes it asks for a token first. I’ve tried with my personal github token. No dice.

I also tried with the squizlabs/php_codesniffer removed from the composer json because that seemed to be the hangup. It just hung up on another codesniffer from another source.

Is there a way to download a matomo with the developer files already in place? The issues I’m having with composer (wrestling for 3 days) are a huge hangup. And I need to do some development in matomo.


Is there maybe some firewall in your internet connection that is blocking this specific request?

You could try composer install --no-dev or not only remove the "squizlabs/php_codesniffer": "^3.5", line, but also the composer.lock file to not install php_codesniffer at all.

So people who can’t connect out directly from their machine due to security cannot get a matomo dev instance?


I am not sure what the alternative is. If you can’t access the packagist repostory composer uses, you could try using a mirror of it: https://packagist.org/mirrors

But without access to download php libraries, it is hard to set up a development environment.


This makes Matomo dev hard for users in enterprise environments behind firewalls. I’d have the same problem with a mirror–against company policy. It’s the idea of a VM going out to a bunch of sites and bringing data back, rather than a single package that can be scanned.



So what would be a solution that would work in your company environment?

you could download the latest matomo.zip from https://builds.matomo.org/ and use the vendor/ directory and composer.json and composer.lock from there.


A solution would be a Matomo that has the files that composer provides bundled with it.