When "Key repositories is a duplicate in ./composer.json", which one is used by composer?

Question

I noticed I have duplicate 'repositories' keys in my composer.json for a package that I am developing.

The package is working. So, I would like to perform a 'refactoring' in the sense that I would like to fix the code without changing behavior.

If I want to fix the error, I will have to delete the duplicated key which is NOT being used.

So, the question is:

When "Key repositories is a duplicate in ./composer.json", which one is used by composer?

In other words,

• Does composer use the first key it finds and ignore the future keys?
• Does it ignore the former keys and use the last key that it finds?, or
• Does it merge the keys' child items in some clever way?

This is the command I am running:

$ composer validate
Key repositories is a duplicate in ./composer.json at line 16
...

The composer.json looks something like this:

{
  "name": "foo/bar",
  "description": "foo bar",
  "license": "Apache-2.0",
  "type": "library",
  "repositories": [
    {"type": "composer", "url": "foo"},
    {"packagist.org": false}
  ],

  "repositories": [
    {
      "type": "vcs",
      "url": "bar"
    }
  ],

  ...
 }

Answer 1

Composer uses the seld/jsonlint to detect duplicate keys, but it uses json_decode to decode the JSON.

json_decode uses the last value it finds for a key:

>>> $json = '{"a":1,"a":10,"a":100}';
=> "{"a":1,"a":10,"a":100}"
>>> $decoded = json_decode($json)
=> {#3260
     +"a": 100,
   }
>>> $decoded->a
=> 100