Private or Commercial WordPress Plugins as Composer Dependencies

In case it’s of help to anyone else, I was able to resolve my issue as follows. I’ll note that I thought I would have to create my own private GitHub repository for the plugin I wanted to include as a dependency because I thought it was private, but it turned out that the plugin has its own public GitHub repository, and so I’m not sure if the resolution here would help with a private dependency (it might!).

Thanks to Daggerhart Lab for providing this guide, which set me on the right track. Essentially, I was able to include this buddyboss-platform WordPress plugin as a dependency in a local WordPress installation using default Bedrock even though the plugin already has a composer.json file in its own root by treating it as a “package” of “type” wordpress-plugin. I’ll post the relevant part of my local composer.json below so you can see how it worked following Daggerhart’s guide.

  "repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org",
      "only": ["wpackagist-plugin/*", "wpackagist-theme/*"]
    },
    {
      "type": "package",
      "package": {
        "name": "buddyboss/buddyboss-platform",
        "version": "2.2.7",
        "type": "wordpress-plugin",
        "source": {
          "url": "https://github.com/buddyboss/buddyboss-platform.git",
          "type": "git",
          "reference": "2.2.7"
        }
      }
    }
  ],
  "require": {
    "php": ">=7.4",
    "composer/installers": "^2.2",
    "vlucas/phpdotenv": "^5.5",
    "oscarotero/env": "^2.1",
    "roots/bedrock-autoloader": "^1.0",
    "roots/bedrock-disallow-indexing": "^2.0",
    "roots/wordpress": "6.1.1",
    "roots/wp-config": "1.0.0",
    "roots/wp-password-bcrypt": "1.1.0",
    "wpackagist-theme/twentytwentythree": "^1.0",
    "buddyboss/buddyboss-platform": "2.2.7"
  },
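Added example, not part of the original post and not code from Composer, Bedrock or BuddyBoss: with a `package` repository, the inline definition in your own composer.json is the only metadata Composer has for the plugin, and `"reference": "2.2.7"` names a git tag, which can be moved to a different commit. The Python sketch below audits a composer.json for inline package definitions that use a tag or branch as the reference, a cleartext URL, or a `dist` archive without a `shasum`. The function name `audit_inline_packages` and the pinned commit id are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlparse

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")   # full git commit id
CLEARTEXT = {"http", "git", "ftp"}         # unauthenticated transports

def audit_inline_packages(composer):
    """Return findings for every inline 'package' repository definition."""
    repos = composer.get("repositories", [])
    if isinstance(repos, dict):            # Composer also accepts a keyed object
        repos = list(repos.values())
    findings = []
    for repo in repos:
        if not isinstance(repo, dict) or repo.get("type") != "package":
            continue
        pkgs = repo.get("package", [])
        for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
            name = pkg.get("name", "<unnamed>")
            src, dist = pkg.get("source"), pkg.get("dist")
            for label, loc in (("source", src), ("dist", dist)):
                if loc and urlparse(loc.get("url", "")).scheme in CLEARTEXT:
                    findings.append(f"{name}: {label} url uses a cleartext transport")
            if src and not FULL_SHA.match(str(src.get("reference", ""))):
                findings.append(f"{name}: source reference '{src.get('reference')}' "
                                "is a tag or branch, not a full commit SHA")
            if dist and not dist.get("shasum"):
                findings.append(f"{name}: dist archive has no shasum")
    return findings

# Constructed sample: the inline package definition from the post above.
AS_POSTED = json.loads("""{"repositories": [
  {"type": "composer", "url": "https://wpackagist.org"},
  {"type": "package", "package": {
    "name": "buddyboss/buddyboss-platform", "version": "2.2.7",
    "type": "wordpress-plugin",
    "source": {"url": "https://github.com/buddyboss/buddyboss-platform.git",
               "type": "git", "reference": "2.2.7"}}}]}""")

# Same definition with a placeholder commit id (not a real BuddyBoss commit).
PINNED = json.loads(json.dumps(AS_POSTED))
PINNED["repositories"][1]["package"]["source"]["reference"] = "0123456789abcdef" * 2 + "01234567"

if __name__ == "__main__":
    for finding in audit_inline_packages(AS_POSTED):
        print(finding)
```

To pin for real, replace the placeholder with the commit id the 2.2.7 tag resolves to in a clone you have reviewed.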