Composer: write a melody with your dependencies

Composer is a tool for managing dependencies in PHP: this talk starts from a basic introduction on what it is and goes through more advanced issues and solutions.

Antonello D'Ippolito

October 19, 2018

Transcript

  1. COMPOSER
    Write a melody with your dependencies

  2. Hi there!
    I’m Antonello D’Ippolito
    Tech lead @
    Member of PUG Roma
    Musician and “composer”
    Twitter, GitHub: @antodippo

  3. Composer is a tool for dependency management in PHP

  4. Composer is not just
    > composer install

  5. What Composer does
    If you
    ✗ Have a PHP project
    ✗ Have PHP libraries your project depends on
    ✗ Have PHP libraries that depend on other libraries
    Composer will
    ✗ Enable you to declare your dependencies
    ✗ Automatically download and install them
    ✗ Keep managing them over time

  6. Why dependencies matter
    An example of a medium-sized Symfony3 application:
    ✗ Lines of code in the src directory: 73.426
    ✗ Lines of code in the vendor directory: 855.742

  7. Actually, Composer is not a “composer”

  8. https://github.com/composer/getcomposer.org/issues/36

  9. Dependencies and commands

  10. composer.json
    ✗ Is where all dependencies are defined
    ✗ Also contains info about the project or library
    ✗ You can create it manually or with the composer init command (recommended)

  11. Basic commands
    composer require vendor/package:1.*
    composer remove vendor/package
    composer update vendor/package
    composer update
    composer install

  12. composer.lock
    ✗ Is generated automatically by the composer update or composer install commands
    ✗ Is where the exact version of every package is “locked”, together with its download location

  13. Install or update?
    composer install will:
    ✗ Check if a composer.lock exists
    ✗ If not, perform a composer update to create one
    ✗ If composer.lock exists, install the specified versions from the lock file
    composer update will:
    ✗ Check composer.json
    ✗ Determine the latest versions to install based on your version specs
    ✗ Install the latest versions
    ✗ Update composer.lock to reflect the latest versions installed

  14. Installing a dependency
    When you run composer install and it finds a new dependency to install, it will:
    ✗ Download the package from the remote repository
    ✗ Copy it into your /vendor folder
    ✗ Generate (or update) the /vendor/autoload.php file, so that you can just include it in your files

  15. Constraints and semantic versioning

  16. Semantic versioning
    It’s a formal convention for specifying compatibility in version numbers.
    In a MAJOR.MINOR.PATCH format, increment:
    ✗ MAJOR version when you make incompatible API changes
    ✗ MINOR version when you add functionality in a backwards-compatible manner
    ✗ PATCH version when you make backwards-compatible bug fixes.
    More on https://semver.org

  17. Version constraint and range
    ✗ Exact version constraint:
      1.0.2
    ✗ Version range, with comparison operators:
      >=1.0 greater than or equal to 1.0
    ✗ Version range, with comparison and logical operators:
      >=1.0 <1.1 || >=1.2 (greater than or equal to 1.0 AND less than 1.1) OR (greater than or equal to 1.2)
    ✗ Hyphenated (-) version range:
      1.0 - 2.0 greater than or equal to 1.0.0 AND less than 2.1

  18. Version constraint and range
    ✗ Wildcard (*) version range:
      1.0.* greater than 1.0 AND less than 1.1
    ✗ Tilde (~) version range:
      ~1.2 greater than or equal to 1.2 AND less than 2.0.0
      ~1.2.3 greater than or equal to 1.2.3 AND less than 1.3.0
      (It works well with packages respecting semantic versioning)
    ✗ Caret (^) version range:
      ^1.2.3 greater than or equal to 1.2 AND less than 2.0.0
      (It’s similar to ~ but it allows all non-breaking updates)
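The two constraint slides above describe how Composer expands each shorthand into an explicit lower and upper bound. The following is an added illustration, written for this transcript and not Composer's own resolver: it models the shorthands from slides 17 and 18 (exact, comparison operators with || and whitespace, hyphen, wildcard, tilde, caret) as numeric MAJOR.MINOR.PATCH ranges and lets you check which versions a constraint admits. It also covers the caret rule for 0.x versions, which the slides do not show. Stability suffixes (-dev, -beta, ...) from the next slide are deliberately not modelled; the function names and sample constraints are the author's own choices, not Composer API.

```python
import re
from typing import Callable, Optional, Tuple

# Added illustration (not Composer's own code): a numeric model of the
# version-constraint shorthands. Only MAJOR.MINOR.PATCH is modelled;
# stability suffixes are ignored.

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'1.2', 'v1.2.3' or '1' -> (major, minor, patch), zero-padded."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def _bump(v: Version, index: int) -> Version:
    """Increment component `index`, zero the rest: (1,2,3),1 -> (1,3,0)."""
    nums = list(v)
    nums[index] += 1
    for i in range(index + 1, 3):
        nums[i] = 0
    return (nums[0], nums[1], nums[2])


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def constraint_range(c: str) -> Tuple[Version, Optional[Version]]:
    """One shorthand -> (lower inclusive, upper exclusive); None = unbounded."""
    c = c.strip()
    if c == "*":
        return (0, 0, 0), None
    if c.startswith("^"):
        # caret: up to the next breaking release; for 0.x the minor (or
        # patch) component is the breaking one, so ^0.3 means <0.4.0
        v = parse_version(c[1:])
        fixed = 0 if v[0] > 0 else (1 if v[1] > 0 else 2)
        return v, _bump(v, fixed)
    if c.startswith("~"):
        # tilde: the last digit given may rise, the one before it may not
        given = c[1:].count(".") + 1
        v = parse_version(c[1:])
        return v, _bump(v, max(given - 2, 0))
    if c.endswith(".*"):
        # wildcard: the starred position and everything after it are free
        base = c[:-2]
        v = parse_version(base)
        return v, _bump(v, base.count("."))
    m = re.fullmatch(r"(\S+)\s+-\s+(\S+)", c)
    if m:
        # hyphen range: inclusive on both sides; a partial right side is
        # completed with a wildcard, so "1.0 - 2.0" ends below 2.1.0
        lo = parse_version(m.group(1))
        hi_given = m.group(2).count(".") + 1
        hi = parse_version(m.group(2))
        return lo, _bump(hi, min(hi_given - 1, 2))
    v = parse_version(c)          # exact version
    return v, _bump(v, 2)


def expand(c: str) -> str:
    """Render a shorthand as the explicit range it stands for."""
    if re.fullmatch(r"v?\d+(\.\d+)*", c.strip()):
        return "==" + _fmt(parse_version(c))
    lo, hi = constraint_range(c)
    return f">={_fmt(lo)}" + (f" <{_fmt(hi)}" if hi else "")


def _predicate(term: str) -> Callable[[Version], bool]:
    """Build a version -> bool test for one operator term or shorthand."""
    term = term.strip()
    ops = ((">=", lambda v, b: v >= b), ("<=", lambda v, b: v <= b),
           ("!=", lambda v, b: v != b), (">", lambda v, b: v > b),
           ("<", lambda v, b: v < b), ("==", lambda v, b: v == b))
    for op, test in ops:
        if term.startswith(op):
            bound = parse_version(term[len(op):])
            return lambda v, t=test, b=bound: t(v, b)
    lo, hi = constraint_range(term)
    return lambda v: lo <= v and (hi is None or v < hi)


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` is admitted; '||' is OR, whitespace or ',' is AND."""
    v = parse_version(version)
    for alternative in constraint.split("||"):
        alt = alternative.strip()
        # a hyphen range contains spaces of its own, so keep it as one term
        terms = [alt] if " - " in alt else [t for t in re.split(r"[\s,]+", alt) if t]
        if terms and all(_predicate(t)(v) for t in terms):
            return True
    return False


if __name__ == "__main__":
    for c in ("1.0.2", "1.0 - 2.0", "1.0.*", "~1.2", "~1.2.3", "^1.2.3", "^0.3"):
        print(f"{c:12} -> {expand(c)}")
    compound = ">=1.0 <1.1 || >=1.2"
    for ver in ("1.0.5", "1.1.0", "1.2.0"):
        print(f"{ver} satisfies {compound!r}: {satisfies(ver, compound)}")
```

The practical point for reviewing a composer.json is that `~1.2.3` and `^1.2.3` admit different upper bounds even though both start at the same version; printing `expand()` for each constraint in a project makes those bounds explicit before an update is run.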

  19. Stability flags
    ✗ A -stable, -dev, etc. suffix specifies the stability
    ✗ The minimum-stability field defines the default stability flag: it can be dev, alpha, beta, RC or stable
    ✗ If you don’t specify a stability flag, Composer adds one transparently:
      ✗ 1.2.3 becomes =1.2.3.0-stable
      ✗ >1.2 becomes >1.2.0.0-stable
      ✗ >=1.2 becomes >=1.2.0.0-dev
      ✗ <1.3 becomes <1.3.0.0-dev

  20. https://semver.mwl.be

  21. composer.lock: versioning and conflicts

  22. Why version composer.lock?
    ✗ To share the same dependency versions between all members of the team
    ✗ To have the same dependency versions as the production environment
    ✗ For faster deploys (updates are slow)
    But there will be problems with...

  23. CONFLICTS!

  24. Conflicts with composer.lock
    MASTER branch
    Requires beer:1.0
    Requires whiskey:1.0
    Updates beer:1.1 -> water:1.0
    FEATURE branch
    Has beer:1.0 and whiskey:1.0
    Updates whiskey:1.1 -> water:2.0
    water:1.0 vs water:2.0

  25. Conflicts with composer.lock
    To solve conflicts with composer.lock you can:
    NOT SAFE: solve conflicts on .json, accept “your” or “their” .lock, run composer install
    NOT SAFE: solve conflicts on .json, delete .lock, run composer update
    SAFE: accept .json and .lock from origin, re-apply your changes

  26. Conflict with composer.lock
    ✗ composer update is not safe: it changes version numbers directly, and EVERY package will be updated
    ✗ composer update vendor-name/package is quite safe: it changes just that package’s version
    ✗ composer install is safe: it adds just the new packages, it doesn’t change the others
    http://naderman.de/slippy/slides/2017-11-16-SymfonyCon-composer-lock-demystified.pdf
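Slides 24 to 26 explain why accepting "your" or "their" composer.lock wholesale is not safe: each branch can have moved a different package, and a shared transitive dependency (water in the example) can end up locked at two different versions. The following is an added example, not part of the talk and not Composer's own code, that shows how to surface that situation before choosing a side. It reads the `packages` and `packages-dev` arrays that a real composer.lock contains (only `name` and `version` are used), compares the branch locks against their common ancestor, and reports a conflict only where both branches changed the same package to different versions. The three lock documents are constructed inline to mirror the beer/whiskey/water scenario; the function names are the author's own.

```python
import json
from typing import Dict, Optional, Tuple

# Added illustration (not Composer's own code): three-way comparison of
# composer.lock files to flag the "water:1.0 vs water:2.0" case from the
# slides instead of silently accepting one branch's lock file.

Versions = Dict[str, str]
Conflicts = Dict[str, Tuple[Optional[str], Optional[str]]]


def locked_versions(lock_text: str) -> Versions:
    """Map package name -> locked version from a composer.lock document."""
    data = json.loads(lock_text)
    out: Versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            out[pkg["name"]] = pkg["version"]
    return out


def three_way_merge(base: Versions, ours: Versions,
                    theirs: Versions) -> Tuple[Versions, Conflicts]:
    """Merge two lock states against their common ancestor.

    A package changed on only one side takes that side's version. A package
    changed on both sides to different versions is reported as a conflict
    rather than resolved. None means 'not locked on that side'."""
    merged: Versions = {}
    conflicts: Conflicts = {}
    for name in sorted(set(base) | set(ours) | set(theirs)):
        b, o, t = base.get(name), ours.get(name), theirs.get(name)
        if o == t:          # both sides agree (or both removed it)
            chosen = o
        elif o == b:        # only "theirs" moved it
            chosen = t
        elif t == b:        # only "ours" moved it
            chosen = o
        else:               # both moved it, to different versions
            conflicts[name] = (o, t)
            continue
        if chosen is not None:
            merged[name] = chosen
    return merged, conflicts


def _lock(packages: Dict[str, str]) -> str:
    """Build a minimal constructed composer.lock (only the fields used here)."""
    return json.dumps({
        "_readme": ["constructed sample for illustration, not a real lock file"],
        "packages": [{"name": n, "version": v} for n, v in packages.items()],
        "packages-dev": [],
    })


# Constructed sample data mirroring slide 24: both branches started from
# the same lock, master updated beer (pulling in water:1.0), feature
# updated whiskey (pulling in water:2.0).
BASE_LOCK = _lock({"beer": "1.0", "whiskey": "1.0"})
MASTER_LOCK = _lock({"beer": "1.1", "whiskey": "1.0", "water": "1.0"})
FEATURE_LOCK = _lock({"beer": "1.0", "whiskey": "1.1", "water": "2.0"})


def merge_slide_example() -> Tuple[Versions, Conflicts]:
    """Run the three-way merge on the constructed slide scenario."""
    return three_way_merge(locked_versions(BASE_LOCK),
                           locked_versions(MASTER_LOCK),
                           locked_versions(FEATURE_LOCK))


if __name__ == "__main__":
    merged, conflicts = merge_slide_example()
    for name, version in merged.items():
        print(f"take      {name}:{version}")
    for name, (o, t) in conflicts.items():
        print(f"CONFLICT  {name}: master has {o}, feature has {t}; "
              f"settle it in composer.json, then run composer update {name}")
```

The merged map shows what a clean combination looks like (beer:1.1 from master, whiskey:1.1 from feature), and the conflict list is exactly the set of packages for which neither `--ours` nor `--theirs` is correct, which is why the slide's safe path (take origin's files, then re-apply your own change with `composer update vendor-name/package`) is preferable to a blanket `composer update`.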

  27. Bonus! Patching

  28. Problem with a dependency
    When you find a bug, or need a modification
    You can fork and PR, but:
    ✗ your PR may not be merged
    ✗ if you switch to your fork, you won’t get automatic updates
    You can PATCH!

  29. Patching with Composer
    A GIT patch is a commit converted into a file that can be applied on a different repository
    With the cweagans/composer-patches plugin you can automatically apply a GIT patch on a package

  30. Patching with Composer

  31. Repositories

  32. Where do all packages come from?
    ✗ Packagist.org is the default repository for public packages; you can submit yours
    ✗ You can specify other repositories, public or private, under the repositories section in your composer.json file

  33. Packagist.org is the default Composer repository
    It lets you find packages and it knows where to download them

  34. How to choose a package
    ✗ Number of maintainers
    ✗ Activity
    ✗ Number of installations
    ✗ Host
    ✗ Tests
    ✗ Semantic versioning

  35. How to submit a package
    ✗ Naming
    ✗ composer.json
    ✗ Version tags
    ✗ packagist.org/packages/submit

  36. How Composer works with Packagist
    (diagram: resolve dependencies, download packages, private server)

  37. Availability problems
    What if Packagist.org is down?
    What if GitHub or other sources are down?
    ✗ Composer cache
    ✗ Fork every dependency
    ✗ Satis
    ✗ Self-hosted, Packagist-like repository
    ✗ Private Packagist

  38. Private Packagist
    ✗ Commercial SaaS solution
    ✗ Mirrors your public and private packages
    ✗ Configurable with your composer.json
    ✗ Just put it in your repositories section in composer.json
    ✗ License review
    https://packagist.com

  39. What if Private Packagist is down too?
    Well…
    ...let’s find another job

  40. “Let's be honest: #ComposerPHP was the single largest contributor to the #PHP renaissance and modern PHP ecosystem. @seldaek and @naderman are heroes of our community. (And everyone else that's worked on Composer.) Thank you!”

  41. Thanks!
    > composer require audience/questions
    These slides are free to use under the Creative Commons Attribution license
    Presentation template by SlidesCarnival

  42. Leave feedback on https://joind.in/talk/56ae8