Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Composer: write a melody with your dependencies

Composer: write a melody with your dependencies

Composer is a tool for managing dependencies in PHP: this talk starts from a basic introduction on what it is and goes through more advanced issues and solutions.


Antonello D'Ippolito

October 19, 2018


  1. COMPOSER Write a melody with your dependencies

  2. Hi there! I’m Antonello D’Ippolito Tech lead @ Member of

    PUG Roma Musician and “composer” Twitter, GitHub: @antodippo 2
  3. Composer is a tool for dependency management in PHP 3

  4. Composer is not just > composer install 4

  5. What Composer does If you ✗ Have a PHP project

    ✗ Have PHP libraries your project depends on ✗ Have PHP libraries depending on other libraries Composer will ✗ Enable you to declare your dependencies ✗ Automatically download and install them ✗ Constantly manage them 5
  6. 6 Why dependencies matters An example of a medium Symfony3

    application: ✗ Lines of code of src directory: 73.426 ✗ Lines of code of vendor directory: 855.742
  7. Actually, Composer is not a “composer” 7

  8. 8 https://github.com/composer/getcomposer.org/issues/36

  9. 9

  10. Dependencies and commands

  11. 11 composer.json ✗ Is where all dependencies are defined ✗

    Contains also info about the project or library ✗ You can create it manually or with composer init command (recommended)
  12. composer require vendor/package:1.* composer remove vendor/package composer update vendor/package composer

    update composer install 12 Basic commands
  13. 13 composer.lock ✗ Is generated automatically with composer update or

    composer install commands ✗ Is where the exact version of every package is “locked”, together with its download location
  14. Install or update? composer install will: ✗ Check if a

    composer.lock exists ✗ If not, perform a composer update to create one ✗ If composer.lock exists, install the specified versions from the lock file composer update will: ✗ Check composer.json ✗ Determine the latest versions to install based on your version specs ✗ Install the latest versions ✗ Update composer.lock to reflect the latest versions installed 14
  15. Installing a dependency 15 When you run composer install and

    it founds new dependency to install, it will: ✗ Download the package from remote repository ✗ Copy it into your <project dir>/vendor folder ✗ Generate (or update) the <project dir>/vendor/autoload.php file, so that you can just include it in your files
  16. Constraints and semantic versioning

  17. It’s a formal convention for specifying compatibility in versions numbers.

    In a MAJOR.MINOR.PATCH format, increment : ✗ MAJOR version when you make incompatible API changes ✗ MINOR version when you add functionality in a backwards-compatible manner ✗ PATCH version when you make backwards-compatible bug fixes. Semantic versioning 17 More on https://semver.org
  18. Version constraint and range ✗ Exact version constraint: 1.0.2 ✗

    Version range, with comparison operators: >=1.0 greater than or equal to 1.0 ✗ Version range, with comparison and logical operators: >=1.0 <1.1 || >=1.2 (greater than or equal to 1.0 AND less than 1.1) OR (greater than or equal to 1.2) ✗ Hyphenated (-) version range: 1.0 - 2.0 greater than or equal to 1.0.0 AND less than 2.1 18
  19. Version constraint and range ✗ Wildcard (*) version range: 1.0.*

    greater than 1.0 AND less than 1.1 ✗ Tilde (~) version range: ~1.2 greater than or equal to 1.2 AND less than 2.0.0 ~1.2.3 greater than or equal to 1.2.3 AND less than 1.3.0 (It works well with packages respecting semantic versioning) ✗ Caret (^) version range: ^1.2.3 greater than or equal to 1.2 AND less than 2.0.0 (It’s similar to ~ but it allows all non-breaking updates) 19
  20. Stability flags ✗ -stable, -dev, ecc… suffix specifies the stability

    ✗ minimum-stability field defines default stability flag: it can be dev, alpha, beta, RC or stable ✗ If you don’t specify a stability flag, Composer does it transparently: ✗ 1.2.3 become = ✗ >1.2 become > ✗ >=1.2 become >= ✗ <1.3 become < 20
  21. 21 https://semver.mwl.be

  22. composer.lock: versioning and conflicts

  23. Why version composer.lock? ✗ To share the same dependencies versions

    between all members of team ✗ To have the same dependencies versions of production environment ✗ For faster deploys (updates are slow) But there will be problems with... 23
  24. 24 CONFLICTS!

  25. Conflicts with composer.lock 25 MASTER branch Requires beer:1.0 Requires whiskey:1.0

    Updates beer:1.1 -> water:1.0 FEATURE branch Has beer:1.0 and whiskey:1.0 Updates whiskey:1.1 -> water:2.0 water:1.0 vs water:2.0
  26. Conflicts with composer.lock NOT SAFE Solve conflicts on .json Accept

    “your” or “their” .lock Run composer install NOT SAFE Solve conflicts on .json Delete .lock Run composer update SAFE Accept .json and .lock from origin Re-apply your changes 26 To solve conflicts with composer.lock you can:
  27. Conflict with composer.lock ✗ composer update is not safe: it

    changes directly version numbers, and EVERY package will be updated ✗ composer update vendor-name/package is quite safe: it changes just that package version ✗ composer install is safe: it adds just the new packages, it doesn’t change the others 27 http://naderman.de/slippy/slides/2017-11-16-SymfonyCon-composer-lock-demystified.pdf
  28. Bonus! Patching

  29. Problem with dependency When you find a bug, or need

    a modification You can fork and PR, but: ✗ your PR may not be merged ✗ if you switch on your fork, you won’t get automatic updates You can PATCH! 29
  30. Patching with Composer A GIT patch is a commit converted

    into a file, that can be applied on a different repository With cweagans/composer-patches plugin you can automatically apply a GIT patch on a package 30
  31. Patching with Composer 31

  32. Repositories

  33. Where all packages come from? ✗ Packagist.org is the default

    repository for public packages, you can submit yours ✗ You can specify other repositories, public or private, under repositories section in your composer.json file 33
  34. Packagist.org is the default Composer repository It lets you find

    packages and it knows where to download them 34
  35. ✗ Number of maintainers ✗ Activity ✗ Installations number ✗

    Host ✗ Tests ✗ Semantic versioning 35 How to choose a package
  36. ✗ Naming ✗ Composer.json ✗ Version tags ✗ packagist.org/packages/submit 36

    How to submit a package
  37. 37 How Composer works with Packagist Resolve dependencies Download packages

    Private server
  38. Availability problems 38 What if Packagist.org is down? What if

    GitHub or other sources are down? ✗ Composer cache ✗ Fork every dependency ✗ Satis ✗ Self hosted, Packagist like repository ✗ Private Packagist
  39. Private Packagist ✗ Commercial SaaS solution ✗ Mirrors your public

    and private packages ✗ Configurable with your composer.json ✗ Just put it in your repositories section in composer.json ✗ License review 39 https://packagist.com
  40. 40

  41. 41

  42. 42

  43. What if Private Packagist is down too? 43 Well… ...let’s

    find another job
  44. “Let's be honest: #ComposerPHP was the single largest contributor to

    the #PHP renaissance and modern PHP ecosystem. @seldaek and @naderman are heroes of our community. (And everyone else that's worked on Composer.) Thank you!“ 44
  45. 45 Thanks! > composer require audience/questions These slides are free

    to use under Creative Commons Attribution license Presentation template by SlidesCarnival
  46. 46 Leave a feedback on https://joind.in/talk/56ae8