Using composer correctly (confoo)

Transcript

1. using correctly
   

   View Slide

2. @igorwhiletrue
   

   View Slide

3. View Slide

4. that’s me!!!!!!
   

   View Slide

5. this thing
   

   View Slide

6. #composer on
   irc.freenode.net
   

   View Slide

7. Crash course
   

   View Slide

8. • dependency manager for PHP since 2011
   
   • inspired by bundler and npm
   
   • manages dependencies per-project
   
   • what’s wrong with PEAR? everything.
   

   View Slide

9. # composer.json
   {
   "require": {
   "silex/silex": "~1.1"
   }
   }
   

   View Slide

10. $ composer install
    

    View Slide

11. View Slide

12. • disclaimer
    
    • “best practices”
    
    • these are my opinions
    
    • composer is not perfect, many things can
    be improved, please make tickets
    
    • actually, send pull requests
    

    View Slide

13. It’s about the ecosystem
    

    View Slide

14. User designed by Wilson Joseph from the Noun Project
    maintainer consumer
    

    View Slide

15. Tag releases
    

    View Slide

16. • tracking a moving target is really hard
    
    • dev-master can change at any time
    
    • including public APIs
    
    • change cannot be avoided, but at least
    document it
    
    • bonus: downloading zips is faster and
    composer caches them
    

    View Slide

17. # CHANGELOG.md
    !
    ### 1.0.1 (2014-01-09)
    !
    * Bugfix: off-by-one error
    !
    ### 1.0.0 (2014-01-08)
    !
    * Initial release
    

    View Slide

18. $ git tag v1.0.1
    

    View Slide

19. Semantic versioning
    

    View Slide

20. View Slide

21. • Major: API breaks
    
    • Minor: Features
    
    • Patch: Bugfixes
    

    View Slide

22. • meaningful versions that describe change
    
    • declare a public API and never break it
    
    • 0.x is free-for-all, so stabilise as soon as
    possible
    
    • there is no shame in v2.0.0
    

    View Slide

23. Tilde operator
    

    View Slide

24. ~1.1
    

    View Slide

25. ~1.1
    >=1.1,<2.0
    

    View Slide

26. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0
    

    View Slide

27. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0
    

    View Slide

28. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0
    selected
    
    range
    missing
    
    features
    BC
    
    break
    

    View Slide

29. • why not use *
    
    • it matches anything
    
    • you will get unexpected versions of
    packages and BC breaks
    
    • it makes composer slow (much larger
    search space)
    
    • also: branch-alias is good
    

    View Slide

30. Security
    

    View Slide

31. • root package (user) has full control
    
    • lol security fail
    
    • replace (fixed now)
    
    • custom installers
    
    • no signed packages
    
    • tls peer verification hard (wip)
    

    View Slide

32. Stability
    

    View Slide

33. "minimum-stability": "stable"
    

    View Slide

34. "require": {
    "silex/silex": "[email protected]"
    }
    

    View Slide

35. "require": {
    "foo/bar": "@dev"
    }
    

    View Slide

36. "require": {
    "foo/bar": "@dev"
    }
    

    View Slide

37. • specifying stability is annoying
    
    • => encourages tagging releases
    
    • get tagged versions
    
    • get cached zips
    

    View Slide

38. Commit lock file
    

    View Slide

39. • install from URLs without resolving deps
    
    • much faster
    
    • ensure which version gets installed
    
    • track changes between prod versions
    

    View Slide

40. Only depend on what
    you need
    

    View Slide

41. "require": {
    "symfony/symfony": "~2.4",
    "zendframework/zendframework": "~2.2",
    "laravel/framework": "~4.1",
    "yiisoft/yii": "dev-master"
    }
    

    View Slide

42. • infectious
    
    • large packages… slow
    
    • needless dependencies
    
    • security review becomes tedious
    

    View Slide

43. Do not mess with the
    vendor dir
    

    View Slide

44. How to mess with
    vendor
    • custom installers (plugins)
    
    • custom autoloader
    
    • scripts
    

    View Slide

45. Absolutely do not
    

    View Slide

46. Absolutely do not
    • publish bugfix forks on packagist
    
    • use existing vendor names
    
    • delete tags
    

    View Slide

47. Development workflow
    

    View Slide

48. • found a bug in a lib? fix it locally.
    
    • make changes in vendor
    
    • test in context of your project
    
    • cd into vendor/foo/bar
    
    • fork on github, make branch, add git
    remote, send pull request
    

    View Slide

49. Package Structure
    

    View Slide

50. • autoloading: psr-0 vs psr-4 vs files
    
    • value of coding standards?
    
    • where to put tests?
    
    • is composer global a good idea?
    
    • composer is not a build tool
    
    • functions in php
    
    • component libraries
    
    • npm instability
    

    View Slide

51. Debugging
    

    View Slide

52. $ composer install
    Loading composer repositories with package information
    Installing dependencies (including require-dev)
    Your requirements could not be resolved to an installable set of packages.
    !
    Problem 1
    - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - Conclusion: don't install illuminate/routing v4.1.16
    - Conclusion: don't install illuminate/routing v4.1.22
    - Conclusion: don't install illuminate/routing v4.1.21
    - Conclusion: don't install illuminate/routing v4.1.15
    - Conclusion: don't install illuminate/routing v4.1.14
    - Conclusion: don't install illuminate/routing v4.1.13
    - Conclusion: don't install illuminate/routing v4.1.12
    - Conclusion: don't install illuminate/routing v4.1.11
    - Conclusion: don't install illuminate/routing v4.1.10
    - Conclusion: don't install illuminate/routing v4.1.9
    - Conclusion: don't install illuminate/routing v4.1.8
    - Conclusion: don't install illuminate/routing v4.1.7
    - Conclusion: don't install illuminate/routing v4.1.6
    - Conclusion: don't install illuminate/routing v4.1.5
    - Conclusion: don't install illuminate/routing v4.1.4
    - Conclusion: don't install illuminate/routing v4.1.3
    - Conclusion: don't install illuminate/routing v4.1.2
    - Conclusion: don't install illuminate/routing v4.1.1
    - Conclusion: don't install symfony/http-foundation v2.4.2
    - Conclusion: don't install illuminate/routing v4.1.20
    - Conclusion: don't install symfony/http-foundation v2.4.1
    - Conclusion: don't install illuminate/routing v4.1.19
    - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2].
    - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - Conclusion: don't install symfony/http-foundation v2.4.0
    - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14,
    v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/
    framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,
    

    View Slide

53. • Does the package name exist?
    
    • Is it available in the desired stability?
    
    • Are there conflicting constraints?
    

    View Slide

54. {
    "require": {
    "silex/silex": "1.0.*",
    "illuminate/routing": "4.1.*"
    }
    }
    

    View Slide

55. {
    "require": {
    "silex/silex": "~1.0",
    "illuminate/routing": "~4.1"
    }
    }
    

    View Slide

56. If all else fails
    • composer self-update
    
    • rm -rf composer.lock vendor && composer
    install
    
    • rm -rf ~/.composer/cache
    

    View Slide

57. Performance
    

    View Slide

58. • Tagged releases, lock file
    
    • Run on host (not in VM)
    
    • Disable xdebug
    
    • Use HHVM?
    

    View Slide

59. Deployment
    

    View Slide

60. • do not run composer update as part of
    your deployment
    
    • composer is not a build tool
    
    • use make, phing, ant, grunt
    
    • composer is not a deploy tool
    
    • use fabric, capistrano, rsync
    

    View Slide

61. Security Review
    

    View Slide

62. • responsibility for what we ship
    
    • includes third party deps
    
    • we should be reading the source
    
    • understand your code base, fix bugs
    

    View Slide

63. Conclusion
    

    View Slide

64. • Improve the stability and performance of
    your own projects
    
    • Improve the stability and quality of the
    entire ecosystem at the same time
    
    • Demand stability from the maintainers of
    the packages you use
    

    View Slide

65. • Semantic Versioning
    • Tilde Operator
    • Tag Releases
    

    View Slide

66. Questions?
    @igorwhiletrue
    
    igor.io
    
    semver.org
    
    getcomposer.org
    

    View Slide