Using composer correctly (confoo)

Igor Wiedler
February 26, 2014

Transcript

  1. using correctly

  2. @igorwhiletrue

  3. (image-only slide, no text)

  4. that’s me!!!!!!

  5. this thing

  6. #composer on irc.freenode.net

  7. Crash course

  8. • dependency manager for PHP since 2011

    • inspired by bundler and npm

    • manages dependencies per-project

    • what’s wrong with PEAR? everything.

  9. # composer.json
    {
        "require": {
            "silex/silex": "~1.1"
        }
    }

  10. $ composer install

  11. (image-only slide, no text)

  12. • disclaimer

    • “best practices”

    • these are my opinions

    • composer is not perfect, many things can
    be improved, please make tickets

    • actually, send pull requests

  13. It’s about the ecosystem

  14. maintainer / consumer (icon: User designed by Wilson Joseph from the Noun Project)

  15. Tag releases

  16. • tracking a moving target is really hard

    • dev-master can change at any time

    • including public APIs

    • change cannot be avoided, but at least document it

    • bonus: downloading zips is faster and composer caches them

  17. # CHANGELOG.md

    ### 1.0.1 (2014-01-09)

    * Bugfix: off-by-one error

    ### 1.0.0 (2014-01-08)

    * Initial release

  18. $ git tag v1.0.1

  19. Semantic versioning

  20. (image-only slide, no text)

  21. • Major: API breaks

    • Minor: Features

    • Patch: Bugfixes

  22. • meaningful versions that describe change

    • declare a public API and never break it

    • 0.x is free-for-all, so stabilise as soon as possible

    • there is no shame in v2.0.0

  23. Tilde operator

  24. ~1.1

  25. ~1.1 means >=1.1,<2.0

  26. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0

  27. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0

  28. 1.0.0
    1.0.1 1.0.2 1.0.3
    1.1.0
    1.1.1 1.1.2 1.1.3 1.1.4
    1.2.0
    1.2.1
    2.0.0
    (annotations drawn on the slide: "selected", "range", "missing features", "BC break")

  29. • why not use *

    • it matches anything

    • you will get unexpected versions of packages and BC breaks

    • it makes composer slow (much larger search space)

    • also: branch-alias is good

  30. Security

  31. • root package (user) has full control

    • lol security fail

    • replace (fixed now)

    • custom installers

    • no signed packages

    • tls peer verification hard (wip)

  32. Stability

  33. "minimum-stability": "stable"

  34. "require": {
        "silex/silex": "~1.1@dev"
    }

  35. "require": {
    "foo/bar": "@dev"
    }

  36. "require": {
    "foo/bar": "@dev"
    }

  37. • specifying stability is annoying

    • => encourages tagging releases

    • get tagged versions

    • get cached zips

  38. Commit lock file

  39. • install from URLs without resolving deps

    • much faster

    • ensure which version gets installed

    • track changes between prod versions
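
The Security slide (31), the stability slides (33-37) and the lock-file slide (39) each name something a consumer should look at before trusting an install. The script below is an added example written for this transcript; it is not code from the deck or from Composer. It reads a composer.json and a composer.lock and reports constraints that follow branches or lower stability, a root-level `replace` block, repositories or dist archives not served over https, and locked packages that have no cached dist archive or no commit reference. Both JSON documents are constructed samples, and the helper names `auditRequirements` and `auditLock` are this example's own.

```php
<?php
// Added example, not code from the deck or from Composer. It reads a composer.json
// and a composer.lock and reports the things the Security, Stability and
// "Commit lock file" slides warn about. Both documents below are constructed samples.

$composerJson = <<<'JSON'
{
    "require": {
        "silex/silex": "~1.1",
        "foo/bar": "@dev",
        "acme/everything": "*",
        "yiisoft/yii": "dev-master"
    },
    "replace": {
        "symfony/http-foundation": "*"
    },
    "repositories": [
        {"type": "vcs", "url": "http://git.example.test/acme/everything.git"}
    ]
}
JSON;

$composerLock = <<<'JSON'
{
    "packages": [
        {"name": "silex/silex", "version": "v1.1.2",
         "dist": {"type": "zip", "url": "https://dist.example.test/silex-1.1.2.zip", "reference": "a1b2c3"}},
        {"name": "foo/bar", "version": "dev-master",
         "source": {"type": "git", "url": "https://git.example.test/foo/bar.git", "reference": "d4e5f6"}},
        {"name": "acme/everything", "version": "2.0.0",
         "dist": {"type": "zip", "url": "http://git.example.test/acme/everything/2.0.0.zip", "reference": "789abc"}}
    ]
}
JSON;

/** Findings about the root package's own declarations (hypothetical helper name). */
function auditRequirements(array $json): array
{
    $findings = [];
    foreach ($json['require'] ?? [] as $package => $constraint) {
        if ($constraint === '*') {
            $findings[] = "$package: '*' matches anything, including the next major, and enlarges the solver's search space";
        } elseif (strncmp($constraint, 'dev-', 4) === 0) {
            $findings[] = "$package: '$constraint' follows a branch that can change at any time, public API included";
        } elseif (strpos($constraint, '@dev') !== false) {
            $findings[] = "$package: '$constraint' lowers stability to dev; ask the maintainer to tag a release";
        }
    }
    // The root package may declare that it replaces other packages; the solver trusts that.
    foreach ($json['replace'] ?? [] as $replaced => $constraint) {
        $findings[] = "replace: root claims to provide $replaced ($constraint); make sure that is intended";
    }
    foreach ($json['repositories'] ?? [] as $repo) {
        $url = $repo['url'] ?? '';
        if ($url !== '' && parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $findings[] = "repository $url is not fetched over https";
        }
    }
    return $findings;
}

/** Findings about what the lock file pins (hypothetical helper name). */
function auditLock(array $lock): array
{
    $findings = [];
    foreach ($lock['packages'] ?? [] as $pkg) {
        $name = $pkg['name'];
        if (!isset($pkg['dist'])) {
            $findings[] = "$name: no dist archive, so it is installed by cloning source (slower, not cached)";
        } elseif (parse_url($pkg['dist']['url'], PHP_URL_SCHEME) !== 'https') {
            $findings[] = "$name: dist archive {$pkg['dist']['url']} is not fetched over https";
        }
        $reference = $pkg['dist']['reference'] ?? $pkg['source']['reference'] ?? null;
        if ($reference === null) {
            $findings[] = "$name: no commit reference recorded, the lock file cannot pin it";
        } elseif (strncmp($pkg['version'], 'dev-', 4) === 0) {
            $findings[] = "$name: branch {$pkg['version']} pinned only by the lock file (commit $reference)";
        }
    }
    return $findings;
}

$findings = array_merge(
    auditRequirements(json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR)),
    auditLock(json_decode($composerLock, true, 512, JSON_THROW_ON_ERROR))
);
foreach ($findings as $finding) {
    echo "- $finding\n";
}
```

Run it with `php audit.php` after replacing the two heredocs with `file_get_contents('composer.json')` and `file_get_contents('composer.lock')`. The lock-file checks are the reason the deck says to commit composer.lock: a branch requirement is only reproducible while the lock records the commit, and a package without a dist entry is re-cloned on every fresh install instead of being served from the zip cache.
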

  40. Only depend on what you need

  41. "require": {
    "symfony/symfony": "~2.4",
    "zendframework/zendframework": "~2.2",
    "laravel/framework": "~4.1",
    "yiisoft/yii": "dev-master"
    }

  42. • infectious

    • large packages… slow

    • needless dependencies

    • security review becomes tedious

  43. Do not mess with the vendor dir

  44. How to mess with vendor

    • custom installers (plugins)

    • custom autoloader

    • scripts

  45. Absolutely do not

  46. Absolutely do not
    • publish bugfix forks on packagist

    • use existing vendor names

    • delete tags

  47. Development workflow

  48. • found a bug in a lib? fix it locally.

    • make changes in vendor

    • test in context of your project

    • cd into vendor/foo/bar

    • fork on github, make branch, add git remote, send pull request

  49. Package Structure

  50. • autoloading: psr-0 vs psr-4 vs files

    • value of coding standards?

    • where to put tests?

    • is composer global a good idea?

    • composer is not a build tool

    • functions in php

    • component libraries

    • npm instability

  51. Debugging

  52. $ composer install
    Loading composer repositories with package information
    Installing dependencies (including require-dev)
    Your requirements could not be resolved to an installable set of packages.
    Problem 1
    - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found.
    - Conclusion: don't install illuminate/routing v4.1.16
    - Conclusion: don't install illuminate/routing v4.1.22
    - Conclusion: don't install illuminate/routing v4.1.21
    - Conclusion: don't install illuminate/routing v4.1.15
    - Conclusion: don't install illuminate/routing v4.1.14
    - Conclusion: don't install illuminate/routing v4.1.13
    - Conclusion: don't install illuminate/routing v4.1.12
    - Conclusion: don't install illuminate/routing v4.1.11
    - Conclusion: don't install illuminate/routing v4.1.10
    - Conclusion: don't install illuminate/routing v4.1.9
    - Conclusion: don't install illuminate/routing v4.1.8
    - Conclusion: don't install illuminate/routing v4.1.7
    - Conclusion: don't install illuminate/routing v4.1.6
    - Conclusion: don't install illuminate/routing v4.1.5
    - Conclusion: don't install illuminate/routing v4.1.4
    - Conclusion: don't install illuminate/routing v4.1.3
    - Conclusion: don't install illuminate/routing v4.1.2
    - Conclusion: don't install illuminate/routing v4.1.1
    - Conclusion: don't install symfony/http-foundation v2.4.2
    - Conclusion: don't install illuminate/routing v4.1.20
    - Conclusion: don't install symfony/http-foundation v2.4.1
    - Conclusion: don't install illuminate/routing v4.1.19
    - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2].
    - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
    - Conclusion: don't install symfony/http-foundation v2.4.0
    - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14,
    v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/
    framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,

  53. • Does the package name exist?

    • Is it available in the desired stability?

    • Are there conflicting constraints?

  54. {
    "require": {
    "silex/silex": "1.0.*",
    "illuminate/routing": "4.1.*"
    }
    }

  55. {
    "require": {
    "silex/silex": "~1.0",
    "illuminate/routing": "~4.1"
    }
    }
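
Slides 24-29 define the tilde operator (`~1.1` is `>=1.1,<2.0`) and warn against `*`, and slides 54-55 fix an unresolvable set by widening `1.0.*` and `4.1.*` to `~1.0` and `~4.1`. The resolver below is an added example written for this transcript, not code from the deck or from Composer's own constraint parser (composer/semver, which handles many more forms). It turns each constraint shape used on the slides into a half-open version range and picks the highest tag inside it, the way the solver prefers; the tag list is the tree from slides 26-28, constructed here as a flat array, and the function names are this example's own.

```php
<?php
// Added example, not code from the deck or from Composer itself. It handles only
// the constraint shapes the slides use ("~X.Y", "~X.Y.Z", "X.Y.*", "*", exact);
// Composer's real parser (composer/semver) covers far more.

/** "v1.2.3" -> [1, 2, 3]; missing components are zero. */
function parseVersion(string $version): array
{
    $parts = explode('.', ltrim(trim($version), 'v'));
    return array_map('intval', array_pad($parts, 3, 0));
}

/**
 * Turn a constraint into a half-open range [lower, upper).
 *   "~1.1"   => [1.1.0, 2.0.0)  the minor may move, the major may not (slide 25)
 *   "~1.1.2" => [1.1.2, 1.2.0)  only the patch may move
 *   "1.0.*"  => [1.0.0, 1.1.0)
 *   "*"      => everything, including the next major
 */
function constraintToRange(string $constraint): array
{
    $constraint = trim($constraint);
    if ($constraint === '*') {
        return [[0, 0, 0], [PHP_INT_MAX, 0, 0]];
    }
    if ($constraint !== '' && $constraint[0] === '~') {
        $parts = explode('.', substr($constraint, 1));
        $lower = array_map('intval', array_pad($parts, 3, 0));
        // The tilde lets the last written component vary and bumps the one before it.
        $upper = count($parts) <= 2
            ? [$lower[0] + 1, 0, 0]
            : [$lower[0], $lower[1] + 1, 0];
        return [$lower, $upper];
    }
    if (substr($constraint, -2) === '.*') {
        $parts = explode('.', substr($constraint, 0, -2));
        $lower = array_map('intval', array_pad($parts, 3, 0));
        $upper = count($parts) === 1
            ? [$lower[0] + 1, 0, 0]
            : [$lower[0], $lower[1] + 1, 0];
        return [$lower, $upper];
    }
    // Exact version.
    $lower = parseVersion($constraint);
    return [$lower, [$lower[0], $lower[1], $lower[2] + 1]];
}

function compareVersions(array $a, array $b): int
{
    for ($i = 0; $i < 3; $i++) {
        if ($a[$i] !== $b[$i]) {
            return $a[$i] <=> $b[$i];
        }
    }
    return 0;
}

function satisfies(string $version, string $constraint): bool
{
    [$lower, $upper] = constraintToRange($constraint);
    $v = parseVersion($version);
    return compareVersions($v, $lower) >= 0 && compareVersions($v, $upper) < 0;
}

/** The highest tag matching the constraint, which is what the solver prefers. */
function selectVersion(array $tags, string $constraint): ?string
{
    $matching = array_values(array_filter($tags, fn ($t) => satisfies($t, $constraint)));
    usort($matching, fn ($a, $b) => compareVersions(parseVersion($a), parseVersion($b)));
    return $matching === [] ? null : end($matching);
}

// The tag tree from slides 26-28, as a flat list (constructed input).
$tags = ['1.0.0', '1.0.1', '1.0.2', '1.0.3', '1.1.0', '1.1.1', '1.1.2', '1.1.3', '1.1.4',
         '1.2.0', '1.2.1', '2.0.0'];

foreach (['~1.1', '1.0.*', '~1.0', '*'] as $constraint) {
    [$lower, $upper] = constraintToRange($constraint);
    $range = $upper[0] === PHP_INT_MAX
        ? 'any version'
        : sprintf('>=%s,<%s', implode('.', $lower), implode('.', $upper));
    printf("%-6s %-14s selects %s\n", $constraint, $range, selectVersion($tags, $constraint) ?? 'nothing');
}
```

Against the slide's tag list, `~1.1` keeps every tag from 1.1.0 up to but excluding 2.0.0, which is the "range" and "selected" marking on slide 28, while `*` admits 2.0.0 and with it the BC break slide 29 warns about. `1.0.*` only admits 1.0.x patch releases, which is why the debugging slides replace it with `~1.0`: the wider range gives the solver versions that can satisfy the other package's constraints too.
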

  56. If all else fails

    • composer self-update

    • rm -rf composer.lock vendor && composer install

    • rm -rf ~/.composer/cache

  57. Performance

  58. • Tagged releases, lock file

    • Run on host (not in VM)

    • Disable xdebug

    • Use HHVM?

  59. Deployment

  60. • do not run composer update as part of your deployment

    • composer is not a build tool

    • use make, phing, ant, grunt

    • composer is not a deploy tool

    • use fabric, capistrano, rsync

  61. Security Review

  62. • responsibility for what we ship

    • includes third party deps

    • we should be reading the source

    • understand your code base, fix bugs

  63. Conclusion

  64. • Improve the stability and performance of your own projects

    • Improve the stability and quality of the entire ecosystem at the same time

    • Demand stability from the maintainers of the packages you use

  65. • Semantic Versioning
    • Tilde Operator
    • Tag Releases

  66. Questions?
    @igorwhiletrue

    igor.io

    semver.org

    getcomposer.org
