Using composer correctly (confoo)

Igor Wiedler
February 26, 2014

Transcript

  1. using correctly

  2. @igorwhiletrue

  3. None
  4. that’s me!!!!!!

  5. this thing

  6. #composer on irc.freenode.net

  7. Crash course

  8. • dependency manager for PHP since 2011
     • inspired by bundler and npm
     • manages dependencies per-project
     • what’s wrong with PEAR? everything.

  9. # composer.json
     {
         "require": {
             "silex/silex": "~1.1"
         }
     }

  10. $ composer install

  11. None
  12. • disclaimer
      • “best practices”
      • these are my opinions
      • composer is not perfect, many things can be improved, please make tickets
      • actually, send pull requests

  13. It’s about the ecosystem

  14. maintainer / consumer (User icon designed by Wilson Joseph from the Noun Project)

  15. Tag releases

  16. • tracking a moving target is really hard
      • dev-master can change at any time
      • including public APIs
      • change cannot be avoided, but at least document it
      • bonus: downloading zips is faster and composer caches them

  17. # CHANGELOG.md

      ### 1.0.1 (2014-01-09)

      * Bugfix: off-by-one error

      ### 1.0.0 (2014-01-08)

      * Initial release

  18. $ git tag v1.0.1

  19. Semantic versioning

  20. None
  21. • Major: API breaks • Minor: Features • Patch: Bugfixes

  22. • meaningful versions that describe change
      • declare a public API and never break it
      • 0.x is free-for-all, so stabilise as soon as possible
      • there is no shame in v2.0.0

  23. Tilde operator

  24. ~1.1

  25. ~1.1 >=1.1,<2.0

  26. 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

  27. 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

  28. missing features: 1.0.0 1.0.1 1.0.2 1.0.3
      selected range (~1.1): 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1
      BC break: 2.0.0

  29. • why not use *
      • it matches anything
      • you will get unexpected versions of packages and BC breaks
      • it makes composer slow (much larger search space)
      • also: branch-alias is good

  30. Security

  31. • root package (user) has full control
      • lol security fail
      • replace (fixed now)
      • custom installers
      • no signed packages
      • tls peer verification hard (wip)

  32. Stability

  33. "minimum-stability": "stable"

  34. "require": { "silex/silex": "~1.2@dev" }

  35. "require": { "foo/bar": "@dev" }

  36. "require": { "foo/bar": "@dev" }

  37. • specifying stability is annoying
      • => encourages tagging releases
      • get tagged versions
      • get cached zips

  38. Commit lock file

  39. • install from URLs without resolving deps
      • much faster
      • ensure which version gets installed
      • track changes between prod versions

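The last two points of slide 39, "ensure which version gets installed" and "track changes between prod versions", are what a committed composer.lock buys you. The script below is an added example, not code from the talk or from Composer: it diffs two lock documents and lists the packages a deployment would add, remove or change. The two lock documents, their package names, versions, URLs and dist references are constructed samples written in the real composer.lock layout ("packages" and "packages-dev" lists whose entries carry "name", "version" and "dist.reference"). It also flags a package whose version string is unchanged but whose dist reference moved, which is exactly the kind of silent upstream change a lock file makes visible.

```python
"""Diff two composer.lock documents and report what a deployment would change.

Added example for the "commit lock file" slide; not code from the talk or from
Composer.  The lock documents below are constructed samples in composer.lock
layout; every package name, version, URL and reference in them is made up.
"""
import json
from typing import Dict, List, Optional, Tuple


def _pkg(name: str, version: str, reference: str) -> dict:
    """Build one constructed lock entry in composer.lock shape."""
    return {
        "name": name,
        "version": version,
        "dist": {
            "type": "zip",
            "url": f"https://example.invalid/{name}/{version}.zip",  # placeholder URL
            "reference": reference,
        },
    }


# Constructed: the lock committed with the previous production release.
OLD_LOCK = json.dumps({
    "packages": [
        _pkg("silex/silex", "v1.1.2", "aaaa1111"),
        _pkg("symfony/http-foundation", "v2.4.1", "bbbb2222"),
        _pkg("example/retagged-lib", "v1.0.0", "cccc3333"),
    ],
    "packages-dev": [
        _pkg("phpunit/phpunit", "3.7.28", "dddd4444"),
    ],
})

# Constructed: the lock about to be deployed.
NEW_LOCK = json.dumps({
    "packages": [
        _pkg("silex/silex", "v1.2.0", "eeee5555"),
        _pkg("symfony/http-foundation", "v2.4.1", "bbbb2222"),
        # same version string as before, but the tag now points at another commit
        _pkg("example/retagged-lib", "v1.0.0", "ffff6666"),
        _pkg("monolog/monolog", "1.7.0", "abab7777"),
    ],
    "packages-dev": [],
})

Pinned = Tuple[str, Optional[str]]  # (version, dist reference)


def index_packages(lock_text: str, include_dev: bool = True) -> Dict[str, Pinned]:
    """Map package name -> (version, reference) for every package a lock pins."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {
        pkg["name"]: (pkg["version"], pkg.get("dist", {}).get("reference"))
        for section in sections
        for pkg in lock.get(section, [])
    }


def diff_lock(old_text: str, new_text: str, include_dev: bool = True) -> dict:
    """Return added, removed and changed packages between two lock documents.

    A package counts as changed when its version or its dist reference differs;
    an unchanged version with a new reference means the upstream tag was moved.
    """
    old = index_packages(old_text, include_dev)
    new = index_packages(new_text, include_dev)
    changed: List[dict] = []
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            changed.append({
                "name": name,
                "old_version": old[name][0], "new_version": new[name][0],
                "old_reference": old[name][1], "new_reference": new[name][1],
                "retagged": old[name][0] == new[name][0],
            })
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


def format_report(report: dict) -> str:
    """Human-readable summary for a deploy log or review checklist."""
    lines = [f"+ {n}" for n in report["added"]]
    lines += [f"- {n}" for n in report["removed"]]
    for c in report["changed"]:
        flag = "  !! same version, different commit" if c["retagged"] else ""
        lines.append(f"~ {c['name']}: {c['old_version']} -> {c['new_version']}{flag}")
    return "\n".join(lines) if lines else "no dependency changes"


if __name__ == "__main__":
    print(format_report(diff_lock(OLD_LOCK, NEW_LOCK)))
```

Run it against the two committed lock files of consecutive releases (for example via `git show` of the previous tag) before a deploy; anything marked `!!` deserves a look at the upstream repository, because the same version string now resolves to different code.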
  40. Only depend on what you need

  41. "require": {
          "symfony/symfony": "~2.4",
          "zendframework/zendframework": "~2.2",
          "laravel/framework": "~4.1",
          "yiisoft/yii": "dev-master"
      }

  42. • infectious
      • large packages… slow
      • needless dependencies
      • security review becomes tedious

  43. Do not mess with the vendor dir

  44. How to mess with vendor
      • custom installers (plugins)
      • custom autoloader
      • scripts

  45. Absolutely do not

  46. Absolutely do not
      • publish bugfix forks on packagist
      • use existing vendor names
      • delete tags

  47. Development workflow

  48. • found a bug in a lib? fix it locally.
      • make changes in vendor
      • test in context of your project
      • cd into vendor/foo/bar
      • fork on github, make branch, add git remote, send pull request

  49. Package Structure

  50. • autoloading: psr-0 vs psr-4 vs files
      • value of coding standards?
      • where to put tests?
      • is composer global a good idea?
      • composer is not a build tool
      • functions in php
      • component libraries
      • npm instability

  51. Debugging

  52. $ composer install
      Loading composer repositories with package information
      Installing dependencies (including require-dev)
      Your requirements could not be resolved to an installable set of packages.

        Problem 1
          - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found.
          - Conclusion: don't install illuminate/routing v4.1.16
          - Conclusion: don't install illuminate/routing v4.1.22
          - Conclusion: don't install illuminate/routing v4.1.21
          - Conclusion: don't install illuminate/routing v4.1.15
          - Conclusion: don't install illuminate/routing v4.1.14
          - Conclusion: don't install illuminate/routing v4.1.13
          - Conclusion: don't install illuminate/routing v4.1.12
          - Conclusion: don't install illuminate/routing v4.1.11
          - Conclusion: don't install illuminate/routing v4.1.10
          - Conclusion: don't install illuminate/routing v4.1.9
          - Conclusion: don't install illuminate/routing v4.1.8
          - Conclusion: don't install illuminate/routing v4.1.7
          - Conclusion: don't install illuminate/routing v4.1.6
          - Conclusion: don't install illuminate/routing v4.1.5
          - Conclusion: don't install illuminate/routing v4.1.4
          - Conclusion: don't install illuminate/routing v4.1.3
          - Conclusion: don't install illuminate/routing v4.1.2
          - Conclusion: don't install illuminate/routing v4.1.1
          - Conclusion: don't install symfony/http-foundation v2.4.2
          - Conclusion: don't install illuminate/routing v4.1.20
          - Conclusion: don't install symfony/http-foundation v2.4.1
          - Conclusion: don't install illuminate/routing v4.1.19
          - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2].
          - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
          - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
          - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2].
          - Conclusion: don't install symfony/http-foundation v2.4.0
          - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,

  53. • Does the package name exist?
      • Is it available in the desired stability?
      • Are there conflicting constraints?

  54. {
          "require": {
              "silex/silex": "1.0.*",
              "illuminate/routing": "4.1.*"
          }
      }

  55. {
          "require": {
              "silex/silex": "~1.0",
              "illuminate/routing": "~4.1"
          }
      }
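The constraint translation on slides 24 and 25 and the fix on slides 54 and 55 (loosening silex/silex from 1.0.* to ~1.0 so the resolver has room to agree on a symfony/http-foundation version) can be modelled in a few lines. The Python below is an added example, not code from the talk or from Composer's own solver: it translates ~ and .* constraints into version ranges, checks them against the version line from slides 26 to 28, and runs a small backtracking resolver over a constructed mini-repository (REPO) whose requirements are made up to reproduce the shape of the conflict on slide 52; it is not real package metadata, and stability flags are not modelled. It goes beyond the slides by also handling three-component tilde constraints such as ~1.1.2 and single-component ones such as ~1.

```python
"""Composer "~" and ".*" constraints modelled in Python, with a brute-force
resolver over a constructed mini-repository.

Added example for the tilde-operator and Debugging slides; not code from the
talk or from Composer.  REPO is constructed to reproduce the shape of the
conflict in the error output and is not real package metadata; stability
suffixes such as -dev are not modelled.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Repo = Dict[str, Dict[str, Dict[str, str]]]  # name -> version -> its requires


def parse_version(text: str) -> Version:
    """'v1.2' or '1.2.3' -> (1, 2, 3); missing components are zero."""
    parts = [int(p) for p in text.lstrip("v").split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def constraint_to_range(constraint: str) -> Tuple[Version, Version]:
    """Translate a constraint into [lower, upper) bounds.

    ~1.1   -> >=1.1.0 <2.0.0   (new minors allowed, the next major is not)
    ~1.1.2 -> >=1.1.2 <1.2.0   (patch releases only)
    1.0.*  -> >=1.0.0 <1.1.0
    """
    c = constraint.strip()
    if c.startswith("~"):
        parts = [int(p) for p in c[1:].split(".")]
        bump = parts[:-1] if len(parts) > 1 else parts  # ~ bumps the component before the last one given
    elif c.endswith(".*"):
        parts = [int(p) for p in c[:-2].split(".")]
        bump = parts  # .* bumps the last fixed component
    else:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    upper = bump[:-1] + [bump[-1] + 1]
    return parse_version(".".join(map(str, parts))), parse_version(".".join(map(str, upper)))


def satisfies(constraint: str, version: str) -> bool:
    lower, upper = constraint_to_range(constraint)
    return lower <= parse_version(version) < upper


def matching_versions(constraint: str, available: List[str]) -> List[str]:
    """The subset of `available` that a constraint lets Composer pick from."""
    return [v for v in available if satisfies(constraint, v)]


# The version line from slides 26-28.
DECK_VERSIONS = ["1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.1.1", "1.1.2",
                 "1.1.3", "1.1.4", "1.2.0", "1.2.1", "2.0.0"]

# Constructed mini-repository: package -> version -> requirements (made up).
REPO: Repo = {
    "silex/silex": {
        "v1.0.0": {"symfony/http-foundation": "2.3.*"},
        "v1.0.1": {"symfony/http-foundation": "2.3.*"},
        "v1.0.2": {"symfony/http-foundation": "2.3.*"},
        "v1.1.0": {"symfony/http-foundation": "2.4.*"},
        "v1.2.0": {"symfony/http-foundation": "~2.4"},
    },
    "illuminate/routing": {
        "v4.1.0": {"symfony/http-foundation": "2.4.*"},
        "v4.1.22": {"symfony/http-foundation": "2.4.*"},
    },
    "symfony/http-foundation": {"v2.3.9": {}, "v2.4.0": {}, "v2.4.1": {}, "v2.4.2": {}},
}


def resolve(root_requires: Dict[str, str], repo: Repo) -> Optional[Dict[str, str]]:
    """Depth-first search for one version per package satisfying every constraint.

    Returns None when no combination works ("could not be resolved").  Newest
    versions are tried first; an unknown package name has no candidates at all.
    """
    def search(chosen: Dict[str, str], pending: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
        for name, constraints in pending.items():
            if name not in chosen:
                break
            if not all(satisfies(c, chosen[name]) for c in constraints):
                return None  # an earlier pick conflicts with a constraint added later
        else:
            return chosen  # everything pending is chosen and consistent
        for version in sorted(repo.get(name, {}), key=parse_version, reverse=True):
            if not all(satisfies(c, version) for c in pending[name]):
                continue
            next_pending = {k: list(v) for k, v in pending.items()}
            for dep, constraint in repo[name][version].items():
                next_pending.setdefault(dep, []).append(constraint)
            found = search({**chosen, name: version}, next_pending)
            if found is not None:
                return found
        return None

    return search({}, {name: [c] for name, c in root_requires.items()})


if __name__ == "__main__":
    print("~1.1 selects:", matching_versions("~1.1", DECK_VERSIONS))
    print("1.0.* + 4.1.* ->", resolve({"silex/silex": "1.0.*", "illuminate/routing": "4.1.*"}, REPO))
    print("~1.0  + ~4.1  ->", resolve({"silex/silex": "~1.0", "illuminate/routing": "~4.1"}, REPO))
```

With the slide 54 constraints every silex/silex 1.0.x candidate pins symfony/http-foundation to 2.3.*, while every illuminate/routing 4.1.x candidate wants 2.4.*, so the search exhausts its options and returns None; with the slide 55 constraints the resolver is free to pick a newer silex/silex and the ranges overlap. The third question on slide 53, "are there conflicting constraints?", is exactly what the backtracking is doing.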

  56. If all else fails
      • composer self-update
      • rm -rf composer.lock vendor && composer install
      • rm -rf ~/.composer/cache

  57. Performance

  58. • Tagged releases, lock file
      • Run on host (not in VM)
      • Disable xdebug
      • Use HHVM?

  59. Deployment

  60. • do not run composer update as part of your deployment
      • composer is not a build tool
      • use make, phing, ant, grunt
      • composer is not a deploy tool
      • use fabric, capistrano, rsync

  61. Security Review

  62. • responsibility for what we ship
      • includes third party deps
      • we should be reading the source
      • understand your code base, fix bugs

  63. Conclusion

  64. • Improve the stability and performance of your own projects
      • Improve the stability and quality of the entire ecosystem at the same time
      • Demand stability from the maintainers of the packages you use

  65. • Semantic Versioning • Tilde Operator • Tag Releases

  66. Questions? @igorwhiletrue igor.io semver.org getcomposer.org