Using composer correctly (confoo)

Transcript

1. using correctly

2. @igorwhiletrue

3. None

4. that’s me!!!!!!

5. this thing

6. #composer on irc.freenode.net

7. Crash course

8. • dependency manager for PHP since 2011 • inspired by

   bundler and npm • manages dependencies per-project • what’s wrong with PEAR? everything.

9. # composer.json { "require": { "silex/silex": "~1.1" } }

10. $ composer install

11. None

12. • disclaimer • “best practices” • these are my opinions

    • composer is not perfect, many things can be improved, please make tickets • actually, send pull requests

13. It’s about the ecosystem

14. User designed by Wilson Joseph from the Noun Project maintainer

    consumer

15. Tag releases

16. • tracking a moving target is really hard • dev-master

    can change at any time • including public APIs • change cannot be avoided, but at least document it • bonus: downloading zips is faster and composer caches them

17. # CHANGELOG.md ! ### 1.0.1 (2014-01-09) ! * Bugfix: off-by-one

    error ! ### 1.0.0 (2014-01-08) ! * Initial release

18. $ git tag v1.0.1

19. Semantic versioning

20. None

21. • Major: API breaks • Minor: Features • Patch: Bugfixes

22. • meaningful versions that describe change • declare a public

    API and never break it • 0.x is free-for-all, so stabilise as soon as possible • there is no shame in v2.0.0

23. Tilde operator

24. ~1.1

25. ~1.1 >=1.1,<2.0

26. 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0

    1.2.1 2.0.0

27. 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0

    1.2.1 2.0.0

28. 1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0

    1.2.1 2.0.0 selected range missing features BC break

29. • why not use * • it matches anything •

    you will get unexpected versions of packages and BC breaks • it makes composer slow (much larger search space) • also: branch-alias is good

30. Security

31. • root package (user) has full control • lol security

    fail • replace (fixed now) • custom installers • no signed packages • tls peer verification hard (wip)

32. Stability

33. "minimum-stability": "stable"

34. "require": { "silex/silex": "~1.2@dev" }

35. "require": { "foo/bar": "@dev" }

36. "require": { "foo/bar": "@dev" }

37. • specifying stability is annoying • => encourages tagging releases

    • get tagged versions • get cached zips

38. Commit lock file

39. • install from URLs without resolving deps • much faster

    • ensure which version gets installed • track changes between prod versions

40. Only depend on what you need

41. "require": { "symfony/symfony": "~2.4", "zendframework/zendframework": "~2.2", "laravel/framework": "~4.1", "yiisoft/yii": "dev-master"

    }

42. • infectious • large packages… slow • needless dependencies •

    security review becomes tedious

43. Do not mess with the vendor dir

44. How to mess with vendor • custom installers (plugins) •

    custom autoloader • scripts

45. Absolutely do not

46. Absolutely do not • publish bugfix forks on packagist •

    use existing vendor names • delete tags

47. Development workflow

48. • found a bug in a lib? fix it locally.

    • make changes in vendor • test in context of your project • cd into vendor/foo/bar • fork on github, make branch, add git remote, send pull request

49. Package Structure

50. • autoloading: psr-0 vs psr-4 vs files • value of

    coding standards? • where to put tests? • is composer global a good idea? • composer is not a build tool • functions in php • component libraries • npm instability

51. Debugging

52. $ composer install Loading composer repositories with package information Installing

    dependencies (including require-dev) Your requirements could not be resolved to an installable set of packages. ! Problem 1 - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found. - Conclusion: don't install illuminate/routing v4.1.16 - Conclusion: don't install illuminate/routing v4.1.22 - Conclusion: don't install illuminate/routing v4.1.21 - Conclusion: don't install illuminate/routing v4.1.15 - Conclusion: don't install illuminate/routing v4.1.14 - Conclusion: don't install illuminate/routing v4.1.13 - Conclusion: don't install illuminate/routing v4.1.12 - Conclusion: don't install illuminate/routing v4.1.11 - Conclusion: don't install illuminate/routing v4.1.10 - Conclusion: don't install illuminate/routing v4.1.9 - Conclusion: don't install illuminate/routing v4.1.8 - Conclusion: don't install illuminate/routing v4.1.7 - Conclusion: don't install illuminate/routing v4.1.6 - Conclusion: don't install illuminate/routing v4.1.5 - Conclusion: don't install illuminate/routing v4.1.4 - Conclusion: don't install illuminate/routing v4.1.3 - Conclusion: don't install illuminate/routing v4.1.2 - Conclusion: don't install illuminate/routing v4.1.1 - Conclusion: don't install symfony/http-foundation v2.4.2 - Conclusion: don't install illuminate/routing v4.1.20 - Conclusion: don't install symfony/http-foundation v2.4.1 - Conclusion: don't install illuminate/routing v4.1.19 - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2]. - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - Conclusion: don't install symfony/http-foundation v2.4.0 - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/ framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,

53. • Does the package name exist? • Is it available

    in the desired stability? • Are there conflicting constraints?

54. { "require": { "silex/silex": "1.0.*", "illuminate/routing": "4.1.*" } }

55. { "require": { "silex/silex": "~1.0", "illuminate/routing": "~4.1" } }

56. If all else fails • composer self-update • rm -rf

    composer.lock vendor && composer install • rm -rf ~/.composer/cache

57. Performance

58. • Tagged releases, lock file • Run on host (not

    in VM) • Disable xdebug • Use HHVM?

59. Deployment

60. • do not run composer update as part of your

    deployment • composer is not a build tool • use make, phing, ant, grunt • composer is not a deploy tool • use fabric, capistrano, rsync

61. Security Review

62. • responsibility for what we ship • includes third party

    deps • we should be reading the source • understand your code base, fix bugs

63. Conclusion

64. • Improve the stability and performance of your own projects

    • Improve the stability and quality of the entire ecosystem at the same time • Demand stability from the maintainers of the packages you use

65. • Semantic Versioning • Tilde Operator • Tag Releases

66. Questions? @igorwhiletrue igor.io semver.org getcomposer.org