Slide 1

Slide 1 text

using correctly

Slide 2

Slide 2 text

@igorwhiletrue

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

that’s me!!!!!!

Slide 5

Slide 5 text

this thing

Slide 6

Slide 6 text

#composer on irc.freenode.net

Slide 7

Slide 7 text

Crash course

Slide 8

Slide 8 text

• dependency manager for PHP since 2011 • inspired by bundler and npm • manages dependencies per-project • what’s wrong with PEAR? everything.

Slide 9

Slide 9 text

# composer.json { "require": { "silex/silex": "~1.1" } }

Slide 10

Slide 10 text

$ composer install

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

• disclaimer • “best practices” • these are my opinions • composer is not perfect, many things can be improved, please make tickets • actually, send pull requests

Slide 13

Slide 13 text

It’s about the ecosystem

Slide 14

Slide 14 text

User designed by Wilson Joseph from the Noun Project maintainer consumer

Slide 15

Slide 15 text

Tag releases

Slide 16

Slide 16 text

• tracking a moving target is really hard • dev-master can change at any time • including public APIs • change cannot be avoided, but at least document it • bonus: downloading zips is faster and composer caches them

Slide 17

Slide 17 text

# CHANGELOG.md ! ### 1.0.1 (2014-01-09) ! * Bugfix: off-by-one error ! ### 1.0.0 (2014-01-08) ! * Initial release

Slide 18

Slide 18 text

$ git tag v1.0.1

Slide 19

Slide 19 text

Semantic versioning

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

• Major: API breaks • Minor: Features • Patch: Bugfixes

Slide 22

Slide 22 text

• meaningful versions that describe change • declare a public API and never break it • 0.x is free-for-all, so stabilise as soon as possible • there is no shame in v2.0.0

Slide 23

Slide 23 text

Tilde operator

Slide 24

Slide 24 text

~1.1

Slide 25

Slide 25 text

~1.1 >=1.1,<2.0

Slide 26

Slide 26 text

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

Slide 27

Slide 27 text

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

Slide 28

Slide 28 text

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0 selected range missing features BC break

Slide 29

Slide 29 text

• why not use * • it matches anything • you will get unexpected versions of packages and BC breaks • it makes composer slow (much larger search space) • also: branch-alias is good

Slide 30

Slide 30 text

Security

Slide 31

Slide 31 text

• root package (user) has full control • lol security fail • replace (fixed now) • custom installers • no signed packages • tls peer verification hard (wip)

Slide 32

Slide 32 text

Stability

Slide 33

Slide 33 text

"minimum-stability": "stable"

Slide 34

Slide 34 text

"require": { "silex/silex": "~1.2@dev" }

Slide 35

Slide 35 text

"require": { "foo/bar": "@dev" }

Slide 36

Slide 36 text

"require": { "foo/bar": "@dev" }

Slide 37

Slide 37 text

• specifying stability is annoying • => encourages tagging releases • get tagged versions • get cached zips

Slide 38

Slide 38 text

Commit lock file

Slide 39

Slide 39 text

• install from URLs without resolving deps • much faster • ensure which version gets installed • track changes between prod versions

Slide 40

Slide 40 text

Only depend on what you need

Slide 41

Slide 41 text

"require": { "symfony/symfony": "~2.4", "zendframework/zendframework": "~2.2", "laravel/framework": "~4.1", "yiisoft/yii": "dev-master" }

Slide 42

Slide 42 text

• infectious • large packages… slow • needless dependencies • security review becomes tedious

Slide 43

Slide 43 text

Do not mess with the vendor dir

Slide 44

Slide 44 text

How to mess with vendor • custom installers (plugins) • custom autoloader • scripts

Slide 45

Slide 45 text

Absolutely do not

Slide 46

Slide 46 text

Absolutely do not • publish bugfix forks on packagist • use existing vendor names • delete tags

Slide 47

Slide 47 text

Development workflow

Slide 48

Slide 48 text

• found a bug in a lib? fix it locally. • make changes in vendor • test in context of your project • cd into vendor/foo/bar • fork on github, make branch, add git remote, send pull request

Slide 49

Slide 49 text

Package Structure

Slide 50

Slide 50 text

• autoloading: psr-0 vs psr-4 vs files • value of coding standards? • where to put tests? • is composer global a good idea? • composer is not a build tool • functions in php • component libraries • npm instability

Slide 51

Slide 51 text

Debugging

Slide 52

Slide 52 text

$ composer install Loading composer repositories with package information Installing dependencies (including require-dev) Your requirements could not be resolved to an installable set of packages. ! Problem 1 - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found. - Conclusion: don't install illuminate/routing v4.1.16 - Conclusion: don't install illuminate/routing v4.1.22 - Conclusion: don't install illuminate/routing v4.1.21 - Conclusion: don't install illuminate/routing v4.1.15 - Conclusion: don't install illuminate/routing v4.1.14 - Conclusion: don't install illuminate/routing v4.1.13 - Conclusion: don't install illuminate/routing v4.1.12 - Conclusion: don't install illuminate/routing v4.1.11 - Conclusion: don't install illuminate/routing v4.1.10 - Conclusion: don't install illuminate/routing v4.1.9 - Conclusion: don't install illuminate/routing v4.1.8 - Conclusion: don't install illuminate/routing v4.1.7 - Conclusion: don't install illuminate/routing v4.1.6 - Conclusion: don't install illuminate/routing v4.1.5 - Conclusion: don't install illuminate/routing v4.1.4 - Conclusion: don't install illuminate/routing v4.1.3 - Conclusion: don't install illuminate/routing v4.1.2 - Conclusion: don't install illuminate/routing v4.1.1 - Conclusion: don't install symfony/http-foundation v2.4.2 - Conclusion: don't install illuminate/routing v4.1.20 - Conclusion: don't install symfony/http-foundation v2.4.1 - Conclusion: don't install illuminate/routing v4.1.19 - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2]. - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - Conclusion: don't install symfony/http-foundation v2.4.0 - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/ framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,

Slide 53

Slide 53 text

• Does the package name exist? • Is it available in the desired stability? • Are there conflicting constraints?

Slide 54

Slide 54 text

{ "require": { "silex/silex": "1.0.*", "illuminate/routing": "4.1.*" } }

Slide 55

Slide 55 text

{ "require": { "silex/silex": "~1.0", "illuminate/routing": "~4.1" } }

Slide 56

Slide 56 text

If all else fails • composer self-update • rm -rf composer.lock vendor && composer install • rm -rf ~/.composer/cache

Slide 57

Slide 57 text

Performance

Slide 58

Slide 58 text

• Tagged releases, lock file • Run on host (not in VM) • Disable xdebug • Use HHVM?

Slide 59

Slide 59 text

Deployment

Slide 60

Slide 60 text

• do not run composer update as part of your deployment • composer is not a build tool • use make, phing, ant, grunt • composer is not a deploy tool • use fabric, capistrano, rsync

Slide 61

Slide 61 text

Security Review

Slide 62

Slide 62 text

• responsibility for what we ship • includes third party deps • we should be reading the source • understand your code base, fix bugs

Slide 63

Slide 63 text

Conclusion

Slide 64

Slide 64 text

• Improve the stability and performance of your own projects • Improve the stability and quality of the entire ecosystem at the same time • Demand stability from the maintainers of the packages you use

Slide 65

Slide 65 text

• Semantic Versioning • Tilde Operator • Tag Releases

Slide 66

Slide 66 text

Questions? @igorwhiletrue igor.io semver.org getcomposer.org