using correctly

@igorwhiletrue

No content

that’s me!!!!!!

this thing

#composer on irc.freenode.net

Crash course

• dependency manager for PHP since 2011 • inspired by bundler and npm • manages dependencies per-project • what’s wrong with PEAR? everything.

# composer.json { "require": { "silex/silex": "~1.1" } }

$ composer install

No content

• disclaimer • “best practices” • these are my opinions • composer is not perfect, many things can be improved, please make tickets • actually, send pull requests

It’s about the ecosystem

User designed by Wilson Joseph from the Noun Project maintainer consumer

Tag releases

• tracking a moving target is really hard • dev-master can change at any time • including public APIs • change cannot be avoided, but at least document it • bonus: downloading zips is faster and composer caches them

# CHANGELOG.md ! ### 1.0.1 (2014-01-09) ! * Bugfix: off-by-one error ! ### 1.0.0 (2014-01-08) ! * Initial release

$ git tag v1.0.1

Semantic versioning

No content

• Major: API breaks • Minor: Features • Patch: Bugfixes

• meaningful versions that describe change • declare a public API and never break it • 0.x is free-for-all, so stabilise as soon as possible • there is no shame in v2.0.0

Tilde operator

~1.1

~1.1 >=1.1,<2.0

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0

1.0.0 1.0.1 1.0.2 1.0.3 1.1.0 1.1.1 1.1.2 1.1.3 1.1.4 1.2.0 1.2.1 2.0.0 selected range missing features BC break

• why not use * • it matches anything • you will get unexpected versions of packages and BC breaks • it makes composer slow (much larger search space) • also: branch-alias is good

Security

• root package (user) has full control • lol security fail • replace (fixed now) • custom installers • no signed packages • tls peer verification hard (wip)

Stability

"minimum-stability": "stable"

"require": { "silex/silex": "~1.2@dev" }

"require": { "foo/bar": "@dev" }

"require": { "foo/bar": "@dev" }

• specifying stability is annoying • => encourages tagging releases • get tagged versions • get cached zips

Commit lock file

• install from URLs without resolving deps • much faster • ensure which version gets installed • track changes between prod versions

Only depend on what you need

"require": { "symfony/symfony": "~2.4", "zendframework/zendframework": "~2.2", "laravel/framework": "~4.1", "yiisoft/yii": "dev-master" }

• infectious • large packages… slow • needless dependencies • security review becomes tedious

Do not mess with the vendor dir

How to mess with vendor • custom installers (plugins) • custom autoloader • scripts

Absolutely do not

Absolutely do not • publish bugfix forks on packagist • use existing vendor names • delete tags

Development workflow

• found a bug in a lib? fix it locally. • make changes in vendor • test in context of your project • cd into vendor/foo/bar • fork on github, make branch, add git remote, send pull request

Package Structure

• autoloading: psr-0 vs psr-4 vs files • value of coding standards? • where to put tests? • is composer global a good idea? • composer is not a build tool • functions in php • component libraries • npm instability

Debugging

$ composer install Loading composer repositories with package information Installing dependencies (including require-dev) Your requirements could not be resolved to an installable set of packages. ! Problem 1 - laravel/framework v4.1.9 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.8 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.7 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.6 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.5 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.4 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.3 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.22 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.21 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.20 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.2 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.19 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.18 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.17 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.16 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.15 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.14 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.13 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.12 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.11 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.10 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.1 requires classpreloader/classpreloader 1.0.* -> no matching package found. - laravel/framework v4.1.0 requires classpreloader/classpreloader 1.0.* -> no matching package found. - Conclusion: don't install illuminate/routing v4.1.16 - Conclusion: don't install illuminate/routing v4.1.22 - Conclusion: don't install illuminate/routing v4.1.21 - Conclusion: don't install illuminate/routing v4.1.15 - Conclusion: don't install illuminate/routing v4.1.14 - Conclusion: don't install illuminate/routing v4.1.13 - Conclusion: don't install illuminate/routing v4.1.12 - Conclusion: don't install illuminate/routing v4.1.11 - Conclusion: don't install illuminate/routing v4.1.10 - Conclusion: don't install illuminate/routing v4.1.9 - Conclusion: don't install illuminate/routing v4.1.8 - Conclusion: don't install illuminate/routing v4.1.7 - Conclusion: don't install illuminate/routing v4.1.6 - Conclusion: don't install illuminate/routing v4.1.5 - Conclusion: don't install illuminate/routing v4.1.4 - Conclusion: don't install illuminate/routing v4.1.3 - Conclusion: don't install illuminate/routing v4.1.2 - Conclusion: don't install illuminate/routing v4.1.1 - Conclusion: don't install symfony/http-foundation v2.4.2 - Conclusion: don't install illuminate/routing v4.1.20 - Conclusion: don't install symfony/http-foundation v2.4.1 - Conclusion: don't install illuminate/routing v4.1.19 - Installation request for silex/silex 1.0.* -> satisfiable by silex/silex[v1.0.0, v1.0.1, v1.0.2]. - illuminate/routing v4.1.0 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.17 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - illuminate/routing v4.1.18 requires symfony/http-foundation 2.4.* -> satisfiable by symfony/http-foundation[v2.4.0, v2.4.1, v2.4.2]. - Conclusion: don't install symfony/http-foundation v2.4.0 - Installation request for illuminate/routing 4.1.* -> satisfiable by illuminate/routing[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22, v4.1.3, v4.1.4, v4.1.5, v4.1.6, v4.1.7, v4.1.8, v4.1.9], laravel/ framework[v4.1.0, v4.1.1, v4.1.10, v4.1.11, v4.1.12, v4.1.13, v4.1.14, v4.1.15, v4.1.16, v4.1.17, v4.1.18, v4.1.19, v4.1.2, v4.1.20, v4.1.21, v4.1.22,

• Does the package name exist? • Is it available in the desired stability? • Are there conflicting constraints?

{ "require": { "silex/silex": "1.0.*", "illuminate/routing": "4.1.*" } }

{ "require": { "silex/silex": "~1.0", "illuminate/routing": "~4.1" } }

If all else fails • composer self-update • rm -rf composer.lock vendor && composer install • rm -rf ~/.composer/cache

Performance

• Tagged releases, lock file • Run on host (not in VM) • Disable xdebug • Use HHVM?

Deployment

• do not run composer update as part of your deployment • composer is not a build tool • use make, phing, ant, grunt • composer is not a deploy tool • use fabric, capistrano, rsync

Security Review

• responsibility for what we ship • includes third party deps • we should be reading the source • understand your code base, fix bugs

Conclusion

• Improve the stability and performance of your own projects • Improve the stability and quality of the entire ecosystem at the same time • Demand stability from the maintainers of the packages you use

• Semantic Versioning • Tilde Operator • Tag Releases

Questions? @igorwhiletrue igor.io semver.org getcomposer.org