Composer: Stability and Semantic Versioning Demystified (Madison PHP)

Composer: Stability and
Semantic Versioning Demystiﬁed
Madison PHP
November 16th, 2013

View Slide

@beausimensen
simensen on Freenode
#composer
#madisonphp

View Slide

View Slide

Dependency Manager
for PHP

View Slide

https://packagist.org

View Slide

Over 19,000 Packages

View Slide

composer.json

View Slide

{
“name”: “acme/my-project”,
“description”: “Acme’s My Project”,
“license”: “MIT”,
“require”: {
“silex/silex”: “1.1.*”
},
“autoload”: {
“psr-0”: {
“Acme\\MyProject\\”: “src”
}
}
}

View Slide

$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev)
- Installing psr/log (1.0.0)
- Installing symfony/routing (v2.3.7)
- Installing symfony/debug (v2.3.7)
- Installing symfony/http-foundation (v2.3.7)
- Installing symfony/event-dispatcher (v2.3.7)
- Installing symfony/http-kernel (v2.3.7)
- Installing pimple/pimple (v1.1.0)
- Installing silex/silex (v1.1.2)
Writing lock file
Generating autoload files
$

View Slide

Semantic Versioning
http://semver.org/

View Slide

MAJOR.MINOR.PATCH

View Slide

MAJOR.MINOR.PATCH
Which number do you increment and why?

View Slide

MAJOR.MINOR.PATCH
When you make API incompatible changes

View Slide

MAJOR.MINOR.PATCH
When you add backwards-compatible functionality

View Slide

MAJOR.MINOR.PATCH
When you make backwards-compatible bug ﬁxes

View Slide

Pre-Release Identiﬁers
(Composer “Stability”)
•1.0.0-alpha
•1.0.0-beta.1
•1.0.0-RC2
•1.0.0 (stable)

View Slide

Version Constraints

View Slide

Exact Versions
1.0.2

View Slide

Ranges
>=1.0,<2.0

View Slide

Wildcards
1.0.*

View Slide

Next Signiﬁcant Release
Tilde Operator

View Slide

~1.2
>=1.2,<2.0

View Slide

~1.2.3
>=1.2.3,<1.3

View Slide

Let’s You Know What
You Are Getting Into

View Slide

Safe
1.3.*
Only get bug ﬁxes.

View Slide

Reasonably Safe
1.*
Get bug ﬁxes and new features.

View Slide

Crazy Sauce
*
Composer allows this, but don’t. Just don’t.

View Slide

Other Version Schemes
Can Be Used
But don’t expect Composer to read your mind and do
anything smart with them.

View Slide

Version Constraint
Considerations

View Slide

If the dependency speciﬁcations are too tight,
you are in danger of version lock (the inability to
upgrade a package without having to release new
versions of every dependent package).
— Semantic Versioning
http://semver.org/

View Slide

If dependencies are speciﬁed too loosely, you will
inevitably be bitten by version promiscuity
(assuming compatibility with more future
versions than is reasonable).
— Semantic Versioning
http://semver.org/

View Slide

Deep Dependency
Resolution

View Slide

{
“name”: “silex/silex”,
“require”: {
“pimple/pimple”: “1.*”
}
}

View Slide

{
“require”: {
}
}
{
“name”: “dflydev/doctrine-orm-service-provider”,
“require”: {
“pimple/pimple”: “1.*”,
“doctrine/orm”: “~2.3”
}
}

View Slide

{
“require”: {
“dflydev/doctrine-orm-service-provider”: “1.0.*”,
“silex/silex”: “1.1.*”,
“pimple/pimple”: “1.0.*”,
“doctrine/orm”: “2.4.*”
}
}
{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “1.*”,
}
}

View Slide

Conﬂicts

View Slide

{
"require": {
"silex/silex": "1.1.*",
"pimple/pimple": "2.0.*@dev"
}
}

View Slide

$ composer install
Your requirements could not be resolved to an installable set of packages.
Problem 1
- silex/silex v1.1.0 requires pimple/pimple 1.*
-> satisfiable by pimple/pimple[1.0.0, 1.1.x-dev, v1.0.1, v1.0.2, v1.1.0].
- silex/silex v1.1.1 requires pimple/pimple 1.*
- silex/silex v1.1.2 requires pimple/pimple ~1.0
- Can only install one of: pimple/pimple[2.0.x-dev, 1.0.0].
- Can only install one of: pimple/pimple[2.0.x-dev, 1.1.x-dev].
- Can only install one of: pimple/pimple[v1.0.1, 2.0.x-dev].
- Installation request for pimple/pimple 2.0.*@dev
-> satisfiable by pimple/pimple[2.0.x-dev].
- Installation request for silex/silex 1.1.*
-> satisfiable by silex/silex[v1.1.0, v1.1.1, v1.1.2].
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your
minimum-stability setting.

View Slide

Where Do Versions
Come From?

View Slide

Tags and Branches
git, mercurial, subversion

View Slide

Tags

View Slide

Tags
If it can be parsed for semantic versioning, awesome.

View Slide

Tags
If it cannot be parsed for semantic versioning, it is
treated as if it were an “exact” version.

View Slide

v2.0.1
2.0.1
(2.0.*)

View Slide

2.0.1
2.0.1
(2.0.*)

View Slide

2.0.1-RC1
2.0.1-RC1
(2.0.*@RC)

View Slide

2.0.1g
2.0.1g
(2.0.1g)

View Slide

Branches

View Slide

Branches
Composer automatically detects numbered branches as
development versions.
Branch named 2.0 is treated as 2.0.x-dev

View Slide

Branches
Composer can alias a named branch to a speciﬁc
development version.
Branch named master is treated as 2.0.*@dev

View Slide

master
dev-master

View Slide

testing
dev-testing

View Slide

2.0
2.0.x-dev
(2.0.*@dev)

View Slide

2.0-experimental
dev-2.0-experimental
(2.0.*@dev won’t work!)

View Slide

Branch Aliases

View Slide

{
“extra”: {
“branch-alias”: {
“dev-master”: “2.0.x-dev”
}
}
}

View Slide

When starting a new library that is to be
distributed via Packagist / Composer, be SURE to
set up your dev-master branch alias.
— Don Gilbert
https://twitter.com/dilbert4life/status/380137097614458881

View Slide

How Do You Target
Branches and Non-
Stable Versions?

View Slide

{
“require”: {
“symfony/yaml”: “3.5-cat”,
“silex/silex”: “1.1@dev”,
“pimple/pimple”: “dev-master”
}
}

View Slide

Stability

View Slide

Stability
Minimum stability controlled by the root package.
(Minimum stability defaults to “stable”)

View Slide

Stability
{
“minimum-stability”: “alpha”
}

View Slide

Stability
Stability can be controlled on a package-by-package
basis by the root package.

View Slide

Stability
{
“require”: {
“silex/silex”: “~1.1@dev”,
“symfony/http-foundation”: “@beta”
},
“minimum-stability”: “alpha”
}

View Slide

Stability
Composer solver errors are fun.

View Slide

{
"require": {
"pimple/pimple": "2.0.*"
}
}
Stability

View Slide

$ composer install
Your requirements could not be resolved to an installable set of packages.
Problem 1
- The requested package pimple/pimple 2.0.* could not be found.
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to
your minimum-stability setting
Stability

View Slide

Stability
Even if your package requires something @dev, users of
your package won’t get it unless they explicitly ask for it.

View Slide

{
“require”: {
“pimple/pimple”: “1.*@dev”
}
}
R

View Slide

R
{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “1.*@beta”,
}
}

View Slide

{
“require”: {
“dflydev/doctrine-orm-service-provider”: “1.0.*”,
“pimple/pimple”: “1.0.*”
}
}
{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “1.*@beta”,
}
}
R

View Slide

Questions?
https://joind.in/10064
@beausimensen

View Slide

Composer: Stability and Semantic Versioning Demystified (Madison PHP)

Composer: Stability and Semantic Versioning Demystified (Madison PHP)

Beau Simensen

More Decks by Beau Simensen

Other Decks in Programming

Featured

Transcript