Managing Dependencies with Composer (php[tek] 2015)

Managing Dependencies
with Composer
php[tek]
May 19th, 2015
@beausimensen
beau.io joind.in/13769

View Slide

View Slide

Tutorial

View Slide

Wi-Fi & PHP>=5.3.2
required if you want to play

View Slide

$ composer show [pkg]
shows information about a package

View Slide

$ composer show silex/silex
shows information about Silex

View Slide

Dependency
Management

View Slide

composer.json

View Slide

{
“name”: “acme/my-project”,
“description”: “Acme’s My Project”,
“license”: “MIT”,
“require”: {
“silex/silex”: “1.1.*”
},
“autoload”: {
“psr-4”: {
“Acme\\MyProject\\”: “src”
}
}
}

View Slide

vendor-name/project-name
A package's name cannot change and must be all lowercase

View Slide

http://www.spdx.org/licenses/
Publishing to Packagist requires you choose a license!

View Slide

{
“require”: {
},
“autoload”: {
“psr-4”: {
}
}
}

View Slide

$ composer install
Loading composer repositories with package information
Installing dependencies (including require-dev)
- Installing psr/log (1.0.0)
- Installing symfony/routing (v2.3.7)
- Installing symfony/debug (v2.3.7)
- Installing symfony/http-foundation (v2.3.7)
- Installing symfony/event-dispatcher (v2.3.7)
- Installing symfony/http-kernel (v2.3.7)
- Installing pimple/pimple (v1.1.0)
- Installing silex/silex (v1.1.2)
Writing lock file
Generating autoload files
$

View Slide

The packages are installed into a
directory named vendor

View Slide

vendor =

View Slide

require “vendor/autoload.php”;

View Slide

Basic Usage

View Slide

Install Composer
getcomposer.org/download

View Slide

$ curl -sS https://getcomposer.org/installer | php
$ php composer.phar --version
WARNING
Security people think this is bad (but it is all the rage)

View Slide

$ chmod 755 composer.phar
$ mv composer.phar ~/bin/composer
$ composer --version

View Slide

composer.json and composer.lock

View Slide

composer.json describes a
package and its dependencies

View Slide

{
“require”: {
},
“autoload”: {
“psr-4”: {
}
}
}

View Slide

composer.lock describes
exactly what should be installed

View Slide

$ composer install
- Installing psr/log (1.0.0)
- Installing symfony/routing (v2.3.7)
- Installing symfony/debug (v2.3.7)
- Installing symfony/http-foundation (v2.3.7)
- Installing symfony/event-dispatcher (v2.3.7)
- Installing symfony/http-kernel (v2.3.7)
- Installing pimple/pimple (v1.1.0)
- Installing silex/silex (v1.1.2)
Writing lock file
Generating autoload files
$

View Slide

Check your composer.lock into
your repository

View Slide

Common Commands

View Slide

$ composer install
If composer.lock exists, install exactly what is in the lock ﬁle.
!
Otherwise, read composer.json to ﬁnd out what should be installed,
install the dependencies, and write out composer.lock.

View Slide

View Slide

$ composer update
Installs dependencies from composer.json
and creates or updates composer.lock.

View Slide

View Slide

$ composer require [pkg]
Add a package to composer.json.
!
The [pkg] is the name with a version constraint.
!
!
foo/bar or foo/bar:1.0.0 or foo/bar=1.0.0 or "foo/bar 1.0.0"

View Slide

$ composer require [pkg]
Recommend way to add Composer packages to your project!
!
composer require foo/bar

View Slide

View Slide

$ composer require --dev [pkg]
Add a package as a dev requirement
!
composer require --dev foo/bar

View Slide

View Slide

$ composer validate
Check composer.json for common errors

View Slide

View Slide

$ composer diag
Check environment and composer.json for common errors

View Slide

View Slide

$ composer show [pkg]
shows information about a package

View Slide

View Slide

$ composer show --self
shows information about THIS package

View Slide

View Slide

$ composer clearcache
Because sometimes things get stale.

View Slide

Vendor Tour

View Slide

vendor =

View Slide

View Slide

{
“require”: {
},
“autoload”: {
“psr-4”: {
}
}
}

View Slide

Autoloading

View Slide

# Acme\User is not defined
!
$user = new Acme\User();
!
# Acme\User is defined

View Slide

Magic!
since 5

View Slide

function ($class) {
if ($class === "Acme\\Account\\User") {
// do something to cause this class
// to become defined
require __DIR__."/src/user.inc";
}
}

View Slide

Composer is a conﬁgurable
autoloader

View Slide

Each Composer package gets
to conﬁgure its own rules

View Slide

psr-0

View Slide

PHP-FIG
PHP Framework Interoperability Group
php-ﬁg.com

View Slide

Namespaces are directories

View Slide

Classes are ﬁles with .php sufﬁx

View Slide

Acme\Account\User

View Slide

Acme/Account/User.php

View Slide

PSR-0 also supports legacy
PEAR style naming conventions

View Slide

Acme\Account\User
!
Acme_Account_User

View Slide

!

View Slide

{
"autoload": {
"psr-0": {
"Acme\\Account\\": "src"
}
}
}
!
new Acme\Account\User();
!
# src/Acme/Account/User.php

View Slide

{
"autoload": {
"psr-0": {
"Acme_Account_": "src"
}
}
}
!
new Acme_Account_User();
!

View Slide

psr-4

View Slide

PHP-FIG
PHP Framework Interoperability Group
php-ﬁg.com

View Slide

Composer currently recommends
new projects use PSR-4

View Slide

Very similar to PSR-0

View Slide

Only supports namespaces
(this means no PEAR style naming)

View Slide

Requires a namespace preﬁx
and base directory for mapping

View Slide

Acme\Account\User (class)
!
Acme\Account (namespace prefix)
!
src (base directory)
!
src/User.php (resulting file path)

View Slide

{
"autoload": {
"psr-4": {
}
}
}
!
!
# src/User.php

View Slide

Migrating from PSR-0 to PSR-4

View Slide

{
"autoload": {
"psr-0": {
}
}
}
!
!

View Slide

{
"autoload": {
"psr-4": {
"Acme\\Account\\": "src/Acme/Account"
}
}
}
!
!

View Slide

files

View Slide

Explicitly include speciﬁc ﬁles

View Slide

{
“autoload”: {
“files”: [
“src/foo.class.php”,
“src/bar.class.php”
]
}
}

View Slide

{
“autoload”: {
“files”: [“src/functions.php”]
}
}

View Slide

{
“autoload”: {
“files”: [“src/autoload.php”]
}
}

View Slide

The files autoloader is really
an alwaysloader

View Slide

classmap

View Slide

A key => value map of class
names to ﬁles on disk

View Slide

{
“autoload”: {
“classmap”: [
“src/includes/”,
“resources/config.php”
]
}
}

View Slide

It will look inside .php and .inc
ﬁles to ﬁnd classes

View Slide

The classmap is generated anytime
Composer dumps its autoloader

View Slide

Extremely fast and powerful but
not very developer friendly

View Slide

{
“require”: {
},
“autoload”: {
“psr-4”: {
}
}
}

View Slide

Semantic Versioning

View Slide

semver.org

View Slide

MAJOR.MINOR.PATCH
Which number do you increment and why?

View Slide

MAJOR.MINOR.PATCH
When you break backwards compatibility

View Slide

MAJOR.MINOR.PATCH
When you add backwards compatible features

View Slide

MAJOR.MINOR.PATCH
When you make backwards compatible bug ﬁxes

View Slide

Pre-Release Identiﬁers

View Slide

1.0.0-alpha
1.0.0-beta.2
1.0.0-RC3

View Slide

Stability
Pre-Release Identiﬁers

View Slide

Version Constraints

View Slide

Exact Version
1.0.2

View Slide

Ranges
>=1.0,<2.0

View Slide

Wildcards
1.0.*

View Slide

Next Signiﬁcant Release
Tilde and Caret Operators

View Slide

~1.2
Minimum allowed version and only
the last number listed can increase.

View Slide

~1.2
>=1.2,<2

View Slide

~1.2.3
>=1.2.3,<1.3

View Slide

^1.2
Minimum allowed version and up to
next major release.

View Slide

^1.2
>=1.2,<2

View Slide

^1.2.3
>=1.2.3,<2

View Slide

^0.2
Safer handling for pre-1.0 versions.

View Slide

^0.2
>=0.2,<0.3

View Slide

^0.2.3
>=0.2.3,<0.3

View Slide

Semantic Versioning lets
you know what you are
getting into

View Slide

Safe
1.3.*
Only get bug ﬁxes

View Slide

Reasonably Safe
1.*
Get bug ﬁxes and new features

View Slide

Nope.
*
Composer allows this, but don't.
Just don't.

View Slide

Version Constraint Considerations

View Slide

–Semantic Versioning
“If the dependency speciﬁcations are too tight, you are in danger
of version lock (the inability to upgrade a package without having
to release new versions of every dependent package).”

View Slide

Libraries should generally have
more permissive constraints

View Slide

–Semantic Versioning
“If dependencies are speciﬁed too loosely, you will inevitably
be bitten by version promiscuity (assuming compatibility with
more future versions than is reasonable).”

View Slide

End projects may want to have
more restrictive constraints

View Slide

Deep Dependency Resolution

View Slide

{
“name”: “silex/silex”,
“require”: {
“pimple/pimple”: “1.*”
}
}
1.1.0
1.1.0
1.1.1
1.0.2
1.0.1
1.0.0
2.0.0
Silex
Pimple
0.0.1

View Slide

{
“require”: {
}
}
{
“name”: “dflydev/doctrine-orm-service-provider”,
“require”: {
“pimple/pimple”: “~1.1”,
“doctrine/orm”: “~2.3”
}
}
1.1.0
1.1.0
1.1.1
1.0.2
1.0.1
1.0.0
2.0.0
Silex
Pimple
0.0.1
2.3.2
2.4.0
2.3.1
2.3.0
2.2.1
2.5.0
ORM
2.2.0
1.0.0
dﬂydev

View Slide

{
“name”: “acme/myapp”,
“require”: {
“dflydev/doctrine-orm-service-provider”: “1.0.*”,
“silex/silex”: “1.1.*”,
!
“pimple/pimple”: “~1.1.1”,
“doctrine/orm”: “2.4.*”
}
}
{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “~1.1”,
}
}
1.1.0
1.1.0
1.1.1
1.0.2
1.0.1
1.0.0
2.0.0
Silex
Pimple
0.0.1
2.3.2
2.4.0
2.3.1
2.3.0
2.2.1
2.5.0
ORM
2.2.0
1.0.0
dﬂydev
1.0.0
myapp

View Slide

Conﬂicts

View Slide

{
"require": {
"silex/silex": "1.1.*",
"pimple/pimple": "2.0.*@dev"
}
}

View Slide

$ composer install
Your requirements could not be resolved to an installable set of packages.
!
Problem 1
- silex/silex v1.1.0 requires pimple/pimple 1.*
-> satisfiable by pimple/pimple[1.0.0, 1.1.x-dev, v1.0.1, v1.0.2, v1.1.0].
- silex/silex v1.1.1 requires pimple/pimple 1.*
- silex/silex v1.1.2 requires pimple/pimple ~1.0
- Can only install one of: pimple/pimple[2.0.x-dev, 1.0.0].
- Can only install one of: pimple/pimple[2.0.x-dev, 1.1.x-dev].
- Can only install one of: pimple/pimple[v1.0.1, 2.0.x-dev].
- Installation request for pimple/pimple 2.0.*@dev
-> satisfiable by pimple/pimple[2.0.x-dev].
- Installation request for silex/silex 1.1.*
-> satisfiable by silex/silex[v1.1.0, v1.1.1, v1.1.2].
!
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to your
minimum-stability setting.

View Slide

Versions from Tags

View Slide

2.0.1
2.0.1
(2.0.*)

View Slide

v2.0.1
2.0.1
(2.0.*)

View Slide

2.0.1-RC1
2.0.1-RC1
(2.0.*@RC)

View Slide

3.4-cuddly-cat
3.4-cuddly-cat
(3.4-cuddly-cat)

View Slide

2.0.1g
2.0.1g
(2.0.1g)

View Slide

Versions from Branches

View Slide

Branches are considered
@dev stability

View Slide

Numbered branches are easy

View Slide

2.0
2.0.x-dev
(2.0.*@dev)

View Slide

Named branches default to their
name with a dev- preﬁx

View Slide

master
dev-master
(dev-master)

View Slide

2.0-experimental
dev-2.0-experimental
(2.0.*@dev won't work!)

View Slide

Named branches can be aliased
to be semver friendly

View Slide

{
“extra”: {
“branch-alias”: {
“dev-master”: “2.0.x-dev”
}
}
}

View Slide

master
dev-master / 2.0.x-dev
(dev-master or 2.0.*@dev)

View Slide

Create a branch alias as soon as
you start a new Composer
package

View Slide

(future you and your users will thank you)

View Slide

Requiring non-stable versions

View Slide

{
“require”: {
“symfony/yaml”: “3.5-cat”,
“silex/silex”: “1.1@dev”,
“pimple/pimple”: “dev-master”,
“sculpin/core”: “2.0.*@beta”
}
}

View Slide

requiring dev-master
considered harmful

View Slide

Pretend dev-master doesn't exist

View Slide

Send pull requests when you ﬁnd
a package that offers dev-master
without a branch alias

View Slide

{
“name”: “acme/myapp”
}

View Slide

{
“require”: {
“naughty/id-generator”: “1.0.*”
}
}
!
!
{
“name”: “naughty/id-generator”,
“require”: {
“ircmaxell/random-lib”: “dev-master”
}
}

View Slide

{
“require”: {
“naughty/id-generator”: “1.0.*”,
!
“ircmaxell/random-lib”: “@dev”
}
}
!
!
{
“require”: {
}
}

View Slide

{
“require”: {
!
}
}
!
!
{
“require”: {
}
}

View Slide

{
“require”: {
"dflydev/hawk": "1.0.*",
!
"ircmaxell/random-lib": "dev-master"
}
}
!
!
{
“require”: {
}
}
!
!
{
“name”: “dflydev/hawk”,
“require”: {
“ircmaxell/random-lib”: “~1.0@dev”
}
}

View Slide

{
“require”: {
“naughty/id-generator”: "1.0.*”,
!
"ircmaxell/random-lib": "dev-master"
}
}
!
!
{
“require”: {
}
}
!
!
{
“require”: {
}
}
1.0.x-dev != dev-master

View Slide

{
“require”: {
!
"ircmaxell/random-lib": "@dev"
}
}
!
!
{
“require”: {
}
}
!
!
{
“require”: {
}
}
Time to send a
pull request!

View Slide

dev-master is viral

View Slide

Once people start using dev-master
for your package it can be hard to
break them of that habit

View Slide

Send pull requests when you ﬁnd a
package that requires dev-master
when a branch alias exists

View Slide

–Michael Dowling
“I'm working on a new version of Guzzle. If you're using
composer: stop using dev-master. Use a tagged
release. Especially in production.”
https://twitter.com/mtdowling/status/440901351657054208

View Slide

Stability

View Slide

Root package

View Slide

The root package is the package
deﬁned in the working
composer.json

View Slide

A package is the root package
while it is being developed

View Slide

The root package gets to control
all aspects of stability

View Slide

Minimum stability

View Slide

Controlled by the root package

View Slide

Defaults to stable

View Slide

{
“minimum-stability”: “alpha”
}

View Slide

Applied to all packages for
which the root package doesn't
specify a stability

View Slide

Package-by-package stability

View Slide

Stability can be controlled on a
package-by-package basis

View Slide

{
“require”: {
“silex/silex”: “~1.1@dev”,
“symfony/http-foundation”: “@beta”
},
“minimum-stability”: “alpha”
}

View Slide

Stability solver errors are fun

View Slide

{
"require": {
"sculpin/sculpin": "2.0.*"
}
}

View Slide

$ composer install
Your requirements could not be resolved to an installable set of
packages.
!
Problem 1
- The requested package sculpin/sculpin 2.0.* could not be found.
!
Potential causes:
- A typo in the package name
- The package is not available in a stable-enough version according to
your minimum-stability setting

View Slide

{
"require": {
"sculpin/sculpin": "2.0.*@dev"
}
}

View Slide

{
"require": {
"sculpin/sculpin": "2.0.*"
},
"minimum-stability": "dev"
}

View Slide

Root package stability implications

View Slide

Even if your package requires a
dependency @dev, users of your
package won't get it unless they
explicitly ask for it.

View Slide

{
“require”: {
“pimple/pimple”: “1.*@dev”
}
}
Root Package

View Slide

{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “1.*@beta”,
}
}
Root Package

View Slide

{
“require”: {
“dflydev/doctrine-orm-service-provider”: “1.0.*”,
!
“pimple/pimple”: “1.*@alpha”
}
}
{
“require”: {
}
}
{
“require”: {
“pimple/pimple”: “1.*@beta”,
}
}
Root Package

View Slide

Dev Dependencies

View Slide

dev dependencies can only be
installed for the root package

View Slide

Publishing and
Discovery

View Slide

packagist.org

View Slide

Over 59,200 packages

View Slide

Publishing is as easy as pasting
your repository's GitHub URL

View Slide

View Slide

Check Packagist before you
start a new library from scratch

View Slide

Self Hosted Composer
Repositories

View Slide

Install Packagist Locally

View Slide

Satis

View Slide

Toran Proxy
https://toranproxy.com/

View Slide

[this page intentionally left blank]

View Slide

Choose an autoloading strategy

View Slide

Choose PSR-4 for new projects

View Slide

Semantic Versioning lets you
know what you're getting into

View Slide

Libraries should generally have
more permissive constraints

View Slide

End projects may want to have
more restrictive constraints

View Slide

Create branch aliases

View Slide

dev-master considered harmful

View Slide

Use Packagist

View Slide

#composer
look for simensen and say "hi"
freenode IRC

View Slide

Questions?
@beausimensen • beau.io
@thatpodcast • thatpodcast.io
beau.io/talks
joind.in

View Slide

Beau Simensen
@beausimensen
+BeauSimensen
beau.io

View Slide

Dragonfly Development
@dflydev
dflydev.com

View Slide

Managing Dependencies with Composer (php[tek] 2015)

Managing Dependencies with Composer (php[tek] 2015)

Beau Simensen

More Decks by Beau Simensen

Other Decks in Programming

Featured

Transcript