1. Avoid Version Chaos
PHP Dependency Management with Composer

2. Shameless Self-Promotion
Who Am I?
● David Weingart
● PHP user since 2001
● Currently Web Development Manager at the
UNH InterOperability Laboratory
● Twitter: @dweingart
● https://www.linkedin.com/in/dbweingart

3. What is Composer?
● Composer is a dependency manager for
PHP
o It downloads, installs, and loads dependencies you
specify in a composer.json file
● A dependency is any code that your
application requires in order to function
o Think libraries like Monolog or Doctrine, or
frameworks like Symfony or Laravel

4. Why use Composer?
● You could just download the libraries you
need, right?
o Sure, but Composer has the following benefits:
 Declarative dependencies
 Handles recursive dependencies
 Easy autoloading of packages
 Integration with Packagist

5. ● Unix systems (Linux/Mac OS X)
o curl -Ss https://getcomposer.org/installer > installer.php
o vim installer.php # Verify the download is not malicious
o php installer.php --install-dir=/usr/local/bin --filename=composer
 Composer installed globally as /usr/local/bin/composer
o Don’t follow the instructions on the download page to pipe the installer through PHP
without looking at the code.
● Windows
o Download the Composer windows installer and run it
 https://getcomposer.org/Composer-Setup.exe
Installation

6. Hello World
$ composer init
● Init will interactively create an initial composer.json
file for you

7. Sample Composer.json
{
"name": "dweingart/hello-world",
"description": "Basic Composer demonstration",
"require": {
"slim/slim": "2.*",
"slim/views": "*",
"twig/twig": "1.*"
},
"license": "BSD",
"authors": [
{
"name": "David Weingart",
"email": "dweingart@pobox.com"
}
]
}

8. Declaring Dependencies
● Declare dependencies in the “require”
section of composer.json
o Dependencies consist of a package name and a
version specification
 Package names are vendor/package
● twig/twig is the Twig template engine, and twig/extensions is
the official Twig extensions package
o Packages are installed from a repository
 Default repository is Packagist (you can add more)

9. Version Specification
● Exact version: 1.2.3
● Wildcard: 1.2.*
● Range: >=1.0,<1.2
o With ranges you can exclude a known-bad release
● Next Significant Release: ~1.2
o Equivalent to >=1.2,<2.0
● Version specifications interact with the stability-flag
setting. You can also set per-package stability flags.

10. Composer Update
$ composer update <package>
● Will update the code in your vendor directory to the latest versions
based on your version specifications
● Example:
o Version specification: 1.2.*
o Current installed version: 1.2.3
o Latest release: 1.2.10
o Update will download and install 1.2.10
● Updates the composer.lock file with the exact versions installed
● Be careful with update as it has the potential to break your application
o Revert a bad update by reverting the lock file and running install

11. Composer Install
$ composer install
● Downloads and installs the exact versions of the packages defined in
the composer.lock file
o Exception: if there’s no lock file it uses composer.json and
performs an update to generate an initial lock file
● Production systems should never use composer update and should
only use composer install

12. Integration with VCS
● Do: Check composer.json and
composer.lock into version control
● Don’t: Check in the vendor directory

13. Autoloader
● Composer includes a handy autoloader for
any class that it manages
● You can also configure the autoloader to
load your own classes
o require 'vendor/autoload.php';
o $app = new SlimSlim();
o $db = new MyAppDBConnector();

14. Packagist
● Packagist is the main source of Composer
packages
● Pro: Anyone can submit packages
o Lots to choose from
● Con: Anyone can submit packages
o Due diligence is required

15. Advanced Features
● Repositories other than Packagist
o Composer can load packages from PEAR, Git,
Subversion, a private Packagist instance, or even a
zip file.
● require-dev
o Packages required only for testing (e.g. PHPUnit)
can be placed in a require-dev section and updated
separately.

16. Advanced Features
● Aliases
o To satisfy dependencies you can alias branch
names to versions
 "monolog/monolog": "dev-bugfix as 1.0.x-dev"
● Packages can include vendor binaries
o This is used by some frameworks to allow you to
quickly create new projects

17. WordPress Support
● WordPress
o No official support, but community efforts to support
installing WP core and plugins using Composer
o Resources
 Composer in WordPress
 WP Packagist
● Mirrors official WP themes and plugin directory as a
Composer repository

18. Drupal Support
● Drupal 8 will support composer for updating
core packages
● There exists today a Drupal 8 package in
Packagist

19. Security Notes
● Recommended installation method - don’t pipe
untrusted code to PHP
● Anyone can publish to Packagist without a security
review
● Falls back to regular HTTP without warning
● Packages can register scripts that execute on install
(but you can disable this)
● Does not validate SSL certificates
● No code signing yet

20. Resources
● Composer Documentation
● Packagist
● Presentation: Composer & You
o An opinionated look at Composer and running your
own package repository by @MrDanack
● Accelerate Drupal 8 Development