Adrian Cardenas
Web developer focusing on PHP, JS, HTML, CSS.
Essential
Composer
by
Adrian Cardenas (@aramonc)
04/21/2013
What is composer
-
Not a package manager
-
Dependency manager
-
Based on NPM & Ruby's Bundler
- Why not use PEAR?
Features
- Download PHP libraries/packages
your project depends on - Specify version of each dependency
(using semantic versioning) - Download dependencies of your dependencies
- Writes autoloader file and class map
of dependencies - Supports PSR-0, but not required
- Creates projects based on packages*
- Can use multiple repositories
Semantic Versioning
- x.y.Z (Patch version) - Backwards compatible
bug fixes introduced. - x.Y.z (Minor version) - New features introduced
that are backwards compatible. Or feature is
deprecated - X.y.z (Major version) - New features introduced
that are not backwards compatible - Number increase by one (i.e. 1.9.0, 1.10.0, 1.11.0)
- An increase in one version resets the version
to the right back to zero
Example: An increase to the minor version from
1.9.3 would mean the next version is 1.10.0
Installation
-
http://www.getcomposer.org/composer.phar
- Curl
curl -sS https://getcomposer.org/installer | php -
Can install globally
curl -sS https://getcomposer.org/installer | php $ mv composer.phar /usr/local/bin/composer - Windows Installer
- Requires PHP 5.3+
Composer.json
{
"require": {
"vendor/package": "1.3.2",
}
}- Require line composed of
vendor name, package name, & version - Needs to be in the root of the project
along with composer.phar - Can also specify "require-dev" which will only
be installed if the --dev flag is passed to the install
command or --no-dev is omitted from update
{
"require-dev" : {
"firephp/firephp-core": "0.4.0@rc2"
}
}
Versions
- Version can be exact as above
- Can request specific stability level
{ "require": { "monolog/monolog": "1.0.*@beta", "acme/foo": "@dev" } } - Stability: @dev, @alpha, @beta, @rc, & @stable (default)
- Can request specific commits via #<ref>
{ "require": { "acme/foo": "1.0.x-dev#abc123" } }
Relative Versions
-
X.Y.* - Match the latest stable minor version
(i.e. 1.2.3 will be selected rather than 1.2.2) -
>= X.Y.Z, < A.B.C - Match a range of versions
(i.e. any stable version between 1.2.3 & 2.0.0) -
~X.Y.Z - Match next significant release
(i.e. ~1.2 will match up to 1.9, ~1.1.3 will match 1.1.99)
Packagist.org
- Search for packages
- See package requirements & recommendations
- List of every version registered
- Dependency declaration for each version
Creating a Project
- Certain packages can be used to create projects
php composer.phar create-project -sdev --repository-url="http://packages.zendframework.com" zendframework/skeleton-application path/to/install
This is the equivalent of doing a git clone/svn checkout followed by a composer install of the vendors.
- Or clone the project and run
php composer.phar install - Dependencies will be installed in the vendor directory
Composer.lock file
- The composer.lock file is created after
the first install command is run - It locks the project to the specific version
of the dependencies installed - If lock file is present, install command will ignore
json file and install versions from lock file - Composer.lock file should be commited to VCS
composer.json
{
"require" : {
"aws/aws-sdk-php-zf2": "1.0.*"
}
}
php composer.phar install
composer.lock contains
{
"require" : {
"aws/aws-sdk-php-zf2": "1.0.1"
}
}
Composer.lock file
- All future clones of the project will install
version 1.0.1 - To upgrade a dependency run
php composer.phar update- Update command installs the latest version
- Changes the installed version on the lock file
- Lock file should be recommitted
along with composer.json
Autoloader
- Install command creates autoloader
- Include with
require "vendor/autoload.php";
Listing on Packagist
- Package must be on a VCS repository
(GitHub, BitBucket, private etc.) - Repository does not have to be public
as long as the web user has
access to the repository - Packagist crawls the repository for branches
and the composer.json file - The information gets displayed on the package page
Package Name
- To Packagist, all projects are unnamed
libraries until they have a name - Names cannot change
- Need to be unique enough to avoid conflicts
- Name should be composed of vendor &
package name separated by "/"
Composer.json again
{
"name": "monolog/monolog",
"type": "library",
"description": "Logging for PHP 5.3",
"keywords": ["log","logging"],
"homepage": "http://github.com/Seldaek/monolog",
"license": "MIT",
"authors": [
{
"name": "Jordi Boggiano",
"email": "j.boggiano@seld.be",
"homepage": "http://seld.be",
"role": "Developer"
}
],
"require": {
"php": ">=5.3.0"
},
"autoload": {
"psr-0": {
"Monolog": "src"
}
}
}Requiring Platform Packages
- Virtual packages that exists in the system
but are not installable by Composer
- Can constrain versions
- "php" key references version of PHP
- "ext-<name>" references PHP extensions
- "lib-<name>" references libraries PHP can use
such as curl
Versions
- Versions detected through branch names
or tags - The version key on the json file is
not recommended - For versions to be used must conform to
Semantic Versioning - Leverage stability flags on tags for users
(i.e. 2.3.0-alpha1)
Autoloading
- PSR-0 autoloading for classes by defining
root path{ "autoload": { "psr-0": { "Certatim": "src/" } } } - Classmap autoloading by defining include
directories{ "autoload": { "classmap": ["src/", "lib/", "MyClass.php"] } } - Specific file autoloading
{ "autoload": { "files": ["src/MyLibrary/functions.php"] } }
Further Reading
Essential Composer
By Adrian Cardenas
Essential Composer
A brief introduction to Composer for project dependency management and Packagist for library/package distribution.
- 2,461
