The Knowledge Hub

Appearance

4. Managing Dependencies with Composer

In the previous chapter, we introduced Composer and explored its basic features. In this chapter, we'll delve deeper into Composer and look at how to manage dependencies with it.

Section 4.1: Updating Dependencies

As we discussed in the previous chapter, Composer creates a composer.lock file that lists all the installed dependencies and their versions. When you run composer install, Composer installs the exact versions of each package specified in the composer.lock file.

However, what happens when you want to update a package to a newer version? In this case, you can run the composer update command. This command updates all packages to their latest versions that satisfy the version constraints specified in the composer.json file. After updating the packages, Composer generates a new composer.lock file that lists the updated versions.

It's important to note that updating packages can introduce incompatibilities or break your application if the updated package contains breaking changes. To avoid this, it's recommended to update packages in a development environment and thoroughly test the updated code before deploying to production.

Section 4.2: Installing Packages

Composer provides a simple and efficient way to install packages and manage dependencies in your PHP project. In this section, we will discuss how to install packages using Composer.

To install a package using Composer, you need to use the require command.

For example,

If you want to install the monolog/monolog package, you can run the following command in your terminal or command prompt:

bash
composer require monolog/monolog

This will download the latest version of the monolog/monolog package and add it to your project's composer.json file. Composer will also create a vendor directory in your project's root directory, which contains all the dependencies required by your project.

You can also specify a specific version of a package to install using the following command:

bash
composer require monolog/monolog:1.0.0

This will install version 1.0.0 of the monolog/monolog package.

You can also install multiple packages at once by specifying their names separated by spaces:

bash
composer require monolog/monolog symfony/console guzzlehttp/guzzle

This will install the monolog/monolog, symfony/console, and

guzzlehttp/guzzle packages.

Additionally, you can also install packages as dev dependencies by using the --dev flag:

bash
composer require --dev phpunit/phpunit

This will install the phpunit/phpunit package as a development dependency, which means it will not be included in the production build of your project.

In summary, installing packages using Composer is a straightforward process that can be done with a single command. Composer takes care of resolving package dependencies and downloading the required packages from the internet, making it an essential tool for managing PHP dependencies in modern projects.

Section 4.3: Removing Packages

Removing packages is a common task when working with Composer. It can be necessary when a package is no longer needed, or when upgrading to a new version of a package that requires a different set of dependencies.

To remove a package, you can use the composer remove command followed by the name of the package you want to remove.

For example,

To remove the monolog/monolog package from your project, you can run the following command:

bash
composer remove monolog/monolog

This command will remove the package from your project's composer.json file and uninstall it from your project's vendor directory.

If you want to remove a package and its dependencies that are no longer required by any other packages in your project, you can use the --no-require option.

For example:

bash
composer remove monolog/monolog --no-require

This command will remove the package and all its dependencies that are no longer required by any other packages in your project. Note that this can also remove other packages that are not directly related to the package you are removing, so use this option with caution.

It's important to note that removing a package can break your project if other packages in your project depend on it. Before removing a package, it's a good idea to check if any other packages in your project depend on it and whether removing it will cause any issues. You can use the composer depends command to check the dependencies of a package.

bash
composer depends monolog/monolog

This command will show you a list of packages that depend on the monolog/monolog package. If any of these packages are still required in your project, you may want to consider keeping the monolog/monolog package or finding an alternative package that meets your needs.

In summary, removing packages with Composer is a straightforward process that can be done with the composer remove command. However, it's important to be cautious when removing packages as it can potentially break your project if other packages depend on it.

Section 4.4: Installing Specific Versions

One of the key features of Composer is the ability to install specific versions of packages. This can be helpful if you need to maintain compatibility with a specific version of a package, or if you need to test your code against multiple versions of a package.

To install a specific version of a package, you can specify the version number when running the composer require command.

For example, to install version 2.0.0 of the monolog/monolog package, you would run the following command:

bash
composer require monolog/monolog:2.0.0

You can also use a range of version constraints to specify which versions of a package to install.

The most common version constraints are:

  1. ^: Allows the most recent minor version (i.e., the version number to the right of the first decimal point) but keeps the major version (i.e., the number to the left of the first decimal point) constant.

For example, ^2.0.0 would allow any version from 2.0.0 to 2.999.999 but not 3.0.0 or higher.

  1. ~: Allows the most recent patch version (i.e., the version number to the right of the second decimal point) but keeps the major and minor versions constant.

For example, ~2.0.0 would allow any version from 2.0.0 to 2.0.999 but not 2.1.0 or higher.

  1. >=, >, <=, <: Allows any version that meets the specified comparison operator.

For example, >=2.0.0 would allow any version 2.0.0 or higher.

  1. *: Allows any version of the package.

For example, to allow any version of the monolog/monolog package that is compatible with version 2.0.0, you would run the following command:

bash
composer require monolog/monolog:^2.0.0

When you install a specific version of a package, Composer will generate a lock file (composer.lock) that specifies the exact version of each dependency that should be installed. You can commit this lock file to your version control system to ensure that all developers and servers are using the same versions of packages.

To install the packages specified in the lock file, you can run the composer install command. This will ensure that you have the exact versions of each dependency that you need.

Alternatively, you can install a package by specifying a Git branch, tag, or commit hash. For example, to install a package from a Git repository at a specific commit hash, you can run the following command:

bash
composer require vendor/package:dev-master#abcdef

This command installs the vendor/package package from the dev-master branch at the abcdef commit hash.

Section 4.5: Using Private Packages

While Composer is widely used for managing dependencies for open-source projects, it is also a powerful tool for managing dependencies for private projects. In this section, we will explore how to use private packages with Composer.

Private packages are packages that are not publicly available on Packagist or any other public repository. These packages can be hosted on private repositories such as GitHub, GitLab, or Bitbucket.

To use private packages with Composer, you need to specify the repository where the package is hosted.

This can be done by adding a new entry to the repositories section in your composer.json file.

json

{
	"repositories":[
		{
			"type":"vcs",
			"url":"https://github.com/username/repo"
		}
	],
	"require":{
		"username/repo":"dev-master"
	}
}

In the above example,

We have added a new repository entry for a package hosted on GitHub. We have specified the repository type as "vcs" and provided the URL to the repository. We have also added the package to the require section using the username/repo format and specified the version constraint as "dev-master".

Once you have added the repository entry and specified the package in the require section, you can install the package using the composer install or composer update command.

bash
composer install

If the package requires authentication, you will need to provide your credentials to Composer. This can be done by creating a personal access token on the hosting platform and adding it to the composer.json file.

json

{
	"config":{
		"github-oauth":{
			"github.com":"TOKEN"
		}
	}
}

In the above example,

We have added a new config section to the composer.json file and specified the GitHub OAuth token for authentication.

Using private packages with Composer can greatly simplify the process of managing dependencies for private projects. By hosting your own packages, you have full control over the versioning, updates, and security of your dependencies.

Private repository

In addition to installing packages from public repositories like Packagist, you can also install packages from private repositories. This is useful for companies or organizations that want to share code between their own projects but don't want to make the code publicly available.

Composer supports various private package repositories, including Satis and Toran Proxy. These tools allow you to create a private repository that hosts your own packages, which can be installed using Composer.

To use a private package repository with Composer, you need to specify the repository URL in your composer.json file.

For example,

If you're using Satis, you can add the following code to your composer.json file:

json

{
	"repositories":[
		{
			"type":"composer",
			"url":"https://example.com/satis"
		}	
	
	]
}

This code specifies a private repository hosted at

https://example.com/satis/.

Once you've added this code to your composer.json file, you can install packages from the private repository using the composer require command, just like you would with public packages.

html
https://github.com/thusithawijethunga/php-dependency-management/blob/main/satis-repository/my-project/composer.json

Section 4.6: Using Composer Autoloading

One of the key features of Composer is its ability to generate autoloading files for your project's classes, allowing you to easily use and reference them without having to manually include or require them in your code. This saves time and effort, and also helps to ensure that your code is well-organized and maintainable.

To use Composer autoloading, you first need to define the namespaces and directories for your project's classes in the composer.json file, using the "autoload" section.

For example:

json
{
	"autoload":{
		"psr-4":{
			"MyNamespace\\":"src/"
		}
	}

}

This configuration tells Composer to look for classes in the "src/" directory and load them under the "MyNamespace" namespace. Note that the "psr-4" autoloading standard is used here, which maps the namespace to the directory structure in a predictable and consistent way.

Once you have defined your autoloading rules, you can generate the autoload files by running the following command in the terminal:

bash
composer dump-autoload

This will generate a new file called "vendor/autoload.php" that contains all the necessary code to autoload your project's classes. You can then include this file at the beginning of your PHP scripts to make sure all the necessary classes are loaded:

php
<?php

require_once __DIR__ . '/vendor/autoload.php';

This line should be added at the beginning of any PHP file that uses classes defined in your project.

Composer also provides an alternative autoloading method called "classmap", which allows you to specify individual files or directories to load all the classes in. This can be useful in cases where the class files do not follow the standard naming conventions, or when the classes are located in multiple directories. Here is an example configuration for classmap autoloading:

json
{
	"autoload":{
		"classmap":{
			"src/MyClass.php",
			"lib/OtherClass.php"
		}
	}
}

This configuration tells Composer to load the "MyClass.php" file from the "src/" directory and the "OtherClass.php" file from the "lib/" directory.

In general, using the PSR-4 autoloading standard is recommended, as it provides a more predictable and maintainable way to autoload classes. However, there may be cases where the classmap autoloading method is more appropriate, depending on your project's requirements.

Overall, Composer autoloading is a powerful feature that can greatly simplify your project's code structure and organization. By taking the time to set up and configure autoloading, you can save time and effort in the long run, and make your code more modular and maintainable.

Section 4.7: Managing Composer Cache

Composer uses a cache to store downloaded packages and their dependencies to speed up future installations and updates. The cache can be managed with the composer clear-cache command, which clears the cache and frees up disk space.

bash
composer clear-cache

In addition, Composer also provides the ability to store packages globally on the system to reduce the amount of duplication across projects. This can be achieved by running the following command:

bash
composer global require package/name

To remove a globally installed package, this can be achieved by running the following command:

bash
composer global remove phpunit/phpunit

By default, Composer stores its cache in the ~/.composer/cache directory on Unix-based systems or

%APPDATA%/Composer/cache on Windows.

You can manage the cache in several ways:

  1. Clear the entire cache using the composer clear-cache command. This will remove all cached packages and metadata.
  2. Remove specific packages from the cache using the **composer clear-cache <package>** command. This will remove the cached package and its metadata.
  3. Disable the cache for specific commands using the --no-cache option. For example, to disable the cache for the install command, run composer install --no-cache.
  4. Change the cache directory using the --cache-dir option. For example, to set the cache directory to /tmp/composer-cache, run composer install --cache-dir=/tmp/composer-cache.
  5. Use a custom cache directory for a specific package by setting the cache-files-dir option in the composer.json file. This option can be used to cache specific files that are frequently requested by the package.

It's important to note that the Composer cache is designed to be safe to delete at any time, and clearing the cache will not affect the functionality of your project or its dependencies. However, clearing the cache may slow down subsequent dependency resolution and installation operations as the cache needs to be rebuilt.

Section 4.8: Handling Conflicts with Composer

When using Composer to manage dependencies in your PHP project, you may encounter conflicts between different packages. Conflicts occur when two or more packages require different versions of the same package, or when two or more packages provide conflicting functionality.

Composer includes a built-in conflict resolution system to help you manage these conflicts. When a conflict is detected, Composer will attempt to resolve it by selecting the best possible version of each package that meets all of the requirements.

Here are some tips for handling conflicts with Composer:

  1. Keep your dependencies up-to-date: It's important to keep your dependencies up-to-date to avoid conflicts caused by using outdated packages. Composer makes it easy to update your dependencies by running the composer update command.
  2. Understand version constraints: Make sure you understand how version constraints work in Composer. By default, Composer uses semantic versioning (semver) to manage dependencies. This means that packages are versioned using a three-part scheme: major version, minor version, and patch version. You can specify version constraints in your composer.json file using a range of operators, including ~, ^, and >=.
  3. Use the composer why-not command: If you encounter a conflict with Composer, you can use the composer why-not command to see why a certain package is being installed and what conflicts are preventing it from being installed.
  4. Manually resolve conflicts: In some cases, you may need to manually resolve conflicts by editing your composer.json file. You can specify specific package versions or version ranges to resolve conflicts. Be careful when doing this, as it can lead to more conflicts down the line.
  5. Use the composer prohibits command: The composer prohibits command can be used to list all packages that cannot be installed due to conflicts with existing packages.
  6. Use aliases: If you have a package that requires a specific version of a dependency, but another package requires a different version, you can use aliases to create a separate version of the dependency for the conflicting package.
  7. Use the --no-update flag: When installing or updating packages, use the --no-update flag to prevent Composer from automatically updating dependencies. This can help you avoid conflicts by allowing you to manually update dependencies one at a time.
  8. Use the --ignore-platform-reqs flag: If you're running into conflicts due to platform requirements (e.g., a package that requires a specific version of PHP), you can use the --ignore-platform-reqs flag to bypass these requirements and install the package anyway. However, be aware that this can cause compatibility issues.

By following these tips, you can effectively manage conflicts when using Composer to manage dependencies in your PHP projects.

Use Aliases:

When working with large codebases or importing multiple namespaced classes, you may find that typing out the full namespace every time you reference a class can be time-consuming and error-prone. In PHP, you can use the "use" keyword to define an alias for a fully-qualified class name.

For example, instead of typing:

php
<?php

$logger = new Psr\Log\Logger();

You can define an alias for the Psr\Log\Logger class:

php
<?php

use Psr\Log\Logger;

$logger = new Logger();

You can also alias specific class methods, constants, and even function names:

php
<?php

use Symfony\Component\Console\Output\ConsoleOutput;

$output = new ConsoleOutput();

In this example, we are importing the "ConsoleOutputInterface" class from the "Symfony\Component\Console\Output" namespace, but using an alias of "OutputInterface" for brevity.

Use aliases can make your code more readable and save you time and effort when typing out class names. However, it's important to use them judiciously and avoid creating overly generic aliases that could cause confusion or conflicts with other code.

Section 4.9: Creating Your Own Packages

Creating your own packages can be a powerful way to reuse code across projects and to share your work with others. Composer provides a straightforward way to create and publish your own PHP packages.

To create your own package, you first need to define its structure. Composer follows a convention-based approach for defining package structures, which is based on the PSR-4 autoloading standard.

Here are the steps to create a simple package using Composer:

  1. Create a new directory for your package, and navigate to it in the command line.
  2. Create a new composer.json file in this directory, and define the package name, version, and any dependencies. You should also define the autoloading rules for your package, using the PSR-4 standard.

Here is an example of a composer.json file:

json
{
	"name": "your-username/your-package-name",
	"version": "1.0.0",
	"description": "A short description of your package",
	"authors": [
		{
			"name": "Your Name",
			"email": "your.email@example.com"
		}
	],
	"require": {},
	"autoload": {
		"psr-4": {
			"YourNamespace\\": "src/"
		}
	}
}
  1. Create a src directory, and place your PHP files inside it. These files should be namespaced according to the PSR-4 autoloading standard.

For example, if you defined the autoloading rule

"YourNamespace\\": "src/", then you should place your PHP files inside the src/ directory, and namespace them as namespace YourNamespace;.

  1. Commit your package to a version control system such as Git, and push it to a hosting service such as GitHub or GitLab.
  2. Publish your package to Packagist, which is the main repository for Composer packages. To do this, you need to create an account on Packagist, and then add your package's repository URL to your account. Once your package is published to Packagist, it can be installed by other users using Composer.

Note that creating your own package can be a complex process, and there are many additional considerations to keep in mind. For example, you may want to include tests, documentation, and examples with your package. However, the basic steps outlined above should be enough to get you started.

Section 4.10: Understanding Composer's Dependency Resolution

Dependency resolution is one of the most important features of Composer. It is the process of determining which versions of dependencies should be installed based on the requirements specified in the composer.json file.

When you run the composer install or composer update command, Composer analyzes the dependencies specified in the composer.json file and the constraints specified in the composer.lock file (if it exists) to determine the exact versions of the required packages that need to be installed.

The process of dependency resolution involves several steps:

  1. Reading the composer.json file to determine the required dependencies for the project.
  2. Checking the composer.lock file (if it exists) to determine if any specific version constraints have already been specified.
  3. Determining the latest version of the required package that matches the version constraints.
  4. Resolving conflicts between different packages that have different version requirements or dependencies.
  5. Creating a dependency tree that shows the relationships between all the required packages and their dependencies.
  6. Installing the required packages and their dependencies based on the dependency tree.

In some cases, Composer may not be able to resolve all the dependencies automatically. This can happen when there are conflicting version constraints or dependencies that cannot be resolved. In such cases, Composer will display an error message indicating the conflict and provide suggestions on how to resolve it.

To avoid such conflicts, it is recommended to specify exact version constraints in the composer.json file whenever possible. This ensures that the same package versions are installed across all environments and prevents unexpected behavior due to version mismatches.

Overall, Composer's dependency resolution process makes it easy to manage complex dependency trees and ensures that all dependencies are installed correctly and consistently across different environments.

Section 4.11: Using Composer with Frameworks and CMSs

Composer is widely used in the PHP community for managing dependencies in frameworks and CMSs. Many popular PHP frameworks and CMSs, such as Laravel, Symfony, and Drupal, use Composer to manage their dependencies.

When using a framework or CMS that relies on Composer, you typically don't need to interact with Composer directly. Instead, you can use the framework or CMS's own command-line tools or web interfaces to manage your dependencies.

For example, in Laravel, you can use the composer require command to add a new package to your project, like this:

bash
php artisan composer require vendor/package

This command is equivalent to running composer require directly, but it also updates the composer.json file and runs composer install to install the new package.

Similarly, in Drupal, you can use the composer require command to add a new module or library to your project, like this:

bash
composer require drupal/module_name

This will add the specified module to your project and update the composer.json file.

By using Composer with frameworks and CMSs, you can take advantage of their built-in support for managing dependencies, while still enjoying the benefits of Composer's powerful dependency management capabilities.

Section 4.12: Most Common Composer Commands

Composer has several commands that are commonly used to manage dependencies in a PHP project.

Here are some of the most frequently used Composer commands:

  1. composer install: Installs all the dependencies listed in the composer.lock file.
  2. composer update: Updates all the dependencies to their latest version and creates a new composer.lock file.
  3. composer require: Adds a new dependency to the project and updates the composer.json and composer.lock files.
  4. composer remove: Removes a dependency from the project and updates the composer.json and composer.lock files.
  5. composer show: Displays information about the installed packages.
  6. composer outdated: Shows a list of installed packages that have newer versions available.
  7. composer self-update: Updates the Composer itself to the latest version.
  8. composer dump-autoload: Generates a new autoload file based on the current composer.json file.
  9. composer validate: Validates the composer.json file to ensure it is syntactically valid.
  10. composer init: Initializes a new composer.json file in the current directory.
  11. composer global require: This command is used to install a package globally, which means it will be available to all projects on your system.
  12. composer clear-cache: This command clears the cache and should be used when you suspect an issue with the cache.
  13. composer global remove: This command is used to remove a package that was previously installed globally.

These commands can be executed in the terminal by navigating to the root directory of the project.

Section 4.13: Version Constraints

In order to avoid compatibility issues and ensure that the correct versions of dependencies are installed, Composer allows you to specify version constraints for each package in your composer.json file.

Version constraints in Composer are used to specify which versions of a package are acceptable for installation. These constraints are used to ensure that the required version of a package is compatible with the rest of the project's dependencies.

There are two main types of version constraints: exact constraints and range constraints.

Exact constraints allow you to specify a specific version of a package that is required for your project. This is useful when you want to ensure that a specific version of a package is used in your project, regardless of any updates that may be available. Exact constraints are specified using the syntax "package-name: version".

Example:

json
{
	"require":{
		"monolog/monolog":"1.25.3"
	}
}

Range constraints, on the other hand, allow you to specify a range of acceptable versions for a package. This is useful when you want to allow for updates to the package, but still ensure that the updates are within a specific range of versions. Range constraints are specified using various operators.

The available operators are:

  • `>` Greater than
  • `<` Less than
  • `>=` Greater than or equal to
  • `<=` Less than or equal to
  • `~` Approximately equal to
  • `^` Compatible with

The `>` and `<` operators specify that the required version must be strictly greater or less than the specified version, respectively. The `>=` and `<=` operators specify that the required version must be greater than or equal to, or less than or equal to, the specified version, respectively.

The `~` operator allows for approximate matching, meaning that it allows for updates to the package, but only up to a certain point.

For example, specifying "~1.2.3" would allow for updates up to version 1.3, but not version 2.0.

The `^` operator is similar to the `~` operator, but with a slightly different behavior. It allows for updates to the package, but only up to the next major version.

For example, specifying "^1.2.3" would allow for updates up to version 2.0, but not version 3.0.

json
{
	"require":{
		"monolog/monolog":"^2.0"
	}
}

This tells Composer to install any version of the monolog/monolog package that is greater than or equal to version 2.0.0, but less than version 3.0.0.

Section 4.14: Publishing Packages

Composer not only helps you manage dependencies, but it also makes it easy to publish your own packages. With Composer, you can create your own package, add it to Packagist, and make it available for others to use.

To create a new package, you need to create a composer.json file in the root of your project. This file should contain information about your package, such as its name, version, and dependencies.

Here is an example composer.json file for a package named "my-package":

json
{
	"name": "my-vendor/my-package",
	"description": "My Package",
	"version": "1.0.0",
	"license": "MIT",
	"authors": [
		{
			"name": "Thusitha Avinda",
			"email": "thusithawijethunga@gmail.com"
		}
	],
	"require": {
		"monolog/monolog":"^2.0"
	}
}

Once you have created your package, you can add it to Packagist by following these steps:

  1. Create an account on Packagist.
  2. Log in to your Packagist account.
  3. Click on "Submit" at the top of the page.
  4. Enter the name of your package (e.g. "my-vendor/my-package").
  5. Click on "Submit".
  6. Wait for Packagist to index your package.

Once your package is added to Packagist, others can use it by adding it to their composer.json file and running composer update.

html
https://github.com/thusithawijethunga/php-plugin/blob/main/composer.json
json
{
    "name": "thusitha/php-plugin",
    "description": "php plugin",
    "keywords": [
        "php",
        "plugin"
    ],
    "license": "MIT",
    "type": "library",
    "require": {
        "guzzlehttp/guzzle": "^7.1"
    },
    "autoload": {
        "files": [
            "src/helper.php"
        ],
        "psr-4": {
            "Thusitha\\PhpPlugin\\": "src/"
        }
    },
    "authors": [
        {
            "name": "Thusitha Avinda",
            "email": "thusithawijethunga@gmail.com",
            "homepage": "https://github.com/thusithawijethunga",
            "role": "Owner"
        }
    ],
    "homepage": "https://github.com/thusithawijethunga",
    "prefer-stable": true
}

Conclusion

In this chapter, we've explored how to manage dependencies with Composer. We've looked at how to update, install, and remove packages, how to specify specific versions, how to use private package repositories, and how to use Composer autoloading. We've also discussed how to create and publish your own packages. In the next chapter, we'll look at some best practices for managing dependencies with Composer.

All content, including books, text, and media, on this website is the intellectual property of the author and is protected by copyright laws. Unauthorized copying, distribution, or use of any material on this site is strictly prohibited without explicit written permission from the author W G T Avinda.

© 2019-2025 All Rights Reserved.