PHP Dependency Management with Composer
Upcoming SlideShare
Loading in...5

PHP Dependency Management with Composer



A soup to nuts presentation on using Composer and repository servers to manage and leverage shared code libraries for personal projects to the largest enterprise.

A soup to nuts presentation on using Composer and repository servers to manage and leverage shared code libraries for personal projects to the largest enterprise.



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    PHP Dependency Management with Composer PHP Dependency Management with Composer Presentation Transcript

    • Sharing is Caring
    • Who Am I? • Selling Source Direct Lead Developer • Coupla CTO • Founder/Organizer of Las Vegas PHP Users Group • Co-Organizer of Las Vegas Developers Users Group • PHP Machinist Maintainer • #VegasTech Enthusiast Adam Englander @adam_englander
    • What is Dependency Management? Dependency management for this context is best described as the resolution and installation of library dependencies for a software project. This includes resolving potential conflicts between libraries and providing the dependencies for all libraries on the dependency tree.
    • Simple Example of Dependencies  My Project  PHP >= 5.5.0  Monolog >= 1.3.0, < 2.0 ○ PHP >= 5.3.0 ○ PSR Log >= 1.0, < 2.0
    • Sharing used to be hard
    • Legacy Solutions PEAR  PECL  Version Control System Sub-repositories (SVN, Git, Mercurial)  Directly adding dependencies to your codebase  Custom dependency manager  Write monolithic code bases 
    • PEAR – PHP Extension and Application Library     Multiple Repositories Private Repositories Sub-dependency version resolution Hundreds of libraries      One package install per server No common format for defining project dependencies Not extensible Each server had to be aware of repositories Publishing required
    • PECL– PHP Extension Community Library    Highly trusted libraries Hundreds of libraries Sub-dependency version resolution      One package install per server No common format for defining project dependencies No private repos Each server had to be aware of repositories Publishing required
    • VCS Sub-Repositories    Project based dependencies Private Repositories Potentially millions of libraries    Normally requires using the external library’s VCS No deep dependency management Need to monitor patches and updates to external libraries
    • Directly adding dependencies to your codebase    Project based dependencies Private Repositories Potentially millions of libraries    Project codebases have dependency code making them large and unwieldy You have to manually resolve all dependencies You have to test interoperability of all dependent libraries
    • Custom Repository Manager  If you can dream it, you can do it.   Difficult to write You must implement every feature and fix every bug
    • Monolithic Code Base   No need for dependency management Private Repositories      Harder to manage Harder to test Re-writing the same code in multiple projects. Maintaining the the same bug fixes in multiple projects. No leveraging of community code
    • DRY – Don’t repeat yourself or anyone else for that matter.
    • The Platform Composer – The fully self-contained and completely extensible client  Satis – The app for generating static servable repository data.  Packagist – The server for managing and maintaining dynamic repository data.  – The public Packagist server for open source libraries and projects. 21K+ packages. 
    • The alpha and the omega
    • Composer Overview  Command line client application for:      Searching repositories for packages Installing project skeletons Executing install/update hooks Managing project dependencies Managing project metadata Base code for servers  The only product on the platform necessary for managing dependencies in a project 
    • Installation There  Download the composer.phar from  Use the installer script from  Install from your *nix distro package manager (yum/apt/pkgsrc/homebrew)
    • Search the repositories vagrant:/$ composer search monolog monolog/monolog Sends your logs to files, sockets, inboxes, databases and various web services symfony/monolog-bundle Symfony MonologBundle symfony/monolog-bridge Symfony Monolog Bridge flynsarmy/slim-monolog Monolog logging support Slim Framework logentries/logentries-monolog-handler A handler for Monolog that sends messages to kamisama/monolog-init Very basic and light Dependency Injector Container for Monolog ddtraceweb/monolog-parser A parser for monolog log entries lexik/monolog-browser-bundle This Symfony2 bundle provides a Doctrine DBAL handler for Monolog and a web UI to display log entries graze/monolog-extensions Monolog extensions for use within Graze bazo/nette-monolog-extension Nette monolog compiler extension fancyguy/wordpress-monolog WordPress Monolog Integration kmelia/monolog-stdout-handler A handler for Monolog that sends messages to stdout (with color). support
    • Installing Project Skeletons vagrant:/$ composer create-project laravel/laravel --preferdist Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100% Created project in /tmp/laravel Loading composer repositories with package information Installing dependencies (including require-dev) - Installing filp/whoops (1.0.10) Downloading: 100% - Installing psr/log (dev-master 65f363a) Downloading: 100% …
    • Executing install/update hooks vagrant:/$ composer create-project laravel/laravel --prefer-dist Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100% … Writing lock file Generating autoload files Generating optimized class loader Application key [TzvXWZSq0MTEuqAEhzO0Vsq3yMbJZHP0] set successfully.
    • How to Setup Install/Update Hooks { "scripts": { "post-install-cmd": [ "php artisan optimize" ], "post-update-cmd": [ "php artisan clear-compiled", "php artisan optimize" ], "post-create-project-cmd": [ "php artisan key:generate" ] } }
    • Managing Project Dependencies: Overview A project can be initialized with the init command  Project dependencies can be configured by the command line or directly in the composer.json file.  The validate command will validate the composer.json file.  The composer.lock file will lock the revision/change number of the dependencies. 
    • Managing Project Dependencies: Overview (continued) The install command will install locked versions if composer.lock is present or act like the update command if not.  The update command will update the library versions and the composer.lock file.  Running the Composer binary without any commands will list the available commands.  Running the help command will provide help 
    • Managing Project Metadata: Overview  The composer specification allows for the following metadata:        Description – package description Type – I.E. project or library Keywords – Aid in searching repositories Homepage – Project homepage License – License type for the package Authors – Information about the authors Support – Information for obtaining support regarding the library
    • Managing Project Metadata: Example { "name": "composer/composer", "description": "Dependency Manager", "keywords": ["package", "dependency", "autoload"], "homepage": "", "type": "library", "license": "MIT", "authors": [ { "name": "Nils Adermann", "email": "", "homepage": "" } ], "support": { "irc": "irc://", "issues": "" } }
    • Managing Dependency Conflicts  You can manually resolve conflicts between in dependencies when:  Changing the version of one of the dependent packages that causes the conflict is not an option  The version you choose will not negatively effect either dependent package. "monolog/monolog": "1.7.0 as 1.6.0"
    • Applying Forks as Dependencies Alternate repositories can be used to provide versions with aliases  One of the following must be true for Composer to use an alternate repository:   The repository specifying the alias is listed before the repository containing original package in the composer.json file.  The repository containing original package does not have a version specified by the alias (risky)
    • Applying Forks as Dependencies: Example { "repositories": [ { "type": "vcs", "url": "" } ], "require": { "symfony/monolog-bundle": "2.0", "monolog/monolog": "dev-myfix as 1.0.x-dev” } }
    • Managing Repositories  Repositories hold package information in multiple types:       – Default repository Composer (Packagist/Satis/Manual) VCS (git/mercurial/subversion) PEAR – Using PEAR channels Artifact – Pre-built artifacts Package – Using libraries that All repositories except “Package” require a composer.json file.  Repository additions must be on the root package. 
    • Repository Will be the final repository searched  Enabled by default but can be disabled:  { "repositories": [ { "packagist": false } ] }
    • Composer Repository Provides a packages.json file.  Defined by URL. Path contains file.  Example inclusion:  { "repositories": [ { "type": "composer", "url": } ] }
    • VCS Repository Composer client will scan VCS repositories to find branches and tags with a composer.json file in the root.  Package name from the composer.json file.  Version is from the branch/tag name. Branch versions will be prefixed with dev-. 
    • Pear Repository  Composer access to existing PEAR channels. { repositories: [ { "type": "pear", "url": “”, “vendor-alias”: “phpunit” } ] }  Access repository packages via channel or alias  “”: “>=3.7.0”  “phpunit/PHPUnit”: “>=3.7.0”
    • Artifact Repository   Scans directory of zip files with composer.json files in the root of the zip. Uses package and version in composer.json file. { "repositories": [ { "type": "artifact", "url": "path/to/zips/dir” } ] }
    • Package Repository Defines the package and versions in the composer.json file.  Uses the same format as packages.json file from Composer repository.  Allows for providing shared code that is not available by any of the other means. 
    • Package Repository Example {“packages”: [ { "type": "package", "package": { "name": ”smarty/smarty", "version": ”3.1.7", "dist": { "url": "", "type": "zip” } } } ]}
    • Simple repository management for small organizations
    • Satis: Easy as Pie Maintain a JSON based meta-data file with the list of repositories to scour.  Execute the command and it will provide:   Composer compliant packages.json file  HTML file with instructions on adding the repository to a composer.json file as well as a filterable list.
    • Satis: Repository Cache If the archive section is configured in the Satis meta-data file, Satis will scan all repositories defined and create local archives  If options require-dependencies is set to true, it will also cache dependencies. This only works on known packages in the defined repositories.  Here’s a link to an excellent article on how to affectively cache 
    • Satis Metadata Example { "name": "My Repository", "homepage": "", "repositories": [ { "type": "vcs", "url": "" } ], "require-all": true }
    • Satis Conclusions      Simple to use Easy to deploy Full PHP implementation Uses static files for hosting Can cache repositories from VCS and Packagist     Requires management of a config file Becomes unwieldy for large numbers of packages Limited search and package information Requires shared disk for HA
    • The enterprise repository manager
    • Packagist…and a bag of chips Web based package management  Optimized search via Solr  Allows for high availability via MySQL  API for remotely triggering package scans  Package statistics 
    • Packagist Conclusions     Web based management interface Solr based search HA capable Virtually unlimited package management     No archives for non Github/BitBucket VCS repositories Complex architecture Requires MySQL and Solr knowledge and management Only VCS packages
    • Your one stop shop for open source projects and libraries
    • One Repository to Rule Them All 21,762 packages (1/7/2014)  Default package manager for Composer  Free accounts to register/maintain packages  Contains nearly every widely used open source PHP package  Just use it! 
    • Registering a package       Get a user Log in Click “Submit a Package” Enter the URL for your public repository Click “Check” Optionally but suggested: Register a commit hook to scan for updates on commit.  Github has a pre-configured hook  BitBucket can use a POST hook