Nh php may 2014 - composer


  1. Avoid Version Chaos: PHP Dependency Management with Composer
  2. Shameless Self-Promotion: Who Am I?
     ● David Weingart
     ● PHP user since 2001
     ● Currently Web Development Manager at the UNH InterOperability Laboratory
     ● Twitter: @dweingart
     ● https://www.linkedin.com/in/dbweingart
  3. What is Composer?
     ● Composer is a dependency manager for PHP
       o It downloads, installs, and loads dependencies you specify in a composer.json file
     ● A dependency is any code that your application requires in order to function
       o Think libraries like Monolog or Doctrine, or frameworks like Symfony or Laravel
  4. Why use Composer?
     ● You could just download the libraries you need, right?
       o Sure, but Composer has the following benefits:
         ▪ Declarative dependencies
         ▪ Handles recursive dependencies
         ▪ Easy autoloading of packages
         ▪ Integration with Packagist
  5. Installation
     ● Unix systems (Linux/Mac OS X)
       o curl -Ss https://getcomposer.org/installer > installer.php
       o vim installer.php # Verify the download is not malicious
       o php installer.php --install-dir=/usr/local/bin --filename=composer
         ▪ Composer installed globally as /usr/local/bin/composer
       o Don’t follow the instructions on the download page to pipe the installer through PHP without looking at the code.
     ● Windows
       o Download the Composer Windows installer and run it
         ▪ https://getcomposer.org/Composer-Setup.exe
  6. Hello World
     $ composer init
     ● Init will interactively create an initial composer.json file for you
  7. Sample Composer.json
     {
         "name": "dweingart/hello-world",
         "description": "Basic Composer demonstration",
         "require": {
             "slim/slim": "2.*",
             "slim/views": "*",
             "twig/twig": "1.*"
         },
         "license": "BSD",
         "authors": [
             {
                 "name": "David Weingart",
                 "email": "dweingart@pobox.com"
             }
         ]
     }
  8. Declaring Dependencies
     ● Declare dependencies in the “require” section of composer.json
       o Dependencies consist of a package name and a version specification
         ▪ Package names are vendor/package
           ● twig/twig is the Twig template engine, and twig/extensions is the official Twig extensions package
       o Packages are installed from a repository
         ▪ Default repository is Packagist (you can add more)
  9. Version Specification
     ● Exact version: 1.2.3
     ● Wildcard: 1.2.*
     ● Range: >=1.0,<1.2
       o With ranges you can exclude a known-bad release
     ● Next Significant Release: ~1.2
       o Equivalent to >=1.2,<2.0
     ● Version specifications interact with the stability-flag setting. You can also set per-package stability flags.
  10. Composer Update
     $ composer update <package>
     ● Will update the code in your vendor directory to the latest versions based on your version specifications
     ● Example:
       o Version specification: 1.2.*
       o Current installed version: 1.2.3
       o Latest release: 1.2.10
       o Update will download and install 1.2.10
     ● Updates the composer.lock file with the exact versions installed
     ● Be careful with update as it has the potential to break your application
       o Revert a bad update by reverting the lock file and running install
  11. Composer Install
     $ composer install
     ● Downloads and installs the exact versions of the packages defined in the composer.lock file
       o Exception: if there’s no lock file it uses composer.json and performs an update to generate an initial lock file
     ● Production systems should never use composer update and should only use composer install
  12. Integration with VCS
     ● Do: Check composer.json and composer.lock into version control
     ● Don’t: Check in the vendor directory
  13. Autoloader
     ● Composer includes a handy autoloader for any class that it manages
     ● You can also configure the autoloader to load your own classes
       o require 'vendor/autoload.php';
       o $app = new \Slim\Slim();
       o $db = new \MyApp\DB\Connector();
  14. Packagist
     ● Packagist is the main source of Composer packages
     ● Pro: Anyone can submit packages
       o Lots to choose from
     ● Con: Anyone can submit packages
       o Due diligence is required
  15. Advanced Features
     ● Repositories other than Packagist
       o Composer can load packages from PEAR, Git, Subversion, a private Packagist instance, or even a zip file.
     ● require-dev
       o Packages required only for testing (e.g. PHPUnit) can be placed in a require-dev section and updated separately.
  16. Advanced Features
     ● Aliases
       o To satisfy dependencies you can alias branch names to versions
         ▪ "monolog/monolog": "dev-bugfix as 1.0.x-dev"
     ● Packages can include vendor binaries
       o This is used by some frameworks to allow you to quickly create new projects
  17. WordPress Support
     ● WordPress
       o No official support, but community efforts to support installing WP core and plugins using Composer
       o Resources
         ▪ Composer in WordPress
         ▪ WP Packagist
           ● Mirrors official WP themes and plugin directory as a Composer repository
  18. Drupal Support
     ● Drupal 8 will support composer for updating core packages
     ● There exists today a Drupal 8 package in Packagist
  19. Security Notes
     ● Recommended installation method - don’t pipe untrusted code to PHP
     ● Anyone can publish to Packagist without a security review
     ● Falls back to regular HTTP without warning
     ● Packages can register scripts that execute on install (but you can disable this)
     ● Does not validate SSL certificates
     ● No code signing yet
  20. Resources
     ● Composer Documentation
     ● Packagist
     ● Presentation: Composer & You
       o An opinionated look at Composer and running your own package repository by @MrDanack
     ● Accelerate Drupal 8 Development
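
Added example (not part of the original slides): a Python sketch of the four constraint forms from slide 9 and of the lock-file discipline from slides 10-12, run against the "require" section of the sample composer.json. The lock contents are constructed, the function names are illustrative, and Composer's own resolver also handles stability flags, dev branches and further operators that are left out here.

```python
import operator

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}

def parse(version):
    """'v1.2.10' -> (1, 2, 10). Stable numeric versions only (no dev branches)."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def bump(parts):
    """Exclusive upper bound: increment the last given component."""
    return parse(".".join(map(str, parts[:-1] + [parts[-1] + 1])))

def matches(part, v):
    for sym in (">=", "<=", ">", "<"):               # range operators
        if part.startswith(sym):
            return OPS[sym](v, parse(part[len(sym):]))
    if part == "*":
        return True
    if part.endswith(".*"):                          # wildcard: 1.2.* -> >=1.2,<1.3
        fixed = [int(p) for p in part[:-2].split(".")]
        return parse(part[:-2]) <= v < bump(fixed)
    if part.startswith("~"):                         # ~1.2 -> >=1.2,<2.0
        fixed = [int(p) for p in part[1:].split(".")]
        return parse(part[1:]) <= v < bump(fixed[:-1] or fixed)
    return v == parse(part)                          # exact version

def satisfies(spec, version):
    """True if version meets every comma-separated (ANDed) part of spec."""
    return all(matches(p.strip(), parse(version)) for p in spec.split(","))

def audit(manifest, lock):
    """Compare composer.json 'require' against composer.lock 'packages'."""
    locked = {p["name"]: p["version"] for p in lock.get("packages", [])}
    findings = []
    for name, spec in manifest.get("require", {}).items():
        if spec == "*":
            findings.append((name, "unbounded constraint"))
        if name not in locked:
            findings.append((name, "missing from composer.lock"))
        elif not satisfies(spec, locked[name]):
            findings.append((name, f"locked {locked[name]} violates {spec}"))
    return findings

# 'require' section from the sample composer.json; lock contents are constructed.
MANIFEST = {"require": {"slim/slim": "2.*", "slim/views": "*", "twig/twig": "1.*"}}
LOCK = {"packages": [{"name": "slim/slim", "version": "2.4.2"},
                     {"name": "slim/views", "version": "0.1.0"},
                     {"name": "twig/twig", "version": "v2.0.0"}]}

if __name__ == "__main__":
    for name, problem in audit(MANIFEST, LOCK):
        print(f"{name}: {problem}")
```

A check like this fits in CI ahead of composer install, so that a wildcard-only constraint or a lock file that has drifted from composer.json is caught before deployment.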
