The document discusses leveraging Composer, a dependency manager for PHP projects, to manage and migrate libraries in existing software. It covers the benefits of using Composer, installation procedures, package versioning, and examples of various Composer commands, emphasizing the importance of cleaning up and organizing libraries for better project management. Additionally, it includes considerations for handling altered libraries and testing during updates, encouraging structured migration processes and communication among project teams.

1. Leveraging Composer
in Existing Projects
Mark Niebergall
https://joind.in/talk/774d7

2. About Mark Niebergall
• PHP since 2005
• Masters degree in MIS
• Senior Software Engineer
• Drug screening project
• UPHPU President
• CSSLP, SSCP Certified and SME
• Drones, fishing, skiing, father, husband

5. Leveraging Composer in
Existing Projects

6. Leveraging Composer in
Existing Projects
• Survey
- Have heard of composer?
- Are familiar with what composer is?
- Have used composer?
- Have contributed to composer?

7. Leveraging Composer in
Existing Projects
• My experience
- Large project that has been around a while
- Some older code areas
- Various architectural styles over the years
- Various libraries within the project

8. Leveraging Composer in
Existing Projects
• My experience
- Libraries scattered in project
- Some libraries were old
- Some libraries were even altered

9. Leveraging Composer in
Existing Projects
• My experience
- Made the effort to clean up libraries
- Identify libraries and versions
- Created user stories
- Made the migration

10. Leveraging Composer in
Existing Projects
• My experience
- Libraries were organized
- Visibility into libraries used
- Much easier to manage and upgrade
- Much easier to add new libraries

11. Leveraging Composer in
Existing Projects
• Objectives
- Know why and how to use composer
- Leverage composer in your projects

12. Leveraging Composer in
Existing Projects
• Topics
- What composer is
- Using composer
- Migrating libraries

13. What composer is

14. What composer is
• Created by Nils Adermann and Jordi Boggiano in 2012
• MIT license

15. What composer is
• https://getcomposer.org/
- Installation instructions
- Documentation

16. What composer is
• Dependency manager for PHP projects

17. What composer is
• Tool to manage libraries used by a project

18. What composer is
• Best practice for dependency management for PHP
projects

19. What composer is
• Manage libraries
- Add libraries to project
- Autoload libraries
- Versioning
- Library dependencies
- Remove libraries

20. What composer is
• Uses packagist for package information
- https://packagist.org/
- Submit packages to website
- Versions
- Dependencies
- Location

21. What composer is
• Handles autoloading
- Automatically includes package files when needed
- Use along with other project autoloaders
‣ require_once __DIR__ . ‘/../vendor/autoload.php’;
require_once __DIR__ . ‘/../src/Autoloader.php’;

22. What composer is

23. Using composer

25. Using composer
• Installing composer
• Adding packages
• Updating packages
• Removing package

26. Using composer
• Installing composer
- Download phar installer file
- Run installer with php
- Move to bin
- curl -s https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer

27. Using composer
• Installing composer
- Windows download https://getcomposer.org/
Composer-Setup.exe

28. Using composer
• Installing composer
- php /path/to/composer.phar command
- composer command

29. Using composer
• Installing composer
- Command line tool
- Are some UI helpers

30. Using composer
• composer package versioning

31. Using composer
• composer package versioning
- * = wildcard
- ~ = up to but not including next version
- ^ = up to but not including next major version

32. Using composer
• composer package versioning
- 4.5.2 means only 4.5.2

33. Using composer
• composer package versioning
- 4.5.* means 4.5 and below 4.6

34. Using composer
• composer package versioning
- ~4.5 means >= 4.5 and <5.0
- ~4.5.6 means >= 4.5.6 and < 4.6

35. Using composer
• composer package versioning
- ^4.5 means >= 4.5.0 and < 5
- ^4.5.6 means >= 4.5.6 and < 5
- Default versioning format if not specified

36. Using composer
• composer commands

37. Using composer
• composer commands
- composer init
- composer require
- composer install
- composer update
- composer create-project
- composer remove

38. Using composer

39. Using composer
• composer init

40. Using composer
• composer init
- Initialize a project with composer
- Creates autoloader
- Define basic settings
- Interactively install packages
- Creates composer.json file

41. Using composer
• composer init
{
"name": “mniebergall/composer",
"description": "Leveraging Composer in Existing Projects",
"authors": [
{
"name": "Mark Niebergall",
"email": “myemail@example.com”
}
],
"require": {}
}

42. Using composer
• composer require

43. Using composer
• composer require
- Add packages to a project
- Install the package plus dependencies

44. Using composer
• composer require
- Adds package to composer.json file
- Creates or updates the composer.lock file

45. Using composer
• composer require
- Package files are saved into the /vendor/ directory
- Autoloader is updated to load the package files
automatically

46. Using composer
• composer require
- Only run in development environment
- Not to be used in other environments

47. Using composer
• composer require
- composer require --dev vendor/package
‣ Only installs in development with ‘install’ command
• Testing frameworks (PHPUnit, behat, etc)
• Code analysis and statistics

48. Using composer
• composer require
- composer require --dev phpunit/phpunit
"require-dev": {
"phpunit/phpunit": "^6.3"
}

49. Using composer
• composer require
- composer require --dev fzaninotto/faker

50. Using composer
• composer require
- composer require --dev h4cc/phpqatools
‣ PHPUnit, PHP-Invoker, DbUnit, PHPLOC, PHPCPD,
PHP_Depend, PHPMD, PHP_CodeSniffer, Fabien
Potencier/PHP Coding Standards Fixer, Sensiolabs/
Security-Checker, and Behat

51. Using composer
• composer require
- composer require group/package
‣ See packagist for group/package
‣ Find project on GitHub, read the instructions
• Most will have composer installation command
• If not there are options

52. Using composer
• composer require
- composer require group/package VERSION
- composer require ramsey/uuid
- composer require ramsey/uuid 3.7
- composer require ramsey/uuid=^2.9
- composer require ramsey/uuid ^3.7

53. Using composer
• composer require
{
"name": “mniebergall/composer",
"description": "Leveraging Composer in Existing Projects",
"authors": [
{
"name": "Mark Niebergall",
"email": “myemail@example.com”
}
],
"require": {
"ramsey/uuid": “^3.7"
}
}

54. Using composer
• composer install

55. Using composer
• composer install
- Installs packages as defined in composer.lock file
- If no lock file then as defined in composer.json
‣ Generates composer.lock file

56. Using composer
• composer install
- composer install --no-dev
‣ Skips require-dev packages
‣ Use this in non-development environments
• We’ll discuss deployment considerations at the
end

57. Using composer
• composer install{
- phpsp, add this to composer.json
‣ "require-dev": {
"phpspec/phpspec": "^4.0"
},
"config": {
"bin-dir": "bin"
},
"autoload": {"psr-0": {"": “src”}}
‣ Then run composer install

58. Using composer
• composer update

59. Using composer
• composer update
- Updates packages to latest based on composer.json
contents
- Also updates necessary dependencies
- Updates content of composer.json and composer.lock
files

60. Using composer
• composer update
- composer update
‣ Update all packages
‣ Not recommended
- composer update group/package
‣ Target specific packages

61. Using composer
• composer update
- composer update group/package version
‣ composer update --dev phpunit/phpunit ^6

62. Using composer
• composer create-project

63. Using composer
• composer create-project
- New project from existing package
- Clones down repo, checkout, installs dependencies

64. Using composer
• composer create-project
- Skeleton projects
- Often used with projects using a framework
- Zend, Laravel, and others

65. Using composer
• composer remove

66. Using composer
• composer remove
- Removing lines from composer.json will not work
without a composer update

67. Using composer
• composer remove
- composer remove vendor/package
- Removes entry from composer.json
- Removes entry from composer.lock
- Removes dependencies
- Removes files from vendor directory

68. Using composer
• composer.json

69. Using composer
• composer.json
- Project configuration
- Packages to be used
- Package versions
- Used to generate composer.lock file

70. Using composer
• composer.json
- Can be manually updated
- Can run commands up update it
‣ composer require group/package

71. Using composer
• composer.json
- Define internally hosted packages
- Environment properties
‣ PHP version for compatibility

72. Using composer
• composer.lock

73. Using composer
• composer.lock
- Generated based on contents of composer.json
- Should not be manually edited
- Let composer manage contents

74. Using composer
• composer.lock
- Defines packages and dependencies to be installed
- composer install reads the composer.lock file

75. Using composer

76. Migrating libraries

77. Migrating libraries
• Benefits of migrating
• How to migrate

78. Migrating libraries
• Benefits of migrating
- Cleans the codebase
- Project only includes project files

79. Migrating libraries
• Benefits of migrating
- Centralizes library (package) management
- Easier library management

80. Migrating libraries
• Benefits of migrating
- Keep libraries current
‣ Bug fixes
‣ Security patches
‣ Features
‣ Performance

81. Migrating libraries
• How to migrate libraries

82. Migrating libraries
• How to migrate libraries
- Use source control
‣ Git (preferred)
‣ Mercurial

83. Migrating libraries
• How to migrate libraries
- Create user stories/tickets to track the progress

84. Migrating libraries
• How to migrate libraries
- Transparency with everyone impacted
‣ Development
‣ QA
‣ Project management
‣ Release team

85. Migrating libraries
• How to migrate libraries
- Identify libraries currently included in project
‣ Frameworks
‣ Tools
‣ Helpful libraries

86. Migrating libraries
• How to migrate libraries
- Identify libraries currently included in project
‣ Search for ‘@license’
‣ Tribal knowledge

87. Migrating libraries
• How to migrate libraries
- Vet libraries found
‣ Consolidation? ex: can framework do that?
‣ Secure?
‣ Altered? Run a compare? If so why?

88. Migrating libraries
• How to migrate libraries
- Vet libraries found
‣ Still needed? ex: deprecated functionality,
paragonie/random_compat or PHP 7?
‣ Better library available now?
‣ Best practices?
‣ Built into PHP core? ex: NuSOAP vs PHP Soap

89. Migrating libraries
• How to migrate libraries
- Find the package on packagist
‣ Actively maintained
‣ Popularity
‣ Community acceptance
‣ Documentation

90. Migrating libraries
• How to migrate libraries
- Find the package on packagist
‣ Determine desired version
‣ Review dependencies
‣ Consider alternatives

91. Migrating libraries
• How to migrate libraries
- Review the library source
‣ Unit tests
‣ Coding standards
‣ Time to close open bugs and security issues
‣ Architecturally sound

92. Migrating libraries
• How to migrate libraries
- Steps
‣ Tests
‣ Include the library using composer
‣ Remove old library files from source control
‣ Tests

93. Migrating libraries
• How to migrate libraries
- Steps
‣ Make a pull request
• .gitignore or equivalent ignores /vendor/
• Add changed files, including composer.json and
composer.lock

94. Migrating libraries
• How to migrate libraries
- Steps
‣ Make a pull request
• commit
• push
• create PR

95. Migrating libraries
• How to migrate libraries
- Steps
‣ Code reviews
• Automated tests
• Functional tests
• Peer review

96. Migrating libraries
• How to migrate libraries
- Steps
‣ Raise awareness
• QA team
• Project management
• Release team

97. Migrating libraries

98. Considerations

99. Considerations
• Handling altered libraries
- Understand why
- Use pure versions
- Make PR to fix issues
- Document what is wrong

100. Considerations
• Testing when updating packages
- composer update vendor/package version
- Domino effect with dependencies

101. Considerations
• Deployment
- composer install —no-dev
- From files
‣ Azer Koçulu case of unpublishing 250+ NPM
modules

102. Considerations
• Open discussion

103. Considerations

104. Questions?
• Rate on joind.in
- https://joind.in/talk/774d7

105. Sources
• https://www.theregister.co.uk/2016/03/23/
npm_left_pad_chaos/
• https://getcomposer.org/