Managing dependencies with composer is super easy and fun. This is the second article in my composer series. I assume that you have already installed and configured composer on your development machine. If you are here for the first time, or are a newbie in the composer world, I recommend you read the first article, Meet the Beautiful Composer, and then come back here. So now you know composer! Let’s jump in.

Use Composer in Project:

I hope you have your development environment set up and ready to start. If not, there is a complete article on my blog, PHP Development Environment Setup for OS X, dedicated to this topic.

Let’s create a new project called ‘test’ in your site directory and move into it immediately.

mkdir test; cd test;

Run this command to initialize the project with composer.

composer init

Composer will ask you some questions, such as the package name, description, license and dependencies. If anything seems confusing to you, just leave it blank for now; we can change it later. At the end, composer will create a composer.json file inside your project directory.

The composer.json file looks like:

{
    "name": "munna/test",
    "description": "playing with composer",
    "type": "test",
    "license": "MIT",
    "authors": [
        {
            "name": "Munna Khan",
            "email": "[email protected]"
        }
    ],
    "minimum-stability": "dev",
    "require": {}
}

I kept the require object empty. Composer uses packagist.org as its package repository. Let’s pull some packages from packagist.org. For test purposes I’m looking for a package named log by psr. There are multiple ways to add dependencies, and I’ll show you all of them.

  1. Search for the package: Just run this command:

composer require

Composer will ask you for the package name. Type log and press enter. Composer will show you a list of packages; just enter the index of the package and the version you require. In our case the index is ‘0’ and the version is ‘1.0’.

TIPS: Leave the version number blank to get the latest version available, but giving a number is good practice.

TIPS: You can find the available versions on packagist.org.

  2. Direct approach: If you know which package you need, this is the easiest way.

composer require psr/log 1.0

You will see a handful of changes in the project directory. Composer creates a new directory named vendor and a new file, composer.lock, and also updates composer.json.

"require": {
    "psr/log": "1.0"
}

  3. Manual: You can update the composer.json file manually and run

composer install

Now in the vendor directory there are two directories, named composer and psr. Every time we require a new package in our project, composer will create a new directory labeled with the package’s vendor name (like psr).

Required for Dev.:

Sometimes you need a package only on the development side and not on the production side. For packages required only on the dev machine we can use the require-dev object. Add a “require-dev” object under the ‘require’ object in the composer.json file.

{
    "name": "munna/test",
    "description": "playing with composer",
    "type": "test",
    "license": "MIT",
    "authors": [
        {
            "name": "Munna Khan",
            "email": "[email protected]"
        }
    ],
    "minimum-stability": "dev",
    "require": {
        "psr/log": "1.0"
    },
    "require-dev": {
    }
}

To install a development dependency, add the package to the require-dev block or run

composer require --dev phpunit/phpunit 5.2

This time phpunit is the package we want to download only for the development environment. Now the require-dev block looks like this:

"require-dev": {
    "phpunit/phpunit": "5.2"
}

NOTE: Run the ‘composer update’ command every time you update the composer.json file.

Now we can manage our project dependencies.

The Lock File:

When we work on a project and install some packages for the first time, composer updates the composer.lock file with the exact versions of the packages installed. This is important when you work on a team, so that everyone on your team runs the same versions of the dependencies. Even if you are a solo developer like me, when you reinstall the application after a few months and run composer install, you’ll have the same dependencies you had before. Some of your packages may have newer versions by then, but you don’t have to worry about that, because you know your project will not be affected by the changes. So it is best practice to include the composer.lock file with the project.

When composer runs the install command, it looks for the composer.lock file first. If it exists, composer will install the exact versions listed (locked) there and ignore what composer.json says.

NOTE: Composer will display a Warning when executing an install command if composer.lock and composer.json are not synchronized.

TIPS: If you are using version control, commit your composer.lock with the project files.
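
An added example, not from the original article: a small Python check that a CI job could run to confirm composer.lock still matches composer.json, so the versions that get installed are the ones that were reviewed and committed. The function names and sample files are constructed for illustration, and only exact numeric constraints such as 1.0 are compared.

```python
import json
import re

def normalize(version):
    """Pad a plain numeric version to four parts: '1.0' -> '1.0.0.0'."""
    parts = version.lstrip("v").split(".")
    return ".".join(parts + ["0"] * (4 - len(parts)))

def lock_drift(composer_json, composer_lock):
    """List the places where composer.lock disagrees with composer.json."""
    manifest, lock = json.loads(composer_json), json.loads(composer_lock)
    prod = {p["name"]: p["version"] for p in lock.get("packages", [])}
    dev = {p["name"]: p["version"] for p in lock.get("packages-dev", [])}
    findings = []
    # A dev requirement may be locked under "packages" when production code needs it too.
    for section, locked in (("require", prod), ("require-dev", {**dev, **prod})):
        for name, constraint in manifest.get(section, {}).items():
            if "/" not in name:  # platform requirement (php, ext-*): not a locked package
                continue
            if name not in locked:
                findings.append(f"{section}: {name} is not in composer.lock")
            # Simplification: only exact numeric constraints are compared; ranges are skipped.
            elif re.fullmatch(r"v?\d+(\.\d+){0,3}", constraint) and \
                    normalize(constraint) != normalize(locked[name]):
                findings.append(f"{section}: {name} wants {constraint}, lock has {locked[name]}")
    return findings

# Constructed sample input: the article's requirements plus a "php" platform requirement.
SAMPLE_JSON = """{
    "require": {"php": ">=5.6", "psr/log": "1.0"},
    "require-dev": {"phpunit/phpunit": "5.2"}
}"""
# Constructed lock files, trimmed to the fields the check reads.
LOCK_IN_SYNC = """{
    "packages": [{"name": "psr/log", "version": "1.0.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "5.2.0"}]
}"""
LOCK_STALE = """{
    "packages": [{"name": "psr/log", "version": "1.0.2"}],
    "packages-dev": []
}"""

if __name__ == "__main__":
    for label, lock in (("in sync", LOCK_IN_SYNC), ("stale", LOCK_STALE)):
        print(label, lock_drift(SAMPLE_JSON, lock))
```

An empty result means every declared package is locked at the declared version; any finding is a reason to stop the build and regenerate or review the lock file.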

Composer Install vs Composer Update:

There is a lot of confusion about when to run composer install and when to run composer update. You already have an idea from the names. When you create a new project and add some dependencies to the composer.json file, you run composer install. When, later in the project workflow, you require some new dependencies, you run composer update.

When you run composer install, it looks for the composer.lock file and installs packages as the lock file says. composer update, on the other hand, reads the composer.json file, updates packages and installs new packages if required. As simple as that.

NOTE: Both commands will create the composer.lock file if it does not exist.

Conclusion:

Composer offers too much to discuss in a single article. I’ll write a few more articles about other features available in composer, like autoloading and hooks. Thanks for reading my blog.