Composer: good practices


Kuba Werłos


intive

Semantic Versioning


MAJOR.MINOR.PATCH

  • MAJOR — incompatible (breaking) API changes
  • MINOR — add functionality in a backwards-compatible manner
  • PATCH — backwards compatible bug fixes



Semantic Versioning

Before the first stable release:
  • Dev ⟶ 0.1.0
  • Fixes ⟶ 0.1.1
  • Breaking changes ⟶ 0.2.0
  • First stable ⟶ 1.0.0

After the first stable release:
  • Fixes ⟶ 1.0.1
  • Fixes ⟶ 1.0.2
  • New features ⟶ 1.1.0
  • Breaking changes ⟶ 2.0.0

Releasing package





Version Constraints



any


*

Version Constraints



exact match


1.0.0
dev-master

Version Constraints



wildcard range


1.0.*
2.*

Version Constraints



hyphen range


1.0 - 2.0
(>=1.0.0 <2.1)

Version Constraints



unbounded range


>=2.0

Version Constraints



operators


(space) ⟶ AND: every listed constraint must match

|| ⟶ OR: any one of the listed constraints may match

Version Constraints



Tilde Version Range


~1.2
(>=1.2.0 <2.0.0)

Version Constraints



Tilde Version Range


~1.2.3
(>=1.2.3 <1.3.0)

Version Constraints



Caret Version Range


^1.2.3
(>=1.2.3 <2.0.0)

Version Constraints



~1.2 (>=1.2.0 <2.0.0)
~1.2.3 (>=1.2.3 <1.3.0)
^1.2 (>=1.2.0 <2.0.0)
^1.2.3 (>=1.2.3 <2.0.0)

Version Constraints



libraries

PHP

PHP extensions



Version Constraints


composer require acme/package


{
"require": {
"acme/package": "^1.2"
}
}

Overly strict requirements

/* composer.json */
{
"require": {
"cool/alice": "~1.3",
"lazy/bob": "~1.2"
}
}
/* dependencies */
{
"name": "cool/alice",
"require": {
"monolog/monolog": "~1.6"
}
}
{
"name": "lazy/bob",
"require": {
"monolog/monolog": "1.3.*"
}
}
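The conflict on this slide (cool/alice wants monolog ~1.6, lazy/bob wants 1.3.*) and the tilde/caret table above can be checked mechanically. The following is an added Python illustration, not Composer's own resolver: it maps each constraint to a half-open version range using the rules from the slides (plus the 0.x caret rule, ^0.3 means >=0.3.0 <0.4.0) and reports whether a set of constraints admits any version at all. Pre-release suffixes and `||` are deliberately left out of this model.

```python
import re

INF = (float("inf"),)  # upper-bound sentinel: sorts after every version tuple
_TERM = re.compile(r"(\^|~|>=|<)?(\d+(?:\.\d+)*)(\.\*)?")

def parse(v):
    """'1.2' -> [1, 2]; how many parts were given matters for ~ and ^."""
    return [int(p) for p in v.split(".")]

def pad(parts):
    """Fill missing components with zeros: [1, 2] -> (1, 2, 0)."""
    return tuple((list(parts) + [0, 0, 0])[:3])

def bump(parts, index):
    """First excluded version: increment component `index`, drop the rest."""
    return pad(parts[:index] + [parts[index] + 1])

def normalize(constraint):
    """Map a space-separated AND group of constraints to (low_inclusive, high_exclusive)."""
    if " - " in constraint:                    # hyphen range: "1.0 - 2.0" == >=1.0.0 <2.1.0
        a, b = (parse(s) for s in constraint.split(" - "))
        return pad(a), bump(b, len(b) - 1)
    lo, hi = (0, 0, 0), INF
    for term in constraint.split():
        if term == "*":                        # "*" admits any version
            continue
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unsupported constraint: {term!r}")
        op, parts, wildcard = m.group(1), parse(m.group(2)), m.group(3)
        if op == "^":                          # caret: below next major (next minor while 0.x)
            t = pad(parts), bump(parts, 1 if parts[0] == 0 and len(parts) > 1 else 0)
        elif op == "~":                        # tilde: below next of the second-last given part
            t = pad(parts), bump(parts, max(len(parts) - 2, 0))
        elif wildcard:                         # "1.3.*" == >=1.3.0 <1.4.0
            t = pad(parts), bump(parts, len(parts) - 1)
        elif op == ">=":
            t = pad(parts), INF
        elif op == "<":
            t = (0, 0, 0), pad(parts)
        else:                                  # exact match: that single version only
            t = pad(parts), bump(list(pad(parts)), 2)
        lo, hi = max(lo, t[0]), min(hi, t[1])
    return lo, hi

def satisfiable(*constraints):
    """True when one version meets every constraint; False is the slide's monolog conflict."""
    ranges = [normalize(c) for c in constraints]
    return max(r[0] for r in ranges) < min(r[1] for r in ranges)
```

`satisfiable("~1.6", "1.3.*")` returns False, which is exactly why Composer refuses to install cool/alice and lazy/bob together; loosening lazy/bob to `^1.3` makes it True.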

Check your minimum dependencies



composer update --prefer-lowest

Stabilities

dev ⟶ alpha ⟶ beta ⟶ RC ⟶ stable


Tags
2.0.2 ⟶ stable
2.0.0-alpha2 ⟶ alpha


Branches
2.0 ⟶ 2.0.x-dev (dev)
master ⟶ dev-master (dev)

Stabilities

allowing various stabilities


{
"require": {
"foo/bar": "^1.0@dev",
"foo/baz": "^1.0@alpha"
},
"minimum-stability": "beta"
}

Minimum stability


Don't set minimum-stability property,

it defaults to stable.


Use stability flags,

… if you REALLY have to.


composer.lock


composer.lock


If composer.lock does not exist, composer install and composer update do the same thing.

If it exists, composer install works much faster.


A composer.lock inside a dependency (under vendor/) has no effect on your project.


composer.lock



commit it to git in applications


put it into .gitignore in libraries

Specify the production PHP version


{
"config": {
"platform": {
"php": "7.3"
}
}
}

Optimize class map

{
"autoload": {
"psr-4": {
"Acme\\": "src/"
}
}
}
  • composer dump-autoload --optimize
  • composer dump-autoload --classmap-authoritative
{
"config": {
"optimize-autoloader": true,
"classmap-authoritative": true
}
}

Commands


{
"scripts": {
"post-install-cmd": [
"MyVendor\\MyClass::warmCache"
],
"analyse": [
"php-cs-fixer fix --dry-run -v",
"phpstan analyse"
],
"test": [
"phpdbg -qrr vendor/bin/phpunit"
],
"verify": [
"@analyse",
"@test"
]
}
}

Plugins





Features

depends / prohibits (why / why-not)

$ composer prohibits php:8
doctrine/cache v1.6.0 requires php (~5.5|~7.0)
doctrine/common v2.6.1 requires php (~5.5|~7.0)
doctrine/instantiator 1.0.5 requires php (>=5.3,<8.0-DEV)

outdated

$ composer outdated
doctrine/common 2.13.3 3.0.2 PHP Doctrine Common project is a library…
doctrine/dbal 2.12.1 3.0.0 Powerful PHP database abstraction layer…

Experiencing a strange behavior?


  • composer self-update
  • composer diagnose
  • composer update -v
  • rm composer.lock
    rm -rf vendor
    composer update

Automating


composer validate --strict --with-dependencies


composer normalize --dry-run


sensiolabs/security-checker

symfony check:security

Composer 2.0


Performance improvements

Architectural changes and determinism

Error reporting improvements

Backwards compatibility breaks?

Useful links






Questions?

Thank you


kubawerlos

https://kubawerlos.github.io/slides

SymfonyLive Online Polish Edition 2021