How To Manage PHP Dependencies Using Composer


PHP dependency management is crucial for making the most out of your development efforts. It keeps the third-party packages and libraries that your project depends on working as intended.

Composer is a popular tool for dependency management in PHP projects, much as npm or Yarn is for JavaScript (and Node.js).

With the Composer package manager, you declare the libraries your project requires and Composer manages them for you. You can use it to install, update, and manage your PHP dependencies.

This article talks about how to use Composer to manage dependencies in the PHP programming language.

PHP dependency management with Composer

Composer is a free and open source tool you can use to make managing PHP dependencies easier. As your project becomes bigger, it becomes difficult to track all of its moving parts. 

However, with Composer, you can effectively manage your direct and transitive dependencies (dependencies of dependencies) in PHP and release quality software.

Here are some benefits of using Composer:

  • Allows you to incorporate ready-made packages that help you solve common programming problems.
  • Helps you to keep all your packages up-to-date.
  • Conveniently autoloads all your files and classes.
  • Helps you to gain visibility into your dependencies and keep them functional and secure. 

Composer mostly depends on three things to work:

  • composer.json file: declares all the dependencies to install in the project.
  • composer.lock file: records the specific versions of the installed dependency packages.
  • Packagist: a repository that stores public packages installable with Composer.

How to install Composer

Composer is a multi-platform tool you can install on Windows, macOS, and Linux operating systems. It needs a minimum of PHP version 5.3.2 to run. You may notice a few other system requirements as you try setting it up in your preferred environment. 

If you’re a Windows user, you can use the Composer Setup file to install it. You can find the instructions here.

If you’re a macOS or Linux user, you can navigate to your project’s directory on the terminal and run the following command:

curl -sS https://getcomposer.org/installer | php

A composer.phar file is then downloaded into your project directory.

You can also install Composer to be accessible from anywhere on your system by running the following command:

mv composer.phar /usr/local/bin/composer

Once you have installed Composer globally, you can use the composer command to access it. 
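The one-line install above executes whatever the download returns. As an added example (not part of the original tutorial), this script saves the installer to a file and compares its SHA-384 with the checksum Composer publishes at composer.github.io/installer.sig before running it. The function names and the --install switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the Composer installer's SHA-384 before executing it.

# sha384_of FILE -> lowercase hex digest, using whichever tool is present
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 384 "$1" | cut -d' ' -f1
    else
        php -r 'echo hash_file("sha384", $argv[1]);' -- "$1"
    fi
}

# verify_installer FILE EXPECTED_HEX -> status 0 only if the digest matches
verify_installer() (
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) exit 1 ;;          # empty or not hex (e.g. an HTML error page)
    esac
    [ "${#expected}" -eq 96 ] || exit 1    # SHA-384 is 96 hex characters
    [ -f "$1" ] || exit 1
    [ "$(sha384_of "$1")" = "$expected" ]
)

# install_composer: download to a file, verify, and only then run it
install_composer() {
    curl -fsSL -o composer-setup.php https://getcomposer.org/installer || return 1
    expected_sig=$(curl -fsSL https://composer.github.io/installer.sig) || return 1
    if ! verify_installer composer-setup.php "$expected_sig"; then
        echo 'composer-setup.php: checksum mismatch, not executing' >&2
        rm -f composer-setup.php
        return 1
    fi
    status=0
    php composer-setup.php || status=$?
    rm -f composer-setup.php
    return "$status"
}

# Network access happens only when explicitly requested
if [ "${1:-}" = "--install" ]; then
    install_composer
fi
```

The published checksum changes whenever the installer is updated, so it is fetched at install time rather than hard-coded.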

How to use composer.json file

The composer.json file contains a description of your project’s dependencies and possibly other metadata as well. It’s all you need to begin using Composer in your project.

To follow along in this Composer tutorial, you can create a directory on your system and add a file called composer.json to it.

You can then add the following sample declaration to the file:

{
    "require": {
        "php": ">=7.3.0",
        "swiftmailer/swiftmailer": "^6.2"
    },
    "require-dev": {
        "symfony/var-dumper": "^6.0",
        "phpunit/phpunit": "~8.0"
    },
    "autoload": {
        "psr-4": {
            "": "app/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    }
}

Let’s describe what’s happening in the above JSON file:

  • The require key specifies the packages your project depends on. The application cannot do without them. Note that the key takes an object that maps package names in the vendor/package format (such as swiftmailer/swiftmailer) to version constraints (such as ^6.2).
  • The require-dev key specifies the packages used for development, which are not needed in the production environment.
  • The autoload key specifies the packages to be autoloaded so that they’ll be available in the project. 
  • The autoload-dev key specifies the development packages to be autoloaded. 

How to use update command

To initially install the dependencies already specified in the composer.json file, you can run the update command.

Here is the command to run at the root of your project:

php composer.phar update

If you installed Composer globally, run the following:

composer update

This is what the update command does:

  • Reads the dependencies listed in the composer.json file.
  • Creates the composer.lock file. It then locks the packages to their specific versions in the composer.lock file. If you share the project, the composer.lock file allows everyone in your team to use the exact same dependencies’ versions and avoid inconsistencies. This is the main function of the update command.
  • Implicitly runs the install command to download the dependencies according to their defined version constraints.

How to update dependencies

You can also use the update command to upgrade your project dependencies. This command will also update both the composer.json file and the composer.lock file with the current state of the versions of your project dependencies. 

To update all your installed dependencies at once, run the following command:

composer update

If you want to upgrade all packages excluding development dependencies, run the following command:

composer update --no-dev

If you want to perform package-specific updates, run the following command:

composer update vendor1/package1 vendor2/package2

Remember to substitute vendor/package names with the details of the dependencies you intend to update using Composer. 

It’s important to note that Composer follows the semantic versioning notation to define package versions using the major.minor.patch format.

Let’s look at some options you can use in the composer.json file:

  • Specify the exact version constraint. For example, 1.3.0 allows that specific version and that version only.
  • Specify the upper and lower bounds using >, <, >=, and <= operators. For example, >=1.3.0 can be updated to any version above or equal to 1.3.0. 
  • Use a wildcard to specify all the allowed version ranges to update to. For example, 1.3.* can be updated to within >=1.3.0 and <1.4.0.
  • Use a tilde to specify the last digit that can be updated upwards. For example, ~1.3 can be updated to within >=1.3.0 and <2.0.0. Also, ~1.3.2 can be updated to within >=1.3.2 and <1.4.0. 
  • Use a caret to avoid updating to major versions that could introduce breaking changes. For example, ^1.3.2 can be updated to within >=1.3.2 and <2.0.0.
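The constraint forms listed above, worked through as an added example (not part of the original tutorial): the hypothetical helper constraint_range prints the version range each form allows. It goes one step beyond the list by handling caret constraints on 0.x versions, where Composer only allows updates below the next minor (or patch) release.

```shell
#!/bin/sh
# Added example: expand a Composer version constraint into the range it allows.
# constraint_range is a hypothetical helper, not a Composer command.

constraint_range() (
    case $1 in
        '~'*)      op=tilde; v=${1#?} ;;
        '^'*)      op=caret; v=${1#?} ;;
        '<'*|'>'*) echo "$1"; exit 0 ;;       # already written as a bound
        *'.*')     op=wild;  v=${1%??} ;;
        *)         echo "=$1"; exit 0 ;;      # exact version, nothing else allowed
    esac
    case $v in
        ''|*[!0-9.]*) exit 2 ;;               # reject anything that is not digits and dots
    esac
    set -f; IFS=.; set -- $v; unset IFS       # split "1.3.2" into $1 $2 $3
    n=$#; major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case $op in
        wild)  k=$n ;;                        # bump the last part that was written
        tilde) [ "$n" -gt 1 ] && k=$((n - 1)) || k=1 ;;   # bump the part before the last
        caret) # bump the leftmost non-zero part, so 0.x releases stay narrow
            if   [ "$major" -ne 0 ] || [ "$n" -eq 1 ]; then k=1
            elif [ "$minor" -ne 0 ] || [ "$n" -eq 2 ]; then k=2
            else k=3; fi ;;
    esac
    case $k in
        1) upper="$((major + 1)).0.0" ;;
        2) upper="$major.$((minor + 1)).0" ;;
        3) upper="$major.$minor.$((patch + 1))" ;;
    esac
    echo ">=$major.$minor.$patch <$upper"
)

# Print the range for every constraint given on the command line
for c in "$@"; do
    printf '%-8s %s\n' "$c" "$(constraint_range "$c")"
done
```

Running it with the constraints from your own composer.json shows how far each one lets composer update move a package without any change to the file.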

How to use install command

You can run the install command to install all the dependencies listed in the composer.lock file. It uses the exact versions in the composer.lock file to ensure that everyone working on your project uses the same versions. The install command does not update any packages. 

Here is the command to run at the root of your project:

php composer.phar install

If you installed Composer globally, run the following:

composer install

If you want to install all packages excluding development dependencies, run the following command:

composer install --no-dev

This is what the install command does:

  • If a composer.lock file already exists, it resolves and installs dependencies from the file.
  • If a composer.lock file does not exist, it runs the update command to create it. It then resolves and installs the dependencies listed in the composer.lock file.

So, what is the difference between composer update and composer install commands?

The composer update command is mainly used during the development stage to upgrade dependencies based on the version constraints defined in the composer.json file. 

On the other hand, the composer install command is mainly used during the deployment stage when the application needs to be set up in a testing or production environment. It ensures the same dependencies specified in the composer.lock file, which was generated by running the update command, are used in deployment.

How to use require command

You can run the require command to install dependencies just by specifying the package details on the command line.

Here is the command to run at the root of your project:

php composer.phar require vendor/package

If you installed Composer globally, run the following:

composer require vendor/package

You can also request a specific package version with the require command. Here is an example:

composer require vendor/package:1.3

This is what the require command does:

  • Adds new dependencies to the composer.json file. If the file does not exist, the command will create it on the fly. It’s like a shortcut to creating the composer.json file.
  • Downloads the specified package to the project. 
  • Updates the composer.lock file as well. 

How to uninstall dependencies

To uninstall a PHP dependency using Composer, delete its details from the require or require-dev section of the composer.json file and run the following command:

composer update

You can also use the remove command to uninstall a package. It will remove the stated packages from the composer.json file and uninstall them. 

Here is how to run it:

composer remove vendor1/package1 vendor2/package2

How to set up autoloading

If you have installed libraries that specify autoloading information, you can use the helpful autoloading feature to make development easier. 

To autoload all the dependencies, just include the following in your code:

require __DIR__ . '/vendor/autoload.php';

Conclusion

That’s it!

We hope that this tutorial has covered most of the common scenarios for managing PHP dependencies using Composer. Remember that you can always dig into the Composer documentation to discover other ways of using the handy tool. 

Of course, manually practicing dependency management, especially updating dependencies, is hectic and time-consuming. Trying to manually keep all your dependencies up-to-date is tedious, especially if your project relies on packages that release updates frequently.  

With Mend Renovate, you can automate dependency updates in your PHP projects and increase your development productivity. It’s the tool you need to save time, reduce security risks, and keep your applications performant. 

Happy PHP coding!
