Composer for package management
The Book Depository • 10th May 2013.
Alister Bulman
self::about()
self::current()
Scaling PHP-based systems, with related technologies.
Creatively lazy. I don't want to have to reinvent the wheel.
I use someone else's wheel whenever I possibly can.
self::prev()
Programming PHP since 1999, PHP v3, (>12 years ago). Previously in everything from a ZX81, BBC/Electron, 6502 to 8086 Assembler, Pascal and C/C++ before PHP
Programming since 198-cough
PHP Dependency hell
- Pear
- phpclasses.org
- lots of copy and pasted code
Either many copies, scattered around, or just one single one per system.
Hard to update, annoying to keep in sync.
Impossible if you need different versions in different sites.
Code Reuse in the PHP Ecosystem
- PHP had a very poor level of reuse
- None at all between the major frameworks such as Zend/Symfony/Cake/Drupal
- Common Standards kicked off a huge mindset change
- PSR-0, Autoloading
- Why ?
- Allows code to be broken down into small, easily reused libraries
- Still have to copy the code into the project
- and then setup the autoloading namespace
- And then came Composer...
Hang on to your hats
Composer live demo
- pull in a UUID library ("rhumsaa/uuid": "2.1.1")
- setup the autoloader, automatically
- other people can install the same version, every time
Here's the basics
composer.json file
{
    "require": {
        "zendframework/zendframework1": "1.12.3",
        "rhumsaa/uuid": "2.1.*",
        "thebookdepository/php-search": "dev-master"
    }
}
Breaking down the parts:
- Vendor prefix - zendframework, rhumsaa & thebookdepository
- Project name - zf1, uuid & php-search
- Versions - exact, wildcards or the bleeding edge
There are over 10,000 libraries available on http://packagist.org
composer.lock file
- List of packages, versions and also licences
- if available, 'composer install' will only use the .lock versions
- composer.lock is committed into version control
- Everyone works with exactly the same dependency versions
- When deploying, all machines run exactly the same dependency versions
- Users will never get dependency versions you did not test with
- For an upgrade, libraries are checked against the wildcard (.*) or dev-BRANCH versions listed in the .json file
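A check for the lock-file guarantees listed above, as an added example that is not from the original slides: it flags requirements that float (wildcards, `~`, dev branches) when there is no composer.lock, packages missing from the lock, and dev branches locked without a commit reference. The lock contents, including the versions and the all-zero commit id, are constructed, and `audit` and `is_floating` are hypothetical names.

```python
import json

def is_floating(constraint):
    """True when a constraint can resolve to different code on different days."""
    return "dev" in constraint or any(ch in constraint for ch in "*~^<>|, ")

def audit(manifest_text, lock_text=None):
    """Return (package, problem) pairs for dependencies that are not pinned."""
    manifest = json.loads(manifest_text)
    wanted = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    lock = json.loads(lock_text) if lock_text is not None else {}
    locked = {pkg["name"]: pkg for section in ("packages", "packages-dev")
              for pkg in lock.get(section) or []}
    findings = []
    for name, constraint in sorted(wanted.items()):
        if "/" not in name:  # platform requirement such as "php" or "ext-json"
            continue
        pkg = locked.get(name)
        pinned_ref = ((pkg or {}).get("source") or {}).get("reference")
        if pkg is None and lock_text is not None:
            findings.append((name, "missing from composer.lock"))
        elif pkg is None and is_floating(constraint):
            findings.append((name, "floating constraint, no lock file"))
        elif pkg and pkg["version"].startswith("dev-") and not pinned_ref:
            findings.append((name, "branch locked without a commit reference"))
    return findings

# The requirements shown on the slides.
MANIFEST = """{
  "require": {"zendframework/zendframework1": "1.12.3", "rhumsaa/uuid": "2.1.*",
              "thebookdepository/php-search": "dev-master"},
  "require-dev": {"phpunit/phpunit": "~3.7.10", "squizlabs/php_codesniffer": "*",
                  "mockery/mockery": "0.8.0"}
}"""

# Constructed lock data: the versions and the all-zero commit id are placeholders.
LOCK = json.dumps({"packages": [
    {"name": "zendframework/zendframework1", "version": "1.12.3"},
    {"name": "rhumsaa/uuid", "version": "2.1.1"},
    {"name": "thebookdepository/php-search", "version": "dev-master",
     "source": {"type": "git", "reference": "0" * 40}},
], "packages-dev": [
    {"name": "phpunit/phpunit", "version": "3.7.10"},
    {"name": "squizlabs/php_codesniffer", "version": "1.4.5"},
    {"name": "mockery/mockery", "version": "0.8.0"},
]})

if __name__ == "__main__":
    print(audit(MANIFEST), audit(MANIFEST, LOCK))
```

Run in CI before 'composer install', a non-empty result means the build could pull code that nobody tested.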
Autoloading
{
    "autoload": {
        "psr-0": {
            "Entity": "common/lib/",
            "ZFDebug": "common/lib/",
            "BD": "lib/"
        }
    }
}
Using it:
<?php
require 'vendor/autoload.php';
$s = new BD_ShortUrl(...);
?>
Optimised loaders can be generated.
Testability
- Pulling in a local PHPunit, and other tools
- creates a composer/bin/phpunit, et al
- Later: Local coding standards
- you can use on your dev machines, and for CI
{
    "require-dev": {
        "phpunit/phpunit": "~3.7.10",
        "squizlabs/php_codesniffer": "*",
        "mockery/mockery": "0.8.0"
    }
}
The potential problems
- Can't fetch the external code
  - proxy problems to the outside world from dev boxes (run diag)
- Larger 'vendor' directories
  - it's designed to be just-in-time delivery of the code, from cache
- Complex composer configs with our own small library repositories
- Vendoring 3rd party libraries for fast access, and security checks
  - Satis, Package Repository Generator
- btw, thanks to Chris for simplifying the common module (symlink) in the main BD repo
In Summary
- Easy code reuse
- From small (potentially) well-tested libraries
- Well supported by libraries
- Easy, consistent, build process (already supported with the CI server)
- Fast autoloader scripts, that 'just work'
- Easily used, one .json file in a repo enables its use in Composer
- Versioned individually by Git Tags or Branches, or even specific SHA1s
- A 'composer install' will use exactly the version you tested with
Composer introduction talk
Other slide decks
http://www.slideshare.net/naderman/composer-php-usergroup-karlsruhe
http://www.slideshare.net/loalf/shifting-gears-with-composer
http://www.slideshare.net/chebba/composer-package-management-for-php-silver-bullet
http://www.slideshare.net/zfconf/zfconf-2012-dependency-management-php-zend-framework-2
http://www.slideshare.net/tcorrigan1/composer-14745871
The Wonderful World of Composer, video from KnpUniversity
http://www.youtube.com/watch?v=QOldVDVYnAE (14 minutes)
http://nelm.io/blog/2011/12/composer-part-1-what-why/
http://nelm.io/blog/2011/12/composer-part-2-impact/
http://moquet.net/blog/5-features-about-composer-php/
http://blog.dubture.com/2013/04/composer-is-now-first-class-eclipse.html
http://blog.fortrabbit.com/handle-your-dependencies-with-php-composer/
Questions?
Alister Bulman
... and elsewhere, just search for me - I'm pretty unique