Post on 06-May-2015
description
DEPENDENCY MANAGEMENT
WITH COMPOSER
Sharing is Caring
Who Am I?
Adam Englanderadamenglander@yahoo.com@adam_englanderhttp://adamknowsstuff.comhttps://github.com/derptest
• Selling Source Direct Lead Developer
• Coupla CTO
• Founder/Organizer of Las Vegas PHP Users Group
• Co-Organizer of Las Vegas Developers Users Group
• PHP Machinist Maintainer
• #VegasTech Enthusiast
What is Dependency Management?
Dependency management for this context is best described as the resolution and installation of library dependencies for a software project. This includes resolving potential conflicts between libraries and providing the dependencies for all libraries on the dependency tree.
Simple Example of Dependencies My Project
PHP >= 5.5.0Monolog >= 1.3.0, < 2.0
○ PHP >= 5.3.0○ PSR Log >= 1.0, < 2.0
The before time…the long, long ago…
Sharing used to be hard
Legacy Solutions
PEAR PECL Version Control System Sub-repositories
(SVN, Git, Mercurial) Directly adding dependencies to your
codebase Custom dependency manager Write monolithic code bases
PEAR – PHP Extension and Application Library Multiple
Repositories Private Repositories Sub-dependency
version resolution Hundreds of libraries
One package install per server
No common format for defining project dependencies
Not extensible Each server had to
be aware of repositories
Publishing required
PECL– PHP Extension Community Library Highly trusted
libraries Hundreds of libraries Sub-dependency
version resolution
One package install per server
No common format for defining project dependencies
No private repos Each server had to
be aware of repositories
Publishing required
VCS Sub-Repositories Project based
dependencies Private Repositories Potentially millions
of libraries
Normally requires using the external library’s VCS
No deep dependency management
Need to monitor patches and updates to external libraries
Directly adding dependencies to your codebase Project based
dependencies Private Repositories Potentially millions
of libraries
Project codebases have dependency code making them large and unwieldy
You have to manually resolve all dependencies
You have to test interoperability of all dependent libraries
Custom Repository Manager
If you can dream it, you can do it.
Difficult to write You must implement
every feature and fix every bug
Monolithic Code Base No need for
dependency management
Private Repositories
Harder to manage Harder to test Re-writing the same
code in multiple projects.
Maintaining the the same bug fixes in multiple projects.
No leveraging of community code
Composer Provides a Multi-Tiered Dependency Management and Project Delivery Platform
DRY – Don’t repeat yourself or anyone else for that matter.
The Platform
Composer – The fully self-contained and completely extensible client
Satis – The app for generating static servable repository data.
Packagist – The server for managing and maintaining dynamic repository data.
Packagist.org – The public Packagist server for open source libraries and projects. 21K+ packages.
ComposerThe alpha and the omega
Composer Overview
Command line client application for:Searching repositories for packagesInstalling project skeletonsExecuting install/update hooksManaging project dependenciesManaging project metadata
Base code for servers The only product on the platform
necessary for managing dependencies in a project
Installation
There Download the composer.phar from
http://getcomposer.org/download/ Use the installer script from
http://getcomposer.org/download/ Install from your *nix distro package
manager (yum/apt/pkgsrc/homebrew)
Search the repositoriesvagrant:/$ composer search monolog monolog/monolog Sends your logs to files, sockets, inboxes, databases and various web servicessymfony/monolog-bundle Symfony MonologBundlesymfony/monolog-bridge Symfony Monolog Bridgeflynsarmy/slim-monolog Monolog logging support Slim Frameworklogentries/logentries-monolog-handler A handler for Monolog that sends messages to Logentries.com.kamisama/monolog-init Very basic and light Dependency Injector Container for Monologddtraceweb/monolog-parser A parser for monolog log entrieslexik/monolog-browser-bundle This Symfony2 bundle provides a Doctrine DBAL handler for Monolog and a web UI to display log entriesgraze/monolog-extensions Monolog extensions for use within Grazebazo/nette-monolog-extension Nette monolog compiler extensionfancyguy/wordpress-monolog WordPress Monolog Integrationkmelia/monolog-stdout-handler A handler for Monolog that sends messages to stdout (with color).support
Installing Project Skeletonsvagrant:/$ composer create-project laravel/laravel --prefer-dist
Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100%
Created project in /tmp/laravelLoading composer repositories with package informationInstalling dependencies (including require-dev) - Installing filp/whoops (1.0.10) Downloading: 100%
- Installing psr/log (dev-master 65f363a) Downloading: 100% …
Executing install/update hooks
vagrant:/$ composer create-project laravel/laravel --prefer-dist
Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100% …Writing lock fileGenerating autoload filesGenerating optimized class loaderApplication key [TzvXWZSq0MTEuqAEhzO0Vsq3yMbJZHP0] set successfully.
How to Setup Install/Update Hooks{
"scripts": {"post-install-cmd": [
"php artisan optimize"],"post-update-cmd": [
"php artisan clear-compiled","php artisan optimize"
],"post-create-project-cmd": [
"php artisan key:generate"]
}}
Managing Project Dependencies:Overview
A project can be initialized with the init command
Project dependencies can be configured by the command line or directly in the composer.json file.
The validate command will validate the composer.json file.
The composer.lock file will lock the revision/change number of the dependencies.
Managing Project Dependencies:Overview (continued) The install command will install locked
versions if composer.lock is present or act like the update command if not.
The update command will update the library versions and the composer.lock file.
Running the Composer binary without any commands will list the available commands.
Running the help command will provide help
Managing Project Metadata:Overview
The composer specification allows for the following metadata:Description – package descriptionType – I.E. project or libraryKeywords – Aid in searching repositoriesHomepage – Project homepageLicense – License type for the packageAuthors – Information about the authorsSupport – Information for obtaining support
regarding the library
Managing Project Metadata:Example{ "name": "composer/composer", "description": "Dependency Manager", "keywords": ["package", "dependency", "autoload"], "homepage": "http://getcomposer.org/", "type": "library", "license": "MIT", "authors": [ { "name": "Nils Adermann", "email": "naderman@naderman.de", "homepage": "http://www.naderman.de" } ], "support": { "irc": "irc://irc.freenode.org/composer", "issues": "https://github.com/composer/composer/issues" }}
Managing Dependency Conflicts
You can manually resolve conflicts between in dependencies when:Changing the version of one of the
dependent packages that causes the conflict is not an option
The version you choose will not negatively effect either dependent package.
"monolog/monolog": "1.7.0 as 1.6.0"
Applying Forks as Dependencies
Alternate repositories can be used to provide versions with aliases
One of the following must be true for Composer to use an alternate repository:The repository specifying the alias is listed
before the repository containing original package in the composer.json file.
The repository containing original package does not have a version specified by the alias (risky)
Applying Forks as Dependencies: Example{ "repositories": [ { "type": "vcs", "url": "https://github.com/my/monolog" } ], "require": { "symfony/monolog-bundle": "2.0", "monolog/monolog": "dev-myfix as 1.0.x-dev” }}
Managing Repositories Repositories hold package information in multiple
types:Packagist.org – Default repositoryComposer (Packagist/Satis/Manual)VCS (git/mercurial/subversion)PEAR – Using PEAR channelsArtifact – Pre-built artifactsPackage – Using libraries that
All repositories except “Package” require a composer.json file.
Repository additions must be on the root package.
Packagist.org Repository Will be the final repository searched Enabled by default but can be disabled:
{ "repositories": [ { "packagist": false } ]}
Composer Repository
Provides a packages.json file. Defined by URL. Path contains file. Example inclusion:{ "repositories": [ { "type": "composer", "url": http://packages.example.com } ]}
VCS Repository
Composer client will scan VCS repositories to find branches and tags with a composer.json file in the root.
Package name from the composer.json file.
Version is from the branch/tag name. Branch versions will be prefixed with dev-.
Pear Repository Composer access to existing PEAR channels.
{ repositories: [ { "type": "pear", "url": “pear.phpunit.de”, “vendor-alias”: “phpunit” } ]} Access repository packages via channel or alias
“pear.phpunit.de/PHPUnit”: “>=3.7.0” “phpunit/PHPUnit”: “>=3.7.0”
Artifact Repository Scans directory of zip files with composer.json files in
the root of the zip. Uses package and version in composer.json file.
{ "repositories": [ { "type": "artifact", "url": "path/to/zips/dir” } ]}
Package Repository
Defines the package and versions in the composer.json file.
Uses the same format as packages.json file from Composer repository.
Allows for providing shared code that is not available by any of the other means.
Package Repository Example{“packages”: [ { "type": "package", "package": { "name": ”smarty/smarty", "version": ”3.1.7", "dist": { "url": "http://www.smarty.net/files/Smarty-3.1.7.zip", "type": "zip” } } }]}
SatisSimple repository management for small organizations
Satis: Easy as Pie
Maintain a JSON based meta-data file with the list of repositories to scour.
Execute the command and it will provide:Composer compliant packages.json fileHTML file with instructions on adding the
repository to a composer.json file as well as a filterable list.
Satis: Repository Cache If the archive section is configured in the Satis
meta-data file, Satis will scan all repositories defined and create local archives
If options require-dependencies is set to true, it will also cache dependencies. This only works on known packages in the defined repositories.
Here’s a link to an excellent article on how to affectively cache packagist.org: http://tech.m6web.fr/composer-installation-without-github.html
Satis Metadata Example{ "name": "My Repository", "homepage": "http://satis.my.org", "repositories": [ { "type": "vcs", "url": "http://github.com/my/repo" } ], "require-all": true}
Satis Conclusions Simple to use Easy to deploy Full PHP
implementation Uses static files for
hosting Can cache
repositories from VCS and Packagist
Requires management of a config file
Becomes unwieldy for large numbers of packages
Limited search and package information
Requires shared disk for HA
PackagistThe enterprise repository manager
Packagist…and a bag of chips
Web based package management Optimized search via Solr Allows for high availability via MySQL API for remotely triggering package
scans Package statistics
Packagist Conclusions Web based
management interface
Solr based search HA capable Virtually unlimited
package management
No archives for non Github/BitBucket VCS repositories
Complex architecture
Requires MySQL and Solr knowledge and management
Only VCS packages
Packagist.orgYour one stop shop for open source projects and libraries
One Repository to Rule Them All
21,762 packages (1/7/2014) Default package manager for Composer Free accounts to register/maintain
packages Contains nearly every widely used open
source PHP package Just use it!
Registering a package Get a user Log in Click “Submit a Package” Enter the URL for your public repository Click “Check” Optionally but suggested: Register a
commit hook to scan for updates on commit.Github has a pre-configured hookBitBucket can use a POST hook