DEPENDENCY MANAGEMENT

WITH COMPOSER

Sharing is Caring

Who Am I?

Adam Englanderadamenglander@yahoo.com@adam_englanderhttp://adamknowsstuff.comhttps://github.com/derptest

• Selling Source Direct Lead Developer

• Coupla CTO

• Founder/Organizer of Las Vegas PHP Users Group

• Co-Organizer of Las Vegas Developers Users Group

• PHP Machinist Maintainer

• #VegasTech Enthusiast

What is Dependency Management?

Dependency management for this context is best described as the resolution and installation of library dependencies for a software project. This includes resolving potential conflicts between libraries and providing the dependencies for all libraries on the dependency tree.

Simple Example of Dependencies My Project

PHP >= 5.5.0Monolog >= 1.3.0, < 2.0

○ PHP >= 5.3.0○ PSR Log >= 1.0, < 2.0

The before time…the long, long ago…

Sharing used to be hard

Legacy Solutions

PEAR PECL Version Control System Sub-repositories

(SVN, Git, Mercurial) Directly adding dependencies to your

codebase Custom dependency manager Write monolithic code bases

PEAR – PHP Extension and Application Library Multiple

Repositories Private Repositories Sub-dependency

version resolution Hundreds of libraries

One package install per server

No common format for defining project dependencies

Not extensible Each server had to

be aware of repositories

Publishing required

PECL– PHP Extension Community Library Highly trusted

libraries Hundreds of libraries Sub-dependency

version resolution

One package install per server

No common format for defining project dependencies

No private repos Each server had to

be aware of repositories

Publishing required

VCS Sub-Repositories Project based

dependencies Private Repositories Potentially millions

of libraries

Normally requires using the external library’s VCS

No deep dependency management

Need to monitor patches and updates to external libraries

Directly adding dependencies to your codebase Project based

dependencies Private Repositories Potentially millions

of libraries

Project codebases have dependency code making them large and unwieldy

You have to manually resolve all dependencies

You have to test interoperability of all dependent libraries

Custom Repository Manager

If you can dream it, you can do it.

Difficult to write You must implement

every feature and fix every bug

Monolithic Code Base No need for

dependency management

Private Repositories

Harder to manage Harder to test Re-writing the same

code in multiple projects.

Maintaining the the same bug fixes in multiple projects.

No leveraging of community code

Composer Provides a Multi-Tiered Dependency Management and Project Delivery Platform

DRY – Don’t repeat yourself or anyone else for that matter.

The Platform

Composer – The fully self-contained and completely extensible client

Satis – The app for generating static servable repository data.

Packagist – The server for managing and maintaining dynamic repository data.

Packagist.org – The public Packagist server for open source libraries and projects. 21K+ packages.

ComposerThe alpha and the omega

Composer Overview

Command line client application for:Searching repositories for packagesInstalling project skeletonsExecuting install/update hooksManaging project dependenciesManaging project metadata

Base code for servers The only product on the platform

necessary for managing dependencies in a project

Installation

There Download the composer.phar from

http://getcomposer.org/download/ Use the installer script from

http://getcomposer.org/download/ Install from your *nix distro package

manager (yum/apt/pkgsrc/homebrew)

Search the repositoriesvagrant:/$ composer search monolog monolog/monolog Sends your logs to files, sockets, inboxes, databases and various web servicessymfony/monolog-bundle Symfony MonologBundlesymfony/monolog-bridge Symfony Monolog Bridgeflynsarmy/slim-monolog Monolog logging support Slim Frameworklogentries/logentries-monolog-handler A handler for Monolog that sends messages to Logentries.com.kamisama/monolog-init Very basic and light Dependency Injector Container for Monologddtraceweb/monolog-parser A parser for monolog log entrieslexik/monolog-browser-bundle This Symfony2 bundle provides a Doctrine DBAL handler for Monolog and a web UI to display log entriesgraze/monolog-extensions Monolog extensions for use within Grazebazo/nette-monolog-extension Nette monolog compiler extensionfancyguy/wordpress-monolog WordPress Monolog Integrationkmelia/monolog-stdout-handler A handler for Monolog that sends messages to stdout (with color).support

Installing Project Skeletonsvagrant:/$ composer create-project laravel/laravel --prefer-dist

Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100%

Created project in /tmp/laravelLoading composer repositories with package informationInstalling dependencies (including require-dev) - Installing filp/whoops (1.0.10) Downloading: 100%

- Installing psr/log (dev-master 65f363a) Downloading: 100% …

Executing install/update hooks

vagrant:/$ composer create-project laravel/laravel --prefer-dist

Installing laravel/laravel (v4.1.0) - Installing laravel/laravel (v4.1.0) Downloading: 100% …Writing lock fileGenerating autoload filesGenerating optimized class loaderApplication key [TzvXWZSq0MTEuqAEhzO0Vsq3yMbJZHP0] set successfully.

How to Setup Install/Update Hooks{

"scripts": {"post-install-cmd": [

"php artisan optimize"],"post-update-cmd": [

"php artisan clear-compiled","php artisan optimize"

],"post-create-project-cmd": [

"php artisan key:generate"]

}}

Managing Project Dependencies:Overview

A project can be initialized with the init command

Project dependencies can be configured by the command line or directly in the composer.json file.

The validate command will validate the composer.json file.

The composer.lock file will lock the revision/change number of the dependencies.

Managing Project Dependencies:Overview (continued) The install command will install locked

versions if composer.lock is present or act like the update command if not.

The update command will update the library versions and the composer.lock file.

Running the Composer binary without any commands will list the available commands.

Running the help command will provide help

Managing Project Metadata:Overview

The composer specification allows for the following metadata:Description – package descriptionType – I.E. project or libraryKeywords – Aid in searching repositoriesHomepage – Project homepageLicense – License type for the packageAuthors – Information about the authorsSupport – Information for obtaining support

regarding the library

Managing Project Metadata:Example{ "name": "composer/composer", "description": "Dependency Manager", "keywords": ["package", "dependency", "autoload"], "homepage": "http://getcomposer.org/", "type": "library", "license": "MIT", "authors": [ { "name": "Nils Adermann", "email": "naderman@naderman.de", "homepage": "http://www.naderman.de" } ], "support": { "irc": "irc://irc.freenode.org/composer", "issues": "https://github.com/composer/composer/issues" }}

Managing Dependency Conflicts

You can manually resolve conflicts between in dependencies when:Changing the version of one of the

dependent packages that causes the conflict is not an option

The version you choose will not negatively effect either dependent package.

"monolog/monolog": "1.7.0 as 1.6.0"

Applying Forks as Dependencies

Alternate repositories can be used to provide versions with aliases

One of the following must be true for Composer to use an alternate repository:The repository specifying the alias is listed

before the repository containing original package in the composer.json file.

The repository containing original package does not have a version specified by the alias (risky)

Applying Forks as Dependencies: Example{ "repositories": [ { "type": "vcs", "url": "https://github.com/my/monolog" } ], "require": { "symfony/monolog-bundle": "2.0", "monolog/monolog": "dev-myfix as 1.0.x-dev” }}

Managing Repositories Repositories hold package information in multiple

types:Packagist.org – Default repositoryComposer (Packagist/Satis/Manual)VCS (git/mercurial/subversion)PEAR – Using PEAR channelsArtifact – Pre-built artifactsPackage – Using libraries that

All repositories except “Package” require a composer.json file.

Repository additions must be on the root package.

Packagist.org Repository Will be the final repository searched Enabled by default but can be disabled:

{ "repositories": [ { "packagist": false } ]}

Composer Repository

Provides a packages.json file. Defined by URL. Path contains file. Example inclusion:{ "repositories": [ { "type": "composer", "url": http://packages.example.com } ]}

VCS Repository

Composer client will scan VCS repositories to find branches and tags with a composer.json file in the root.

Package name from the composer.json file.

Version is from the branch/tag name. Branch versions will be prefixed with dev-.

Pear Repository Composer access to existing PEAR channels.

{ repositories: [ { "type": "pear", "url": “pear.phpunit.de”, “vendor-alias”: “phpunit” } ]} Access repository packages via channel or alias

“pear.phpunit.de/PHPUnit”: “>=3.7.0” “phpunit/PHPUnit”: “>=3.7.0”

Artifact Repository Scans directory of zip files with composer.json files in

the root of the zip. Uses package and version in composer.json file.

{ "repositories": [ { "type": "artifact", "url": "path/to/zips/dir” } ]}

Package Repository

Defines the package and versions in the composer.json file.

Uses the same format as packages.json file from Composer repository.

Allows for providing shared code that is not available by any of the other means.

Package Repository Example{“packages”: [ { "type": "package", "package": { "name": ”smarty/smarty", "version": ”3.1.7", "dist": { "url": "http://www.smarty.net/files/Smarty-3.1.7.zip", "type": "zip” } } }]}

SatisSimple repository management for small organizations

Satis: Easy as Pie

Maintain a JSON based meta-data file with the list of repositories to scour.

Execute the command and it will provide:Composer compliant packages.json fileHTML file with instructions on adding the

repository to a composer.json file as well as a filterable list.

Satis: Repository Cache If the archive section is configured in the Satis

meta-data file, Satis will scan all repositories defined and create local archives

If options require-dependencies is set to true, it will also cache dependencies. This only works on known packages in the defined repositories.

Here’s a link to an excellent article on how to affectively cache packagist.org: http://tech.m6web.fr/composer-installation-without-github.html

Satis Metadata Example{ "name": "My Repository", "homepage": "http://satis.my.org", "repositories": [ { "type": "vcs", "url": "http://github.com/my/repo" } ], "require-all": true}

Satis Conclusions Simple to use Easy to deploy Full PHP

implementation Uses static files for

hosting Can cache

repositories from VCS and Packagist

Requires management of a config file

Becomes unwieldy for large numbers of packages

Limited search and package information

Requires shared disk for HA

PackagistThe enterprise repository manager

Packagist…and a bag of chips

Web based package management Optimized search via Solr Allows for high availability via MySQL API for remotely triggering package

scans Package statistics

Packagist Conclusions Web based

management interface

Solr based search HA capable Virtually unlimited

package management

No archives for non Github/BitBucket VCS repositories

Complex architecture

Requires MySQL and Solr knowledge and management

Only VCS packages

Packagist.orgYour one stop shop for open source projects and libraries

One Repository to Rule Them All

21,762 packages (1/7/2014) Default package manager for Composer Free accounts to register/maintain

packages Contains nearly every widely used open

source PHP package Just use it!

Registering a package Get a user Log in Click “Submit a Package” Enter the URL for your public repository Click “Check” Optionally but suggested: Register a

commit hook to scan for updates on commit.Github has a pre-configured hookBitBucket can use a POST hook