Composer Guide for Beginners

Composer is a dependency manager for PHP. It lets you declare the libraries your project needs and installs them automatically.
This guide covers installation, key commands, and essential concepts.

composer.json – Defines required packages and version constraints
composer.lock – Locks exact versions + checksums for reproducible installs across all machines (dev, staging, production)

1. Installing Composer: Local vs Global

Approach	Installation Command	Path to Composer	Advantages	Disadvantages
Global	`php -r «copy('...', 'composer-setup.php');"` then `php composer-setup.php --install-dir=/usr/local/bin --filename=composer`	`composer` (anywhere in terminal)	– Use `composer` directly (no `php` prefix). – One installation for all projects.<br>– Easier to remember.	– May require `sudo` on Linux/Mac.<br>– Version fixed system-wide (unless you manage multiple versions).
Local (per project)	Download `composer.phar` into project folder: `php -r «copy('...', 'composer.phar');"`	`php composer.phar` (must be in project root)	– No `sudo` needed. – Different projects can use different Composer versions. – Portable (just copy the phar).	– Must type `php composer.phar` every time. – Need to download again for each project (or copy).

Path Commands

Global: composer install
Local: php composer.phar install

Recommendation: Use global for most cases. Use local if you need to pin a specific Composer version or work on a shared server without root.

2. Key Commands Explained

`php composer.phar install --no-dev --optimize-autoloader`

When to use: When deploying your application to production.
Why:

install reads composer.lock (if present) and installs exact versions – ensures consistency.
--no-dev skips require-dev dependencies (e.g., testing tools) – reduces bloat and security risks in production.
--optimize-autoloader generates a classmap for faster autoloading – improves performance.

How it works:

Composer looks at composer.lock → installs listed packages.
Ignores dev dependencies.
Creates an optimized vendor/composer/autoload_classmap.php.

Example command:

php composer.phar install --no-dev --optimize-autoloader

`composer update`

When to use: During development, when you want to update dependencies to newer versions.
Why:

update ignores the lock file and checks composer.json for the latest versions allowed by version constraints.
After update, it rewrites composer.lock with the new exact versions.

How it works:

Reads composer.json.
Fetches latest compatible versions from repositories.
Installs them.
Updates composer.lock.

Example command:

composer update               # updates all dependencies
composer update phpmailer/phpmailer  # update only one package

Important: Never run composer update on a production server – it may introduce breaking changes. Use composer install with the lock file.

3. Essential Concepts You Must Know

composer.json – Declares your project’s dependencies and their version constraints (e.g., "^5.0" means >=5.0, <6.0).
composer.lock – Records the exact versions installed. Always commit it to version control so everyone (and production) uses the same versions.
require vs require-dev – require for runtime dependencies (e.g., framework), require-dev for development tools (e.g., PHPUnit).
Autoloading – Composer generates a vendor/autoload.php file. Include it once in your entry point to load all classes automatically:

require __DIR__ . '/vendor/autoload.php';

composer.lock and install vs update – Use install to reproduce exact versions; use update to change them.

Did We Miss Anything?

A complete beginner’s grasp of Composer also requires:

Understanding version constraints (^, ~, *, >=, etc.) – without this, composer.json is confusing.
Knowing how to add a package: composer require vendor/package.
Removing a package: composer remove vendor/package.
The vendor directory – is not committed to version control (add vendor/ to .gitignore).
Updating Composer itself: composer self-update.

With these basics, you’ll be able to manage dependencies like a pro.

Examples

In project folder

install Composer

curl -sS https://getcomposer.org/installer | php

php composer.phar install --no-dev --optimize-autoloader

Installing dependencies from lock file
Verifying lock file contents can be installed on current platform.
Package operations: 9 installs, 0 updates, 0 removals
  - Installing enshrined/svg-sanitize (0.22.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.37.0): Extracting archive
  - Installing hashids/hashids (5.0.2): Extracting archive
  - Installing jblond/php-diff (2.5.0): Extracting archive
  - Installing psr/simple-cache (3.0.0): Extracting archive
  - Installing phiki/phiki (v2.2.0): Extracting archive
  - Installing phpmailer/phpmailer (v7.1.1): Extracting archive
  - Installing phpthumb/phpthumb (2.3.3): Extracting archive
  - Installing simplepie/simplepie (1.9.0): Extracting archive
Generating optimized autoload files

composer update

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 2 updates, 0 removals
  - Upgrading hashids/hashids (4.1.0 => 5.0.2)
  - Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 2 updates, 0 removals
  - Downloading hashids/hashids (5.0.2)
  - Downloading phpmailer/phpmailer (v7.1.1)
  - Upgrading hashids/hashids (4.1.0 => 5.0.2): Extracting archive
  - Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1): Extracting archive
Generating optimized autoload files
No security vulnerability advisories found.

https://getcomposer.org/doc/ar[...]g-merge-conflicts.md^[link1]

Links

[link1] https://getcomposer.org/doc/articles/resolving-merge-conflicts.md