Composer is a dependency manager for PHP. It lets you declare the libraries your project needs and installs them automatically.
This guide covers installation, key commands, and essential concepts.
* **composer.json** - Defines required packages and version constraints
* **composer.lock** - Locks exact versions + checksums for reproducible installs across all machines (dev, staging, production)
=== 1. Installing Composer: Local vs Global ===
#|
*| Approach | Installation Command | Path to Composer | Advantages | Disadvantages |*
|| **Global** | ##php -r "copy('...', 'composer-setup.php');"## then ##php composer-setup.php --install-dir=/usr/local/bin --filename=composer## | ##composer## (anywhere in terminal) | – Use ##composer## directly (no ##php## prefix).<br>– One installation for all projects.<br>– Easier to remember. | – May require ##sudo## on Linux/Mac.<br>– Version fixed system-wide (unless you manage multiple versions). ||
|| **Local** (per project) | Download ##composer.phar## into project folder: ##php -r "copy('...', 'composer.phar');"## | ##php composer.phar## (must be in project root) | – No ##sudo## needed.<br>– Different projects can use different Composer versions.<br>– Portable (just copy the phar). | – Must type ##php composer.phar## every time.<br>– Need to download again for each project (or copy). ||
|#
**Path Commands**
- Global: ##composer install##
- Local: ##php composer.phar install##
**Recommendation:** Use **global** for most cases. Use **local** if you need to pin a specific Composer version or work on a shared server without root.
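Added example (not from the original page or the Composer project): rather than executing the downloaded installer directly, as in the table above and the ##curl ... | php## one-liner under Examples, save it to a file, compare its SHA-384 with the value published at ##https://composer.github.io/installer.sig## (the location Composer's install documentation uses), and run it only on a match. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the Composer installer before executing it.
# URLs are the ones Composer's install documentation uses; function names are hypothetical.
INSTALLER_URL="https://getcomposer.org/installer"
SIG_URL="https://composer.github.io/installer.sig"

# sha384_of FILE: print the lowercase hex SHA-384 digest of FILE.
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    else
        shasum -a 384 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_HEX: return 0 only if the digests match.
verify_installer() {
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A SHA-384 digest is exactly 96 hex characters; reject empty or
    # truncated values (e.g. an error page returned instead of the signature).
    case "$expected" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#expected}" -eq 96 ] || return 1
    actual=$(sha384_of "$1") || return 1
    [ "$actual" = "$expected" ]
}

# install_composer DEST_DIR: download, verify, then run the installer.
install_composer() {
    tmp=$(mktemp) || return 1
    curl -fsS -o "$tmp" "$INSTALLER_URL" || { rm -f "$tmp"; return 1; }
    sig=$(curl -fsS "$SIG_URL") || { rm -f "$tmp"; return 1; }
    if verify_installer "$tmp" "$sig"; then
        php "$tmp" --install-dir="$1" --filename=composer.phar
        rc=$?
    else
        echo "installer checksum mismatch, not executing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Network access happens only when explicitly requested: ./script.sh install [dir]
if [ "${1:-}" = "install" ]; then install_composer "${2:-.}"; fi
```

The check catches a truncated, corrupted or substituted installer file; the installer is never executed unless the digest matches.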
=== 2. Key Commands Explained ===
====##php composer.phar install --no-dev --optimize-autoloader##====
**When to use:** When deploying your application to production.
**Why:**
- ##install## reads ##composer.lock## (if present) and installs exact versions – ensures consistency.
- ##--no-dev## skips ##require-dev## dependencies (e.g., testing tools) – reduces bloat and security risks in production.
- ##--optimize-autoloader## generates a classmap for faster autoloading – improves performance.
**How it works:**
1. Composer looks at ##composer.lock## → installs listed packages.
2. Ignores dev dependencies.
3. Creates an optimized ##vendor/composer/autoload_classmap.php##.
**Example command:**
%%
php composer.phar install --no-dev --optimize-autoloader
%%
====##composer update##====
**When to use:** During development, when you want to update dependencies to newer versions.
**Why:**
- ##update## ignores the lock file and checks ##composer.json## for the latest versions allowed by version constraints.
- After update, it rewrites ##composer.lock## with the new exact versions.
**How it works:**
1. Reads ##composer.json##.
2. Fetches latest compatible versions from repositories.
3. Installs them.
4. Updates ##composer.lock##.
**Example command:**
%%
composer update # updates all dependencies
composer update phpmailer/phpmailer # update only one package
%%
**Important:** Never run ##composer update## on a production server – it may introduce breaking changes. Use ##composer install## with the lock file.
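Added example (not from the original page): a deploy gate that enforces the rule above. It refuses to run when ##composer.lock## is missing, because ##install## would then resolve versions from ##composer.json## the way ##update## does, and it finishes with ##composer audit## against the locked runtime packages. The function names are hypothetical, and the ##.gitignore## check assumes the deploy runs from a git checkout.

```shell
#!/bin/sh
# Added example: production deploy gate. Function names are hypothetical.

# preflight DIR: return 0 only if DIR is fit for a lock-file based install.
preflight() {
    dir=$1
    [ -f "$dir/composer.json" ] || { echo "no composer.json in $dir" >&2; return 1; }
    # Without a lock file, `install` picks versions the way `update` would.
    [ -f "$dir/composer.lock" ] || { echo "composer.lock missing, refusing to deploy" >&2; return 1; }
    # Assumption: deploying from a git checkout. vendor/ must be rebuilt from
    # the lock file, not shipped from a developer workstation.
    if [ -f "$dir/.gitignore" ] && grep -Eq '^/?vendor/?$' "$dir/.gitignore"; then
        return 0
    fi
    echo "vendor/ is not ignored in .gitignore" >&2
    return 1
}

# deploy DIR: validate, install runtime dependencies only, then audit them.
deploy() {
    dir=$1
    preflight "$dir" || return 1
    cd "$dir" || return 1
    # Reports a composer.lock that is out of date relative to composer.json.
    composer validate --no-check-publish --no-interaction || return 1
    composer install --no-dev --optimize-autoloader --no-interaction || return 1
    # Check the locked, non-dev packages against published security advisories.
    composer audit --locked --no-dev
}

# Composer is invoked only when explicitly requested: ./script.sh deploy [dir]
if [ "${1:-}" = "deploy" ]; then deploy "${2:-.}"; fi
```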
=== 3. Essential Concepts You Must Know ===
- **##composer.json##** – Declares your project’s dependencies and their version constraints (e.g., ##"^5.0"## means >=5.0, <6.0).
- **##composer.lock##** – Records the exact versions installed. **Always commit it to version control** so everyone (and production) uses the same versions.
- **##require## vs ##require-dev##** – ##require## for runtime dependencies (e.g., framework), ##require-dev## for development tools (e.g., PHPUnit).
- **Autoloading** – Composer generates a ##vendor/autoload.php## file. Include it once in your entry point to load all classes automatically:
%%(hl php)
require __DIR__ . '/vendor/autoload.php';
%%
- **##composer.lock## and ##install## vs ##update##** – Use ##install## to reproduce exact versions; use ##update## to change them.
=== Did We Miss Anything? ===
A complete beginner’s grasp of Composer also requires:
- Understanding **version constraints** (##^##, ##~##, ##*##, ##>=##, etc.) – without this, ##composer.json## is confusing.
- Knowing **how to add a package**: ##composer require vendor/package##.
- **Removing a package**: ##composer remove vendor/package##.
- **The ##vendor## directory** – do **not** commit it to version control (add ##vendor/## to ##.gitignore##).
- **Updating Composer itself**: ##composer self-update##.
With these basics, you’ll be able to manage dependencies like a pro.
=== Examples ===
In the project folder, install Composer:
%%
curl -sS https://getcomposer.org/installer | php
%%
%%
php composer.phar install --no-dev --optimize-autoloader
Installing dependencies from lock file
Verifying lock file contents can be installed on current platform.
Package operations: 9 installs, 0 updates, 0 removals
- Installing enshrined/svg-sanitize (0.22.0): Extracting archive
- Installing symfony/polyfill-mbstring (v1.37.0): Extracting archive
- Installing hashids/hashids (5.0.2): Extracting archive
- Installing jblond/php-diff (2.5.0): Extracting archive
- Installing psr/simple-cache (3.0.0): Extracting archive
- Installing phiki/phiki (v2.2.0): Extracting archive
- Installing phpmailer/phpmailer (v7.1.1): Extracting archive
- Installing phpthumb/phpthumb (2.3.3): Extracting archive
- Installing simplepie/simplepie (1.9.0): Extracting archive
Generating optimized autoload files
%%
%%
composer update
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 2 updates, 0 removals
- Upgrading hashids/hashids (4.1.0 => 5.0.2)
- Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 2 updates, 0 removals
- Downloading hashids/hashids (5.0.2)
- Downloading phpmailer/phpmailer (v7.1.1)
- Upgrading hashids/hashids (4.1.0 => 5.0.2): Extracting archive
- Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1): Extracting archive
Generating optimized autoload files
No security vulnerability advisories found.
%%
* https://getcomposer.org/doc/articles/resolving-merge-conflicts.md