Composer Guide for Beginners

Composer is a dependency manager for PHP. It lets you declare the libraries your project needs and installs them automatically.
This guide covers installation, key commands, and essential concepts.


  • composer.json – Defines required packages and version constraints
  • composer.lock – Locks exact versions + checksums for reproducible installs across all machines (dev, staging, production)

1. Installing Composer: Local vs Global


Global
  • Installation command: php -r "copy('...', 'composer-setup.php');" then php composer-setup.php --install-dir=/usr/local/bin --filename=composer
  • Path to Composer: composer (anywhere in terminal)
  • Advantages:
    • Use composer directly (no php prefix).
    • One installation for all projects.
    • Easier to remember.
  • Disadvantages:
    • May require sudo on Linux/Mac.
    • Version fixed system-wide (unless you manage multiple versions).

Local (per project)
  • Installation command: download composer.phar into the project folder: php -r "copy('...', 'composer.phar');"
  • Path to Composer: php composer.phar (must be in project root)
  • Advantages:
    • No sudo needed.
    • Different projects can use different Composer versions.
    • Portable (just copy the phar).
  • Disadvantages:
    • Must type php composer.phar every time.
    • Need to download again for each project (or copy).

Path Commands

  • Global: composer install
  • Local: php composer.phar install

Recommendation: Use global for most cases. Use local if you need to pin a specific Composer version or work on a shared server without root.

2. Key Commands Explained

php composer.phar install --no-dev --optimize-autoloader


When to use: When deploying your application to production.
Why:

  • install reads composer.lock (if present) and installs exact versions – ensures consistency.
  • --no-dev skips require-dev dependencies (e.g., testing tools) – reduces bloat and security risks in production.
  • --optimize-autoloader generates a classmap for faster autoloading – improves performance.

How it works:

  1. Composer looks at composer.lock → installs listed packages.
  2. Ignores dev dependencies.
  3. Creates an optimized vendor/composer/autoload_classmap.php.

Example command:

php composer.phar install --no-dev --optimize-autoloader	
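
A fail-closed wrapper around this production install, as an added example that is not part of the original guide. It assumes composer (2.4 or later, for the audit command) is on PATH; the function name deploy_install and its return codes are illustrative.

```shell
#!/bin/sh
# Added example: production install step that refuses to run unpinned.
# Assumption: `composer` 2.4+ is on PATH. deploy_install is a made-up name.

deploy_install() {
    project=${1:-.}

    # Without composer.lock, `install` resolves versions from composer.json
    # the way `update` does, so nothing pins what gets deployed. Refuse.
    if [ ! -f "$project/composer.lock" ]; then
        echo "refusing to deploy: composer.lock missing in $project" >&2
        return 10
    fi

    # Fail if composer.lock is out of date with composer.json.
    composer validate --no-check-all --no-check-publish \
        --working-dir="$project" || return 11

    # Check the locked runtime packages against known security advisories
    # before anything is written to vendor/.
    composer audit --locked --no-dev --working-dir="$project" || return 12

    # The guide's production install: locked versions, no dev packages.
    composer install --no-dev --optimize-autoloader --no-interaction \
        --working-dir="$project" || return 13
}
```

Call it from the deploy job as deploy_install /path/to/project and treat any non-zero return code as a failed release.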

composer update


When to use: During development, when you want to update dependencies to newer versions.
Why:

  • update ignores the lock file and checks composer.json for the latest versions allowed by version constraints.
  • After update, it rewrites composer.lock with the new exact versions.

How it works:

  1. Reads composer.json.
  2. Fetches latest compatible versions from repositories.
  3. Installs them.
  4. Updates composer.lock.

Example command:

composer update               # updates all dependencies
composer update phpmailer/phpmailer  # update only one package	

Important: Never run composer update on a production server – it may introduce breaking changes. Use composer install with the lock file.

3. Essential Concepts You Must Know

  • composer.json – Declares your project’s dependencies and their version constraints (e.g., "^5.0" means >=5.0, <6.0).
  • composer.lock – Records the exact versions installed. Always commit it to version control so everyone (and production) uses the same versions.
  • require vs require-dev – require for runtime dependencies (e.g., framework), require-dev for development tools (e.g., PHPUnit).
  • Autoloading – Composer generates a vendor/autoload.php file. Include it once in your entry point to load all classes automatically:
require __DIR__ . '/vendor/autoload.php';

  • composer.lock and install vs update – Use install to reproduce exact versions; use update to change them.

Did We Miss Anything?


A complete beginner’s grasp of Composer also requires:

  • Understanding version constraints (^, ~, *, >=, etc.) – without this, composer.json is confusing.
  • Knowing how to add a package: composer require vendor/package.
  • Removing a package: composer remove vendor/package.
  • The vendor directory is not committed to version control (add vendor/ to .gitignore).
  • Updating Composer itself: composer self-update.

With these basics, you’ll be able to manage dependencies like a pro.

Examples


In project folder


Install Composer

curl -sS https://getcomposer.org/installer | php	
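
The one-liner above executes whatever the server returns. The following added example (not from the original guide) downloads the installer to a file and checks its SHA-384 against the value published at https://composer.github.io/installer.sig before running it. It assumes curl, php and sha384sum (GNU coreutils) are on PATH; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify the Composer installer before executing it.
# Assumptions: curl, php and sha384sum are on PATH; names are made up.

INSTALLER_URL="https://getcomposer.org/installer"
SIG_URL="https://composer.github.io/installer.sig"  # published SHA-384

# verify_sha384 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-384 equals EXPECTED_HEX.
verify_sha384() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    # A SHA-384 digest is exactly 96 hex characters. An empty reply or an
    # HTML error page must be rejected, never compared.
    case $expected in
        *[!0-9a-f]*|'') return 3 ;;
    esac
    [ "${#expected}" -eq 96 ] || return 3
    actual=$(sha384sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_composer_verified [TARGET_DIR]
# Downloads the installer to a temp file, verifies it, then runs it.
install_composer_verified() {
    target=${1:-.}
    tmp=$(mktemp) || return 1
    sig=$(curl -fsS "$SIG_URL") || { rm -f "$tmp"; return 1; }
    curl -fsS -o "$tmp" "$INSTALLER_URL" || { rm -f "$tmp"; return 1; }
    if verify_sha384 "$tmp" "$sig"; then
        php "$tmp" --install-dir="$target" --filename=composer.phar
        rc=$?
    else
        echo "ERROR: installer checksum mismatch, not executing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run install_composer_verified in the project folder to get composer.phar only when the checksum matches.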

php composer.phar install --no-dev --optimize-autoloader

Installing dependencies from lock file
Verifying lock file contents can be installed on current platform.
Package operations: 9 installs, 0 updates, 0 removals
  - Installing enshrined/svg-sanitize (0.22.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.37.0): Extracting archive
  - Installing hashids/hashids (5.0.2): Extracting archive
  - Installing jblond/php-diff (2.5.0): Extracting archive
  - Installing psr/simple-cache (3.0.0): Extracting archive
  - Installing phiki/phiki (v2.2.0): Extracting archive
  - Installing phpmailer/phpmailer (v7.1.1): Extracting archive
  - Installing phpthumb/phpthumb (2.3.3): Extracting archive
  - Installing simplepie/simplepie (1.9.0): Extracting archive
Generating optimized autoload files	

composer update

Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 2 updates, 0 removals
  - Upgrading hashids/hashids (4.1.0 => 5.0.2)
  - Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 2 updates, 0 removals
  - Downloading hashids/hashids (5.0.2)
  - Downloading phpmailer/phpmailer (v7.1.1)
  - Upgrading hashids/hashids (4.1.0 => 5.0.2): Extracting archive
  - Upgrading phpmailer/phpmailer (v6.12.0 => v7.1.1): Extracting archive
Generating optimized autoload files
No security vulnerability advisories found.	

Comments

  1. Difference between --prefer-dist and --prefer-source

    The difference lies in how Composer retrieves the package files:
    • --prefer-dist (Distribution): Downloads a clean archive (ZIP/TAR) of the package.
      • Best for: Production, CI/CD pipelines, and standard development.
      • Pros: Significantly faster installation, smaller disk footprint, and excludes development files (like tests/docs) if the maintainer configured .gitattributes correctly.
      • Default: This is the automatic default for stable tagged versions.
    • --prefer-source (Source): Clones the full version control repository (e.g., git clone).
      • Best for: Contributing to a package, debugging deep into a dependency, or needing the commit history.
      • Pros: Gives you the .git folder inside vendor/, allowing you to modify code, switch branches, or submit pull requests directly from the dependency.
      • Cons: Slower download and includes the entire history and potentially unwanted files.

    Summary: Use --prefer-dist for speed and stability in 99% of cases. Use --prefer-source only when you intend to modify the dependency's code directly.
    • WikiAdmin
    • 06/06/2026 23:23 edited