Composer Dependency Manager
Composer is PHP's most commonly used dependency manager. It's analogous to
npm in Node,
pip for Python, or
NuGet for .NET.
- php path/to/composer.phar [command] [options] [arguments]
|license||Defines the type of license you want to use in the Project.|
|authors||Defines the authors of the project, as well as the author details.|
|support||Defines the support emails, irc channel, and various links.|
|require||Defines the actual dependencies as well as the package versions.|
|require-dev||Defines the packages necessary for developing the project.|
|suggest||Defines the package suggestions, i.e. packages which can help if installed.|
|autoload||Defines the autoloading policies of the project.|
|autoload-dev||Defines the autoloading policies for developing the project.|
- Packagist – Browse available packages (which you can install with Composer).
- Official Documentation
- Official Getting Started guide
- Disable xdebug when running Composer.
- Do not run Composer as
root. Packages are not to be trusted.
What is Composer?
Composer is a dependency/package manager for PHP. It can be used to install, keep track of, and update your project dependencies. Composer also takes care of autoloading the dependencies that your application relies on, letting you easily use the dependency inside your project without worrying about including them at the top of any given file.
Dependencies for your project are listed within a
composer.json file which is typically located in your project root. This file holds information about the required versions of packages for production and also development.
A full outline of the
composer.json schema can be found on the Composer Website.
This file can be edited manually using any text-editor or automatically through the command line via commands such as
composer require <package> or
composer require-dev <package>.
To start using composer in your project, you will need to create the
composer.json file. You can either create it manually or simply run
composer init. After you run
composer init in your terminal, it will ask you for some basic information about your project: Package name (vendor/package - e.g.
laravel/laravel), Description - optional, Author and some other information like Minimum Stability, License and Required Packages.
require key in your
composer.json file specifies Composer which packages your project depends on.
require takes an object that maps package names (e.g. monolog/monolog) to version constraints (e.g. 1.0.*).
To install the defined dependencies, you will need to run the
composer install command and it will then find the defined packages that matches the supplied
version constraint and download it into the
vendor directory. It's a convention to put third party code into a directory named
You will notice the
install command also created a
composer.lock file is automatically generated by Composer. This file is used to track the currently installed versions and state of your dependencies. Running
composer install will install packages to exactly the state stored in the lock file.
Autoloading with Composer
While composer provides a system to manage dependencies for PHP projects (e.g. from Packagist), it can also notably serve as an autoloader, specifying where to look for specific namespaces or include generic function files.
It starts with the
This configuration code ensures that all classes in the namespace
MyVendorName\MyProject are mapped to the
src directory and all classes in
MyVendorName\MyProject\Tests to the
tests directory (relative to your root directory). It will also automatically include the file
After putting this in your
composer.json file, run
composer update in a terminal to have composer update the dependencies, the lock file and generate the
autoload.php file. When deploying to a production environment you would use
composer install --no-dev. The
autoload.php file can be found in the
vendor directory which should be generated in the directory where
require this file early at a setup point in the lifecycle of your application using a line similar to that below.
Once included, the
autoload.php file takes care of loading all the dependencies that you provided in your
Some examples of the class path to directory mapping:
Benefits of Using Composer
Composer tracks which versions of packages you have installed in a file called
composer.lock, which is intended to be committed to version control, so that when the project is cloned in the future, simply running
composer install will download and install all the project's dependencies.
Composer deals with PHP dependencies on a per-project basis. This makes it easy to have several projects on one machine that depend on separate versions of one PHP package.
Composer tracks which dependencies are only intended for dev environments only
Composer provides an autoloader, making it extremely easy to get started with any package. For instance, after installing Goutte with
composer require fabpot/goutte, you can immediately start to use Goutte in a new project:
Composer allows you to easily update a project to the latest version that is allowed by your composer.json. EG.
composer update fabpot/goutte, or to update each of your project's dependencies:
Composer Available Commands
|about||Short information about Composer|
|archive||Create an archive of this composer package|
|browse||Opens the package's repository URL or homepage in your browser.|
|clear-cache||Clears composer's internal package cache.|
|clearcache||Clears composer's internal package cache.|
|config||Set config options|
|create-project||Create new project from a package into given directory.|
|depends||Shows which packages cause the given package to be installed|
|diagnose||Diagnoses the system to identify common errors.|
|dump-autoload||Dumps the autoloader|
|dumpautoload||Dumps the autoloader|
|exec||Execute a vendored binary/script|
|global||Allows running commands in the global composer dir ($COMPOSER_HOME).|
|help||Displays help for a command|
|home||Opens the package's repository URL or homepage in your browser.|
|info||Show information about packages|
|init||Creates a basic composer.json file in current directory.|
|install||Installs the project dependencies from the composer.lock file if present, or falls back on the composer.json.|
|licenses||Show information about licenses of dependencies|
|outdated||Shows a list of installed packages that have updates available, including their latest version.|
|prohibits||Shows which packages prevent the given package from being installed|
|remove||Removes a package from the require or require-dev|
|require||Adds required packages to your composer.json and installs them|
|run-script||Run the scripts defined in composer.json.|
|search||Search for packages|
|self-update||Updates composer.phar to the latest version.|
|selfupdate||Updates composer.phar to the latest version.|
|show||Show information about packages|
|status||Show a list of locally modified packages|
|suggests||Show package suggestions|
|update||Updates your dependencies to the latest version according to composer.json, and updates the composer.lock file.|
|validate||Validates a composer.json and composer.lock|
|why||Shows which packages cause the given package to be installed|
|why-not||Shows which packages prevent the given package from being installed|
Difference between 'composer install' and 'composer update'
composer update will update our dependencies as they are specified in
For example, if our project uses this configuration:
Supposing we have actually installed the
2.0.1 version of the package, running
composer update will cause an upgrade of this package (for example to
2.0.2, if it has already been released).
composer update will:
- Remove installed packages that are no more required in
- Check the availability of the latest versions of our required packages
- Install the latest versions of our packages
composer.lockto store the installed packages version
composer install will install all of the dependencies as specified in the
composer.lock file at the version specified (locked), without updating anything.
- Install the packages specified in the
When to install and when to update
composer updateis mostly used in the 'development' phase, to upgrade our project packages.
composer installis primarily used in the 'deploying phase' to install our application on a production server or on a testing environment, using the same dependencies stored in the
composer.lockfile created by
You may install Composer locally, as part of your project, or globally as a system wide executable.
To install, run these commands in your terminal.
This will download
composer.phar (a PHP Archive file) to the current directory. Now you can run
php composer.phar to use Composer, e.g.
To use Composer globally, place the composer.phar file to a directory that is part of your
Now you can use
composer anywhere instead of
php composer.phar, e.g.