PHP is lame?
Composer gives PHP the boost to make serious projects possible.
Get to know the tool with this guide.
Let’s get started!
What is Composer?

Composer manages your PHP libraries, dependencies and third-party code. With large PHP projects and APIs, you want to keep an overview. Composer works in a similar way to NuGet or NPM to efficiently integrate third-party code into your own application. Composer is a dependency manager that installs the dependencies your PHP code needs into the vendor folder.
Why should I use Composer?
There are many reasons to use Composer:
- Keep an overview: Every PHP project with dependencies benefits from Composer because the dependencies are listed in a sorted manner.
- Use third-party code: There are other ways to use third-party code, but Composer makes it easy for you.
- Update quickly: Nobody needs vulnerabilities. Composer eliminates them quickly by updating the libraries.
- Large selection: Download your library from 400,000 packages from packagist.org. packagist.org and Composer are integrated with each other.
- Simple configuration: One file contains all configs. The config is written in easy-to-read JSON.
- Easy to learn: You can use the most important CLI commands in this tutorial.

Where is Composer used?
You can use Composer for independent PHP scripts, for web projects or batch processing. Composer is the basis for Laravel application interfaces (API) and websites, as well as Symfony.
Many apps, websites and applications need application interfaces to manage productive data. They control access to the database, change, delete and add new database entries. Composer offers a quick way to install Laravel and co. and extend them with new PHP libraries.
Install Composer
We need PHP for Composer. The following commands work directly in Linux distributions or with WSL 2 Ubuntu 22.04 for Windows.
sudo apt install zip unzip php-zip php-dom -y
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
curl -fsSL https://packages.sury.org/php/apt.gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/sury-keyring.gpg
sudo apt update
sudo apt-get install php8.2 libapache2-mod-php8.2 php8.2-common php8.2-gd php8.2-mysql php8.2-curl php8.2-intl php8.2-xsl php8.2-mbstring php8.2-zip php8.2-bcmath php8.2-soap php-xdebug php-imagick -y
You can install Composer locally or globally. The executable file can be located in the project folder or in a system folder. This is how you download Composer locally:
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
Create project and use in PHP
The first step is to create the project. To do this, create a folder or go to the existing PHP scripts. There you execute the command
composer update
The software creates two files, composer.json and composer.lock. The composer.json contains all dependencies that you have “actively” added. These dependencies often have dependencies of their own, and those are listed in full in composer.lock. The new vendor folder contains all code that comes from dependencies. composer.lock should also be present in your Git repo so that all developers use the same versions.
Start with Composer
You can search for dependencies via packagist and install them this way:
composer require barryvdh/laravel-dompdf
The command notes the installation in composer.json.
You can use the contents with the use statement, for example inside a Laravel controller action:
<?php
use Barryvdh\DomPDF\Facade\Pdf;

// Render the Blade view resources/views/pdf/invoice.blade.php with $data
// and send the result to the browser as a download named invoice.pdf
public function download(array $data)
{
    $pdf = Pdf::loadView('pdf.invoice', $data);
    return $pdf->download('invoice.pdf');
}
You can find the dependency in the vendor folder.
Keep dependencies up to date
To keep up with feature and security updates, we can simply run
composer update
composer bump
composer update
to install the latest version. The composer.json controls the behaviour of Composer. A "^" in front of the version means that versions above the specified version are ok as long as they contain no breaking changes. A "~" allows only the last given part of the version to be increased, and an exact specification such as "1.3.2" prohibits the update.
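To make the three constraint forms concrete, here is an added illustration (not Composer's own semver code) that decides which candidate versions a caret, tilde or exact constraint admits. It is deliberately simplified: it handles only plain major.minor.patch numbers, and Composer treats ^0.0.x even more narrowly than shown here.

```php
<?php
// Added example, not from the original article or from Composer itself.
// Simplified evaluation of the three constraint forms discussed above.

declare(strict_types=1);

/** Split "1.3.2" into [1, 3, 2], padding missing parts with 0. */
function parseVersion(string $v): array
{
    $parts = array_map('intval', explode('.', $v));
    return array_pad($parts, 3, 0);
}

/** Compare two [major, minor, patch] triples: negative, 0 or positive. */
function compareVersions(array $a, array $b): int
{
    return $a <=> $b;
}

/**
 * Decide whether $candidate is allowed by $constraint.
 *   ^1.3.2  -> >=1.3.2,<2.0.0   (no breaking change, i.e. same major)
 *   ~1.3.2  -> >=1.3.2,<1.4.0   (only the last written part may rise)
 *   1.3.2   -> exactly 1.3.2    (update forbidden)
 */
function constraintAllows(string $constraint, string $candidate): bool
{
    $cand = parseVersion($candidate);
    $operator = $constraint[0] ?? '';

    if ($operator === '^' || $operator === '~') {
        $base = substr($constraint, 1);
        $lower = parseVersion($base);

        if ($operator === '^') {
            // caret: next major is excluded; for 0.x the next minor is excluded
            $upper = $lower[0] > 0 ? [$lower[0] + 1, 0, 0] : [0, $lower[1] + 1, 0];
        } else {
            // tilde: the part before the last written one is bumped
            $written = count(explode('.', $base));
            $upper = $written >= 3 ? [$lower[0], $lower[1] + 1, 0] : [$lower[0] + 1, 0, 0];
        }

        return compareVersions($cand, $lower) >= 0 && compareVersions($cand, $upper) < 0;
    }

    // exact pin: nothing but that version
    return compareVersions($cand, parseVersion($constraint)) === 0;
}

// Constructed sample: the same candidate versions checked against each form
$candidates = ['1.3.2', '1.3.9', '1.4.0', '1.9.7', '2.0.0'];
foreach (['^1.3.2', '~1.3.2', '1.3.2'] as $constraint) {
    $allowed = array_filter($candidates, fn (string $v) => constraintAllows($constraint, $v));
    printf("%-7s allows: %s\n", $constraint, implode(', ', $allowed));
}
```

Run it with `php constraints.php` (any file name) to see that the caret form lets 1.4.0 and 1.9.7 through but stops at 2.0.0, the tilde form stops already at 1.4.0, and the exact pin accepts nothing but 1.3.2. That difference is exactly what decides whether `composer update` can pull in a security fix on its own.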
Security checks

Security is not an automatic matter, but has to be established with a lot of work. For Composer projects built on the PHP framework Laravel there is a package that searches for the classic security vulnerabilities and misconfigurations. A beginner has to find the right configurations, while a professional loses track during operation. The Enlightn tool helps to find these errors. Install the software with:
composer require enlightn/enlightn
php artisan vendor:publish --tag=enlightn
You can buy a pro version of the software, but the basic version is sufficient for the first step.
The software performs 131 checks, which takes about 2 minutes. The tool groups the checks into categories so that you don’t lose the overview when reworking.
Go to the root directory of your Laravel project and start the scan with
php artisan enlightn
The report card at the end shows the errors and categories. Always process the Failed checks in the Security column first:
+----------------+-------------+-------------+-----------+-----------+
| Status         | Performance | Reliability | Security  | Total     |
+----------------+-------------+-------------+-----------+-----------+
| Passed         | 11 (61%)    | 25 (89%)    | 17 (81%)  | 53 (79%)  |
| Failed         | 2 (11%)     | 3 (11%)     | 4 (19%)   | 9 (13%)   |
| Not Applicable | 5 (28%)     | 0 (0%)      | 0 (0%)    | 5 (7%)    |
| Error          | 0 (0%)      | 0 (0%)      | 0 (0%)    | 0 (0%)    |
+----------------+-------------+-------------+-----------+-----------+
The tool describes each error with a text and a link. The website behind the link explains how to fix it, for example:
Check 63/67: Your application uses stable versions of dependencies. Failed
Your application's dependencies are unstable versions. These may include bug fixes and/or security patches. It is recommended to update to the most stable versions.
Documentation URL: https://www.laravel-enlightn.com/docs/security/stable-dependency-analyzer.html
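The failed check above complains about unstable dependency versions. You can see for yourself which locked packages would trigger it by reading composer.lock, as in this added example (not Enlightn's or Composer's own code). The stability detection is a simplified version of Composer's: dev-* or *-dev, alpha, beta and RC count as unstable; the lock file content below is constructed for the demonstration, not taken from a real project.

```php
<?php
// Added example, not from the original article, Enlightn or Composer.
// Lists every package in composer.lock and flags non-stable versions.

declare(strict_types=1);

/**
 * Return 'stable' or the unstable stability flag found in a version string.
 * Simplified: Composer also accepts short forms such as "a1"/"b1".
 */
function stabilityOf(string $version): string
{
    if (str_starts_with($version, 'dev-') || str_ends_with($version, '-dev')) {
        return 'dev';
    }
    if (preg_match('/[-.]?(alpha|beta|rc)\d*$/i', $version, $m)) {
        return strtolower($m[1]);
    }
    return 'stable';
}

/**
 * Parse composer.lock JSON and return one row per package:
 * ['name' => ..., 'version' => ..., 'dev' => bool, 'stability' => ...].
 * Malformed JSON throws instead of silently reporting an empty lock file.
 */
function lockedPackages(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $rows = [];
    // "packages" are runtime dependencies, "packages-dev" only require-dev ones
    foreach (['packages' => false, 'packages-dev' => true] as $section => $isDev) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $rows[] = [
                'name'      => $pkg['name'],
                'version'   => $pkg['version'],
                'dev'       => $isDev,
                'stability' => stabilityOf($pkg['version']),
            ];
        }
    }
    return $rows;
}

/** Only the rows whose version is not a stable release. */
function unstablePackages(array $rows): array
{
    return array_values(array_filter($rows, fn (array $r) => $r['stability'] !== 'stable'));
}

// Constructed sample lock file; package names starting with "example/" are placeholders.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "barryvdh/laravel-dompdf", "version": "v2.0.1"},
    {"name": "example/feature-preview", "version": "dev-main"},
    {"name": "example/api-client", "version": "3.0.0-beta2"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.2"},
    {"name": "example/debug-helper", "version": "1.2.0-RC1"}
  ]
}
JSON;

// Replace $sampleLock with file_get_contents('composer.lock') to check a real project.
foreach (unstablePackages(lockedPackages($sampleLock)) as $r) {
    printf("%-28s %-12s %-6s %s\n", $r['name'], $r['version'], $r['stability'], $r['dev'] ? '(require-dev)' : '');
}
```

The sample reports the dev-main, beta and RC entries and stays silent about the two tagged releases. Packages from require-dev are marked separately because they never reach production, so a beta test helper is far less of a concern than a beta HTTP client.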
Important CLI commands
Here is your cheat sheet for the most important Composer CLI commands:
- composer init: Initialises a new Composer project and creates a composer.json file.
- composer install: Installs all dependencies defined in the composer.json file.
- composer update: Updates all dependencies to their latest versions.
- composer require: Adds a new package to your project and installs it.
- composer remove: Removes a package from your project.
- composer dump-autoload: Updates the autoload files.
- composer validate: Checks the composer.json file for errors.
- composer show: Displays information about installed packages.
- composer search [keyword]: Searches for packages on Packagist.
- composer outdated: Displays outdated packages that can be updated.
- composer global require: Installs a package globally on your system.
- composer global update: Updates all globally installed packages.
- composer create-project: Creates a new project based on a package.
- composer self-update: Updates Composer itself to the latest version.
- composer diagnose: Checks the system configuration for possible problems.
- composer archive: Creates an archive of a package.
- composer fund: Displays information on the funding of dependencies.
- composer licenses: Displays the licences of the installed packages.
- composer run-script [script]: Executes a user-defined script from the composer.json file.
- composer clear-cache: Clears the Composer cache.