× Introducing Rollout, An awesome deployment system for your PHP webapps. [More info]
Thu 26 Jul 2018

What is PHP Composer

Summary: Composer, the dependency manager for php has many places where its not clear for many folks out there. Couple of things are, should I execute composer install or composer update. In other words, when should I run composer install and composer update. Also, should I commit composer.json to my version control system? Let us try to understand more about php composer.

Composer, the dependency manager for php has many places where its not clear for many folks out there. Couple of things are, should I execute composer install or composer update. In other words, when should I run composer install and composer update. Also should I commit composer.json to my version control system? Let us try to understand this in a better way.

Why should I use php composer ?

First lets get to know about what is composer and why should you use it at all. During early stages of php web development reusable libraries or classes of PHP are available in individual classes.Lets say you need to use PHPMailer class for sending emails. To use PHPmailer functionalities we need to download the phpmailer classes and include it. Lets say phpmailer class use some other libraries like formatter class that was developed by a different developer, sometimes phpmailer libraries might give you the formatter library also bundled with phpmailer in one zip file. Sometimes they just give reference to the library formatter. We have to

Download it separately.
include it in your project.

Just imaging if the formatters requires another library called string processor. Again you need to do this wasting lot of time.

downloading the libraries or dependencies.
including the dependencies in your project.

Another problem is that, Lets say creator of phpmailer bundles formatter library and string processor libraries for you as one single bundle. Lets say developer of formatter library adds a bunch of nice features, security fixes, bug fixes which you may not have a chance to get the updates. You are stuck with the stale version that came with the phpmailer bundle. Or you don't have an easy way to catchup with the latest version and update your security fixes. All you need to do is download manually the formatter library again and include it in your project. Thats really nasty time killer and unproductive. PHP composer removes all these nasty troubles for you. The important magic guy is php autoload that autoloads or includes automatically the class files when it does not find it in memory.

What is php composer ?

To sum up Composer gives you these fabulous mileage. Saves tons of time.

Composer automatically downloads all the dependencies of a given library recursively and keeps inside a folder called Vendor folder. Puts all the includes or requires statements in a file called autoload.php. All you need to do is just include that file (autoload.php) and you are done. Also makes your life easier to download any specific version of a given dependency. And that you can share the same set of dependency with the same version to your peer developer. This is accomplished by means of composer.lock which I will detail out here in this article. Libraries or packages may require a specific version of PHP, prior to composer there is no way to specify that version requirement also there is no way mention the php extension it requires with composer if you are the library / package developer you can mention in your composer.json

"require": {
    "php": "^7.1.3",
    "ext-mbstring": "*",
    "ext-openssl": "*",

if you have this requires snippet, composer will automatically checks for you if your system has the mentioned php version and the extensions are enabled. So easy right.

Last but not the least you can easily update your libraries with the latest versions.

Should i use composer install or composer update ?

Lets first get to know what is composer update and what is composer install so that we can use the right option ourselves.

Composer install

When you do a composer install. composer looks for composer.json file in the current directory and starts downloading the libraries or dependencies present in the composer.json recursively. Meaning if your project uses phpmailer, and phpmailer uses formatter, String processor and string Processor requires pattern matching libriaries. Composer will download all the libraries phpmailer, formatter, stringprocessor and pattern matching libraries. Once the download is done it creates a file called composer.lock file with details of the exact versions of the all the libraries it downloaded. Why should composer create composer.lock file?

if it does not do that, it doesn't know what is the version it downloaded, so what is the problem if it doesn't knew what version of a library it downloaded. It will download again and again when composer install is accidentally executed.

Composer update

This is one of the other problem that composer solves, getting the recent updates for all the libraries or packages that you have used in your project or in simple terms updating your libraries that you have already downloaded to its latest version just at one command. Wow thats so lovely.

What is php autoload ?

Its perhaps php autoload feature has made the composer to work. Everytime when php can't find the class to include when you try to instantiate the class it executes the autoload function. So this gives you an opportunity to build the logic of file inclusion in this autoload function. One simple way how you can do it is here.

For example


class myClass {
    public function __construct() {
        echo "myClass init'ed successfuly!!!";

// we've writen this code where we need
function __autoload($classname) {
    $filename = "./". $classname .".php";

// we've called a class ***
$obj = new myClass();

If you observe the above snippet, we are not including the myclasses file anywhere like include 'myClass.php', This is the magic that __autoload() does it for you.

Note: you should keep the classname and the filename same for this magic to happen.

Should I commit composer.json in git repository ?

Yes, you should commit composer.json and also composer.lock file which are very important for these glorious reasons.

Every member of the project should be working on the identical versions of the library or package they use. Otherwise it would introduce lots of discripencies which are very hard to debug.

Lets say you are adding a new member to your project, the expectation is to have exactly same versions of your packages or libraries that you are using, otherwise its going to be a nightmare for you and him sorting out the bugs that arises, if the version are different, things can break, or you may not be having a feature he has because that he recently got the latest version of the package. So how you achieve this ? Very simple, just add commit the packages you have used in your git and do a push to github and let him download from github. Thats too much of space you are going to use and to download and upload the code from bitbucket and more time eventually. So the best way is to commit only composer.json and composer.lock files. You may think commiting composer.json is suffice. I have a reason for composer.lock to be committed.

in Composer.json you mention the minimum expected version say 1.8 and composer always download latest of 1.8, for example 1.8.4 may be the latest. composer will download 1.8.4. So what is the problem ? Not at all till now. Lets say the package developer have added a feature in 1.8.5 and that has introduced a bug. So when your new team member run composer install it will install 1.8.5 rather than 1.8.4. Again this is a deviation from the rule that I mentioned Every member of the project should be working with the identical versions of the library or packages.

Hence its one of the best practice to commit also the composer.json and composer.lock file in your git repo. add in your .gitignore file add the following line. vendor/ So that git will not worry about the vendor folder. Only your working directory or your computer where you have Project directory will have the full code base.

composer is well designed to check the presence of composer.lock file first. If it is there it gets versions of the packages to download from there, if composer.lock is not there it goes for composer.json and starts the process of downloading. So when your new team member starts the project. He just executes composer install and it picks the exact version from composer.lock file in our case 1.8.4 of the package and downloads.