Composer is the PHP community’s go-to dependency manager. It simplifies installing, updating and using third-party packages. Packages can be hosted by public and private repositories, with most popular projects publishing to Packagist.

Installing Composer

Composer is a community effort which isn’t bundled with PHP. It’s distributed as a PHP PHAR archive from getcomposer.org. Some Linux distributions do include Composer in their software repositories but installing in this way usually delivers an outdated version.

Make sure you’ve got PHP installed before continuing. PHP 5.3 is the oldest supported version at the time of writing. You’ll also need git and unzip on your system if you want to install packages from source.

Composer provides an automated setup script. Begin by downloading the installer to your working directory:

You should now verify the installer’s hash to check it’s not been tampered with. Refer to the Composer website to check the latest hash and obtain sample verification code.

Next, use the setup script to install Composer:

This will download Composer into /usr/local/bin, allowing it to sit in your path alongside your other executables. Try running composer in your shell to check that’s everything working. The Composer version should be displayed, followed by a list of the available Composer commands.

To update Composer in the future, run composer self-update. This will automatically replace your Composer binary with the latest release. You won’t need to use the composer-setup.php script again so you can delete it now.

Preparing Your Project

You’ll need to create a composer.json file in your project’s working directory before you can start using Composer. Run composer init to create one interactively. This will get you setup with a basic configuration.

Follow the command line prompts to supply information about your project, such as its name, description and author details. Package names use the vendor/package syntax to avoid conflicts between authors in public repositories. You should use your Packagist username as the vendor component.

Most keys in composer.json are optional unless you intend to publish your codebase to Packagist. You can find a complete description of the file’s structure on the Composer documentation site.

Installing Packages

You can add packages to your project using the composer require command:

Search for packages to install using the Packagist website. They’ll be added to the require section of your project’s composer.json file. Once installed, the package’s source goes into the vendor folder within your project.

Composer relies on semantic versioning to handle package updates. The exact version of each package you’ve installed is written to composer.lock in your project’s directory. This enables Composer to identify the specific package to install when composer.json indicates a range of versions is acceptable.

You should commit both composer.json and composer.lock to your source control. Other developers working on your project can then run composer install to acquire all the dependencies you’ve defined.

Packages such as test runners can be marked as development dependencies by supplying the –dev flag to the require command. They’ll be separated into a require-dev section within composer.json. When installing your packages, use composer install –no-dev to exclude development dependencies. This is useful when using Composer within deployment scripts and CI systems.

Updating Packages

You should try to keep your packages updated so you’re not missing out on security and bug fixes. Run the composer outdated command to see a list of dependencies in composer.json that have new versions available.

To apply the updates, run composer update. This will respect semantic versioning and pull down the newest version of each package, within the version constraints specified by your composer.json. A package marked as ^1.2 will update to 1.2.x or 1.3.x but not 2.0. The Composer docs include detailed information on how the tool resolves different forms of version constraint.

Updating a package will automatically rewrite your composer.lock file to specify the new version. Other developers working on your project can rerun composer install to obtain the exact packages you’re using.

The Composer Autoloader

Autoloading is the preferred mechanism to discover source files within PHP. Composer has first-class support for autoloading; most of the time, its autoloader will be the only file you need to require_once() within your project.

As you install dependencies, Composer will automatically write an autoloader to vendor/autoload.php. Packages specify how they should be autoloaded using the autoload field in composer.json. You should set this up for your own project so Composer can autoload its files too:

The above snippet will configure your project’s autoloading using the PSR-4 standard. Codebase resources within the ExampleProject namespace will be mapped to files within the src directory – for example, use ExampleProjectExampleClassesMyClass will automatically require_once(“src/ExampleProject/ExampleClasses/MyClass.php”).

The only file you’ll need to manually require_once() is the autoloader itself:

You should add the line as early as possible in your application. This will ensure autoloading is enabled before you start consuming classes and interfaces within your codebase.

Sometimes you might need to force regeneration of the autoloader. This will often be because you’ve updated your project’s autoload configuration. You can run composer dump-autoload to write a new autoloader on-demand.

Summary

Composer simplifies PHP development by providing the dependency manager missing from the core language. Using Composer you can easily incorporate third-party code into your projects, without having to manually download source files and keep them up to date.

Composer’s built-in autoloader lets you access installed packages without any extra work on your part. The tool also includes a script runner which allows you to execute tasks within your codebase by adding commands to the scripts block in composer.json. Use composer run my-script to run the script.