I Don't Get Composer

Hey everyone,

With Yii2 PR out and some fresh energy, I took time to experiment with it. It seems like with Yii 2, Composer also plays a big role here, so I tried to take a look. With not too much success.

I’ve used several Linux distributions for several years and I’ve seen quite a lot of package managing tools. Although, Composer claims it’s not Package Management but Dependency Management. Their explanation “By default it will never install anything globally. Thus, it is a dependency manager.” doesn’t really make sense to me, but okay.

Now let’s say I want to create dependencies for a very basic Yii(2) application with fullcalendar (a JS calendar). In this case, where would I even put my composer.json? Inside the application directory doesn’t make much sense, because Yii itself is just another dependency.

So however I create my composer.json. Now here comes the “fun” part. Apparently Composer comes with 1 (default) repository, packagist.com. But there’s a bunch(?) of others: http://packages.phundament.com/ for example. I don’t know how to find other repositories, but never mind, I just try packagist. So I look for “fullcalendar”. I find a Yii1 and Symfony2 plugin. Not exactly what I wanted, but okay. Funny enough, neither of these have the original “fullcalendar” in their dependency list. So I have to guess which version they are using.

Seems like I have to create this package on my own, if I want to manage my dependency on this with composer. I read how to do that on packagist.com. They explain it with 5 sentences, must be very simple then.

Step 1: Define your Package.

This is the same stuff I would write in my composer.json, if this package already existed.

Step 2: Commit the File

“You surely don’t need help with that.” More like “You don’t GET help with that.” Okay, I have downloaded fullcalendar in the meanwhile, since it wasn’t available. Now what should I do with it? Where should I commit what?

Step 3: Publish it

No idea, since I haven’t gotten that far.

So no luck for me this time. But even if I succeeded: What if someone later finds this? It would have to say tropi/fullcalendar, although I’m obviously NOT the one who authored this. How would someone who finds this know this is authentic and I didn’t change some parts of the code? What if there’s one package from multiple vendors - or people like me who just did the package? What’s up with private components, do I have to set up my own Composer repository? In the end, what does composer even do for me? How does it even resolve versions? For example, what if some Addon has >yii1.1.8 as dependency? Would it download yii2, which we all know is not backwards compatible? Would it get me 1.1.8, which is fairly outdated?

In the end I don’t even get what Composer exactly helps me with. Maybe it makes me more aware of dependencies, but I can’t see how it would actually make things easier.

Thanks to everyone who is willing to explain this to me a little better than the "documentation" did.

I share many of your concerns. I just don’t trust composer. It says it solves dependencies for me. But that means I have to give away my freedom and sell my soul to some package author and pray that he got everything right. If not, then with a simple “composer update” (or “composer install”?) I can mess up my complete project with dozens of updated dependencies that may now break other things.

For me it saves me from littering my repositories with third-party code.

And since you can specify exact versions of the software in your composer script, and because it will produce a lock file, I think it’s fairly safe.

That said, there are people who would use it to brush their teeth… if they could.

I am not sure I would use composer to install Yii extensions, though.

Let’s see.

Hi guys,

Yeah, same here, but I think that’s just the correct term.

Some time has passed since your posting and there’s already a Yii2 advanced app now.

I am also playing around with it, you can see here how a package is added to your application. Running composer.phar require schmunk42/yii2-extension-skeleton:dev-master would add that line to composer.json also.

I don’t know fullcalendar in detail, but I bet they don’t include a composer.json file in their repo, but that’s not composer’s fault!

I created the repo mentioned above exactly for these cases, let me quote from phundament.com:

Because not every package used by Phundament is available via a source-code repository which supplies a composer.json file. Therefore we decided to create this intermediate package repository, which allows us to use a wider range of available extensions with minimal effort.

Packagist is the main repository for composer and I’d encourage everyone to use it.

But you can either download its source code from GitHub or use satis.

Maybe this is helpful: https://packagist.org/about

Huh, a lot of questions :) I’ll try to answer some…

You can declare private repos in your composer.json file, see http://getcomposer.org/doc/04-schema.md#repositories

Tags in a git repo correspond to a version.

If you want to know how composer resolves versions, you may take a look at the Solver Class, but be warned - it’s not trivial ;)

Yes, if the add-on has yiisoft/yii >= 1.1.8 as dependency it will download a 2.0, when available. But that would be a bug in the add-on.

It should be declared as 1.1.* or ~1.1 or >=1.1.8,<=2.0.

Let me know about your remaining open questions.

update and install are different things, see my posting about it on composer-dev.

Just remember this: run update on purpose, if you really want to update one or many packages. This git-hook may also be interesting, because it tells you when you have to run install.

Best regards,

schmunk
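
Added example (not part of schmunk's post and not Composer's own code): a simplified Python model of the constraint forms named above, showing which of them let a resolver pick a 2.0.0 release. The release list is constructed and the matcher ignores stability flags and branch aliases.

```python
# Added example: simplified model of the constraint forms named in the thread.
# Not Composer's solver: stability flags, branch aliases and "|" are ignored.
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "==": operator.eq, "=": operator.eq}

def parse(version):
    """'1.1.8' -> (1, 1, 8); missing parts are padded with zeros."""
    parts = [int(p) for p in version.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def ceiling(low, index):
    """Exclusive upper bound: bump the part at `index`, zero the rest."""
    return low[:index] + (low[index] + 1,) + (0,) * (2 - index)

def expand(term):
    """Turn one constraint term into a list of (operator, version) bounds."""
    term = term.strip()
    if term.endswith(".*"):                  # 1.1.* means >=1.1.0,<1.2.0
        base = term[:-2]
        return [(">=", parse(base)), ("<", ceiling(parse(base), base.count(".")))]
    if term.startswith("~"):                 # ~1.1 means >=1.1.0,<2.0.0
        base = term[1:]
        return [(">=", parse(base)), ("<", ceiling(parse(base), max(base.count(".") - 1, 0)))]
    m = re.fullmatch(r"(>=|<=|>|<|==?)?\s*(.+)", term)
    return [(m.group(1) or "==", parse(m.group(2)))]

def satisfies(version, constraint):
    """True when the version meets every comma-separated term (logical AND)."""
    v = parse(version)
    return all(OPS[op](v, bound)
               for term in constraint.split(",") for op, bound in expand(term))

def best_match(constraint, available):
    """Highest available version allowed by the constraint, or None."""
    allowed = [v for v in available if satisfies(v, constraint)]
    return max(allowed, key=parse) if allowed else None

AVAILABLE = ["1.1.8", "1.1.14", "1.2.0", "2.0.0"]   # constructed release list
CONSTRAINTS = [">=1.1.8", "1.1.*", "~1.1", ">=1.1.8,<=2.0"]

def report():
    # "<=2.0" is an inclusive bound, so 2.0.0 itself still satisfies it.
    return {c: best_match(c, AVAILABLE) for c in CONSTRAINTS}

if __name__ == "__main__":
    for constraint, chosen in report().items():
        print(f"{constraint:16} -> {chosen}")
```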

Example from real life: I participate in a project where they already use composer. I need one of my extensions there which is available from github ("mikehaertl/defaultpersister"). So I thought let's give this a try and added "mikehaertl/defaultpersister" to composer.json in the "require" section.

Then I crossed fingers, and ran "composer update". Instead of installing my little extension only, it updated a huge pile of dependencies (guzzle, some symfony stuff, …). All I wanted was my tiny little extension and now I had all these updated, untested files in my repo.

I cursed, undid everything and went back to good old git submodules.

You should have cursed yourself, because you did it wrong ;)

A composer update always gives you the latest versions for all your packages.

If you would have done it like this…


edit composer.json

composer.phar update mikehaertl/phpwkhtmltopdf

…composer would just have installed your new package and updated your other packages to the version specified in the lock file.

Now run


composer.phar update --dry-run

to see that there may still be newer versions available.

You can do this in one line btw:


composer.phar require mikehaertl/phpwkhtmltopdf:1.1.*

Do NOT use composer update all the time - ONLY on purpose.

You should be safe with running composer install (unless there’s a guy in your team who updates all the time and then commits the lock file). :D

I’ve attached another lengthy example from a somewhat outdated version of Phundament on my HD … first check if your app is in-sync with the lock file:


Kraftbuch:wb tobias$ cd /Users/tobias/Desktop/app-dev 

Kraftbuch:app-dev tobias$ composer.phar install --dev --dry-run

Loading composer repositories with package information

Installing dependencies (including require-dev) from lock file

  - Updating phundament/gii-template-collection (0.8.8) to phundament/gii-template-collection (0.8.10)

  - Updating phundament/p3widgets (0.11.3) to phundament/p3widgets (0.11.4)

  - Updating phundament/p3admin (0.12.2) to phundament/p3admin (0.12.3)

  - Updating phundament/p3pages (0.10.5) to phundament/p3pages (0.11.6)

  - Updating phundament/p3bootstrap (0.13.2) to phundament/p3bootstrap (0.14.1)

  - Updating phundament/p3media (0.11.9) to phundament/p3media (0.11.10)

  - Updating twitter/bootstrap (v2.3.1) to twitter/bootstrap (v2.3.2)

  - Uninstalling 2amigos/yiiwheels (dev-master c0b3510)

  - Uninstalling yii-twbs/yiistrap (dev-master 3d4a2c5)

  - Updating phundament/p3extensions (dev-master 0.10.1) to phundament/p3extensions (dev-master 0.12.0)

  - Updating waalzer/app-demo-data (dev-master c9f1d74) to waalzer/app-demo-data (dev-master 9d0f8f4)

As an example, this would give me the very latest packages (note the dry-run option)


Kraftbuch:app-dev tobias$ composer.phar update --dev --dry-run

Loading composer repositories with package information

Updating dependencies (including require-dev)

  - Updating phundament/p3widgets (0.11.3) to phundament/p3widgets (0.11.8)

  - Updating phundament/p3admin (0.12.2) to phundament/p3admin (0.12.3)

  - Updating phundament/p3media (0.11.9) to phundament/p3media (0.11.10)

  - Updating phundament/p3pages (0.10.5) to phundament/p3pages (0.11.9)

  - Updating phundament/p3bootstrap (0.13.2) to phundament/p3bootstrap (0.14.2)

  - Updating phundament/gii-template-collection (0.8.8) to phundament/gii-template-collection (0.8.10)

  - Updating twitter/bootstrap (v2.3.1) to twitter/bootstrap (v2.3.2)

  - Uninstalling 2amigos/yiiwheels (dev-master c0b3510)

  - Uninstalling yii-twbs/yiistrap (dev-master 3d4a2c5)

  - Updating phundament/p3extensions (dev-master 0.10.1) to phundament/p3extensions (dev-master 0.12.0)

  - Updating waalzer/app-demo-data (dev-master c9f1d74) to waalzer/app-demo-data (dev-master 9d0f8f4)



But I just want that single package (note that composer updates your app to the versions specified in the lock file)


Kraftbuch:app-dev tobias$ composer.phar require mikehaertl/phpwkhtmltopdf:1.1.*

composer.json has been updated

Welcome to Phundament


Updating packages...


Loading composer repositories with package information

Updating dependencies (including require-dev)

  - Removing twitter/bootstrap (v2.3.1)

  - Installing twitter/bootstrap (v2.3.2)

    Downloading: 100%         


  - Removing phundament/p3widgets (0.11.3)

  - Installing phundament/p3widgets (0.11.4)

    Downloading: 100%         


  - Removing phundament/p3admin (0.12.2)

  - Installing phundament/p3admin (0.12.3)

    Loading from cache


  - Removing phundament/p3media (0.11.9)

  - Installing phundament/p3media (0.11.10)

    Loading from cache


  - Removing phundament/p3pages (0.10.5)

  - Installing phundament/p3pages (0.11.6)

    Loading from cache


  - Removing phundament/p3bootstrap (0.13.2)

  - Installing phundament/p3bootstrap (0.14.1)

    Downloading: 100%         


  - Removing phundament/gii-template-collection (0.8.8)

  - Installing phundament/gii-template-collection (0.8.10)

    Loading from cache


  - Installing mikehaertl/phpwkhtmltopdf (dev-master 1.1.5)

    Cloning 1.1.5


  - Removing 2amigos/yiiwheels (dev-master)

  - Removing yii-twbs/yiistrap (dev-master)

Writing lock file

Generating autoload files

Update completed.



But not to the very latest version:


Kraftbuch:app-dev tobias$ composer.phar update --dev --dry-run

Loading composer repositories with package information

Updating dependencies (including require-dev)

  - Updating phundament/p3widgets (0.11.4) to phundament/p3widgets (0.11.8)

  - Updating phundament/p3pages (0.11.6) to phundament/p3pages (0.11.9)

  - Updating phundament/p3bootstrap (0.14.1) to phundament/p3bootstrap (0.14.2)

  - Updating phundament/p3extensions (dev-master 0.10.1) to phundament/p3extensions (dev-master 0.12.0)

  - Updating waalzer/app-demo-data (dev-master c9f1d74) to waalzer/app-demo-data (dev-master 9d0f8f4)
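
Added example (not part of the post above): a Python helper that reads `composer.phar update --dry-run` output in the format shown in this thread and sorts each operation by how much it changes, so the changes that deserve a look before the new lock file is committed stand out. The sample lines are taken from the dry-run output quoted above; the function names are this example's own.

```python
# Added example: classify operations listed by `composer.phar update --dry-run`.
import re

# Sample lines taken from the dry-run output quoted in the thread.
SAMPLE = """\
  - Updating phundament/p3widgets (0.11.3) to phundament/p3widgets (0.11.8)
  - Updating phundament/p3pages (0.10.5) to phundament/p3pages (0.11.9)
  - Updating twitter/bootstrap (v2.3.1) to twitter/bootstrap (v2.3.2)
  - Uninstalling 2amigos/yiiwheels (dev-master c0b3510)
  - Updating waalzer/app-demo-data (dev-master c9f1d74) to waalzer/app-demo-data (dev-master 9d0f8f4)
"""

UPDATE = re.compile(r"- Updating (\S+) \(([^)]+)\) to \S+ \(([^)]+)\)")
REMOVE = re.compile(r"- Uninstalling (\S+) \(([^)]+)\)")

def numeric(version):
    """'v2.3.1' -> (2, 3, 1), using the first three numeric parts."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])

def bump(old, new):
    """Name the most significant part that differs between two versions."""
    if old.startswith("dev-") or new.startswith("dev-"):
        return "branch"          # floating branch: only the commit changes
    for name, a, b in zip(("major", "minor", "patch"), numeric(old), numeric(new)):
        if a != b:
            return name
    return "none"

def review(output):
    """Return (package, kind, old, new) for every operation in the output."""
    rows = []
    for line in output.splitlines():
        m = UPDATE.search(line)
        if m:
            rows.append((m.group(1), bump(m.group(2), m.group(3)), m.group(2), m.group(3)))
            continue
        m = REMOVE.search(line)
        if m:
            rows.append((m.group(1), "removed", m.group(2), None))
    return rows

def needs_review(rows):
    """Packages whose change is more than a patch-level bump."""
    return [pkg for pkg, kind, _old, _new in rows if kind not in ("patch", "none")]

if __name__ == "__main__":
    for pkg, kind, old, new in review(SAMPLE):
        print(f"{kind:8} {pkg}: {old} -> {new}")
    print("look at these first:", needs_review(review(SAMPLE)))
```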