Composer And Ecosystem

Composer Basics

Composer is PHP's dependency manager. It resolves packages, installs exact versions, generates autoload files, runs project scripts, and records the resolved versions in a lock file so application installs are repeatable.

Working Knowledge

  • Use composer require vendor/package to add a runtime dependency.
  • Use composer require --dev vendor/package for development-only tools.
  • Commit composer.json and composer.lock for applications.
  • Run composer install from the lock file in CI and deployments.
  • Do not edit files under vendor/; update the dependency or configure the application.

Install An Existing Application

When joining a project, install the versions recorded in its lock file:

composer install

Composer reads composer.lock, downloads the selected packages into vendor/, and generates autoload files. In an application repository, this is normally the command used by CI and deployment tooling too.

Add A Dependency Deliberately

Add a package with Composer rather than editing the manifest by hand:

composer require monolog/monolog
composer require --dev phpunit/phpunit

The first package is needed by the running application. PHPUnit is a development dependency used for tests.

Review the resulting composer.json and composer.lock diff. A targeted change can still update transitive dependencies, plugin permissions, or autoload metadata.
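
One way to make that lock-file review concrete, as an added example (not part of the original page or of Composer itself): a small Python helper that compares two parsed composer.lock documents and lists what changed. It reads only the lock file's packages and packages-dev arrays; the function names, sample versions, references, URLs and the acme/hypothetical-plugin package are constructed for illustration.

```python
def index_lock(lock):
    """Map package name -> the fields a reviewer should compare."""
    out = {}
    for section in ("packages", "packages-dev"):
        for p in lock.get(section) or []:
            dist, source = p.get("dist") or {}, p.get("source") or {}
            out[p["name"]] = {
                "section": section,
                "version": p.get("version"),
                "reference": dist.get("reference") or source.get("reference"),
                "dist_url": dist.get("url"),
                "type": p.get("type", "library"),
            }
    return out

def diff_locks(old_lock, new_lock):
    """Return (package, finding) pairs, sorted by package name."""
    old, new = index_lock(old_lock), index_lock(new_lock)
    findings = []
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a is None:
            findings.append((name, f"added {b['version']} to {b['section']}"))
            if b["type"] == "composer-plugin":
                findings.append((name, "composer-plugin: runs code inside Composer"))
        elif b is None:
            findings.append((name, f"removed {a['version']}"))
        else:
            if a["version"] != b["version"]:
                findings.append((name, f"version {a['version']} -> {b['version']}"))
            elif a["reference"] != b["reference"]:
                findings.append((name, "same version, different reference"))
            if a["dist_url"] != b["dist_url"]:
                findings.append((name, "dist URL changed"))
            if a["section"] != b["section"]:
                findings.append((name, f"moved {a['section']} -> {b['section']}"))
    return findings

def pkg(name, version, ref, type_="library"):
    return {"name": name, "version": version, "type": type_,
            "dist": {"url": f"https://example.test/{name}.zip", "reference": ref}}

# Constructed sample locks: versions, references and URLs are made up.
OLD = {"packages": [pkg("monolog/monolog", "3.5.0", "aaa111"), pkg("psr/log", "3.0.0", "bbb222")]}
NEW = {"packages": [pkg("monolog/monolog", "3.6.0", "ccc333"), pkg("psr/log", "3.0.0", "ddd444")],
       "packages-dev": [pkg("acme/hypothetical-plugin", "1.0.0", "eee555", "composer-plugin")]}

if __name__ == "__main__":
    print("\n".join(f"{n}: {f}" for n, f in diff_locks(OLD, NEW)))
```

To use it on a real change, parse the committed and the working-copy composer.lock with json.load and pass both to diff_locks.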

Know The Main Commands

composer install              install versions from composer.lock
composer require package      add a dependency and update the lock file
composer update package       resolve a deliberate dependency update
composer remove package       remove a dependency cleanly
composer validate             check manifest and lock-file consistency
composer audit                report known dependency advisories

In Application Work

A junior developer should be comfortable reading the dependency files, installing from a lock file, adding one package deliberately, and explaining the resulting diff.

Do not edit files under vendor/. Those changes disappear on the next install and cannot be reviewed as application source.

What To Check

Before moving on, make sure you can explain the difference between install and update, classify runtime and development dependencies, and review both Composer files after a package change.

Practice

Practice: Create A Composer Application

Create an empty practice directory and initialize a small Composer application. Add one runtime package and one development package, then inspect the generated files.

Requirements

  • Run composer init or write the smallest valid composer.json.
  • Add monolog/monolog as a runtime dependency.
  • Add phpunit/phpunit as a development dependency.
  • Run composer validate.
  • Locate composer.json, composer.lock, vendor/, and vendor/autoload.php.
  • Explain which generated directory should not be edited or committed.

Solution

composer init --name=acme/catalog --no-interaction
composer require monolog/monolog
composer require --dev phpunit/phpunit
composer validate

composer.json records declared requirements. composer.lock records the exact resolved graph for repeatable application installs. vendor/ contains generated dependencies and vendor/autoload.php; do not edit or commit that directory.

Remove vendor/, then run composer install. The same locked dependencies should be restored.