This blog post is more than 14 months old and may be out of date.
As a follow-up to the article on how to start using Composer, I will discuss some of the most common commands every PHP developer should know. Most of these commands are needed for everyday work. Those of you who have previously used a package manager, e.g. npm or yarn, will be happy to recognise some of them and find a lot of similarities here.

Install – downloading and configuring dependencies.
The composer install command installs the exact dependency versions specified in the composer.lock file. This is the first command to run after checking out new code from version control, when the vendor directory (the location used for storing packages) is empty. If the composer.lock file does not exist, this command will install the newest versions possible, similarly to the update command.
Update – updating the dependencies.
The composer update command will check the content of the composer.json file, which specifies the desired dependencies, and install the latest packages accordingly. All packages are checked during this process to ensure the versions to be installed are compatible. This command will also update the composer.lock file by writing the installation state to it so that the next install command uses the matching versions.
Require – installing a new dependency
The composer require vendor/package-name command is used to install a new dependency. If the matching package is found, its dependencies on other installed packages will be checked and the latest version will be downloaded. This will also be recorded in the composer.json file, and the composer.lock file will be updated with the exact installed version.
Remove – removing a dependency.
The composer remove vendor/package-name command will remove the dependency's files and its entries from both the composer.json and composer.lock files to ensure that this dependency is not installed when executing the next composer install command.
Outdated – checking for updates
The composer outdated command will list packages that have a newer version released. The compatibility of these newer versions will be checked against the dependencies specified in the composer.json file. Direct dependencies specified in the composer.json file are shown separately from the dependencies pulled in by other packages.
Audit – security vulnerability checking
The composer audit command will check packages for known security vulnerabilities via the Packagist.org API. If particular CVEs do not actually manifest as vulnerabilities in the context of the application, they can be set to be ignored in the composer.json file. The audit will also report any abandoned packages that are no longer being developed, meaning the corresponding dependency should be replaced with a new one.
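The install and audit behaviour described above, combined into a deployment gate. This is an added example, not code from the original post; the dependency_gate function and the GATE_COMPOSER variable are assumptions of this example. It refuses to run without composer.lock (install would then resolve fresh versions, like update), installs the locked versions, and fails when audit reports findings.

```shell
#!/bin/sh
# Added example: a pipeline gate built from "composer install" and "composer audit".
# GATE_COMPOSER (hypothetical) lets you point at a specific composer binary.

dependency_gate() {
    project_dir=${1:-.}
    composer_bin=${GATE_COMPOSER:-composer}

    # Without composer.lock, "composer install" behaves like "update" and
    # pulls whatever is newest today, so the build is not reproducible.
    if [ ! -f "$project_dir/composer.lock" ]; then
        echo "gate: composer.lock missing in $project_dir; commit it first" >&2
        return 3
    fi

    # Install exactly the locked versions; "update" is never run in a pipeline.
    "$composer_bin" install --working-dir="$project_dir" --no-interaction --prefer-dist || {
        echo "gate: composer install failed" >&2
        return 4
    }

    # Audit the versions recorded in composer.lock.
    # A non-zero exit status means audit reported something.
    "$composer_bin" audit --working-dir="$project_dir" --locked || {
        echo "gate: composer audit reported findings" >&2
        return 5
    }

    echo "gate: dependencies installed from lock file, audit clean"
}
```

Call it as dependency_gate /path/to/project from a build step; the distinct return codes (3, 4, 5) tell the pipeline which check failed.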
Depends – showing the reason for installing a package.
Executing the composer depends vendor/package-name command will show you why a given dependency has been installed. This is useful if one package happens to have a dependency conflict with another that you want to install, or if the audit reports a security vulnerability. This is especially important when the corresponding dependency has not been specified in the composer.json file but is pulled in by a third-party package. This will help you decide how to proceed. Updating the third-party package can help when its newer version does not have this dependency; replacing a direct dependency with another package might also help.
Show – displaying dependency information.
The composer show vendor/package-name command will display more detailed information about the installed dependency, including the exact installed version and its dependencies.
Conclusion
To sum up, we can say that Composer is a powerful tool allowing you to easily manage and install dependencies, keep your projects up to date and ensure that all your necessary packages work seamlessly together. The commands described above, such as install, update, require and remove, are essential for everyday work. Commands such as outdated, audit, depends and show, on the other hand, help developers monitor and manage project dependencies on another level.
In this article, I tried to rank the commands by their frequency of use, which, of course, is very subjective and depends on the project and developer.