Composer Package Management
What is Composer?
Composer is PHP’s standard dependency manager. It installs libraries, manages versions, and autoloads your code via PSR-4.
Installation
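# macOS / Linux
# Note: this pipes the downloaded installer straight into php. To check it first, save it to a
# file and compare its SHA-384 with the hash published at https://getcomposer.org/download/
curl -sS https://getcomposer.org/installer | php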
sudo mv composer.phar /usr/local/bin/composer
composer --version
Starting a Project
mkdir my-app && cd my-app
composer init
This creates composer.json:
{
    "name": "vendor/my-app",
    "require": {
        "php": "^8.2",
        "monolog/monolog": "^3.0"
    },
    "autoload": {
        "psr-4": {
            "App\\": "src/"
        }
    }
}
Install dependencies:
composer install
Adding Packages
composer require guzzlehttp/guzzle
composer require --dev phpunit/phpunit
- require: production dependencies
- require-dev: development-only (testing, linters)
Autoloading
After defining PSR-4 rules, regenerate the autoloader:
composer dump-autoload
Entry point in your app:
<?php
require __DIR__ . '/vendor/autoload.php';
use App\Services\Mailer;
$mailer = new Mailer();
Scripts
Define custom commands in composer.json:
{
    "scripts": {
        "test": "phpunit",
        "lint": "find src -name '*.php' -exec php -l {} \\;"
    }
}
Run with composer test or composer lint.
Lock File
composer.lock pins exact versions for reproducible installs. Commit it to version control for applications; libraries may omit it.
Publishing Packages
To share a library on Packagist:
- Push code to GitHub with a valid composer.json
- Register the repository on Packagist
- Others install via composer require your-vendor/your-package
Composer is essential for modern PHP — every professional project uses it.
Semantic Versioning Constraints
| Constraint | Meaning |
|---|---|
| ^8.2 | >=8.2.0 <9.0.0 |
| ~1.2 | >=1.2.0 <1.3.0 |
| 1.2.* | Any patch in 1.2.x |
Use ^ for most dependencies — it allows safe minor and patch updates.
Platform Requirements
Lock PHP version in composer.json:
{
    "require": {
        "php": "^8.2"
    },
    "config": {
        "platform": {
            "php": "8.2.0"
        }
    }
}
Autoload Dev vs Production
{
    "autoload": {
        "psr-4": { "App\\": "src/" }
    },
    "autoload-dev": {
        "psr-4": { "Tests\\": "tests/" }
    }
}
Dev autoloading is excluded when you run composer install --no-dev.
Composer Plugins and Hooks
{
    "scripts": {
        "post-install-cmd": ["@php artisan migrate --force"],
        "post-autoload-dump": ["@php artisan package:discover"]
    }
}
Troubleshooting
composer diagnose # check for common issues
composer why package/name # find what requires a dependency
composer update --dry-run # preview upgrades
Common Pitfalls
- Not committing composer.lock for applications: production builds become non-reproducible.
- Running composer update in production instead of composer install.
- Using "minimum-stability": "dev" without "prefer-stable": true.
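The pitfalls above can be checked mechanically before a deploy. The PHP script below is an added example, not part of the original page or of Composer itself: auditComposerProject() is a hypothetical helper, and the sample manifest (including the acme/widgets package) is constructed. It also lists the install-time script hooks described under Composer Plugins and Hooks, since those commands run during composer install.

```php
<?php
declare(strict_types=1);

// Added example: auditComposerProject() is a hypothetical helper, not a Composer API.
function auditComposerProject(array $manifest, bool $lockExists): array
{
    $findings = [];
    if (!$lockExists) {
        $findings[] = 'composer.lock is missing: installs are not reproducible';
    }

    // "minimum-stability" defaults to "stable" when the key is absent.
    $stability = strtolower((string) ($manifest['minimum-stability'] ?? 'stable'));
    if ($stability !== 'stable' && ($manifest['prefer-stable'] ?? false) !== true) {
        $findings[] = "minimum-stability is \"$stability\" without prefer-stable: true";
    }

    // A wildcard or branch constraint accepts whatever is published next.
    $deps = ($manifest['require'] ?? []) + ($manifest['require-dev'] ?? []);
    foreach ($deps as $package => $constraint) {
        if ($constraint === '*' || str_starts_with((string) $constraint, 'dev-')) {
            $findings[] = "$package uses unpinned constraint \"$constraint\"";
        }
    }

    // Event hooks run commands during install; list them so they get reviewed.
    foreach (['pre-install-cmd', 'post-install-cmd', 'post-autoload-dump'] as $event) {
        foreach ((array) ($manifest['scripts'][$event] ?? []) as $command) {
            $findings[] = "$event runs: $command";
        }
    }
    return $findings;
}

// Constructed sample manifest (acme/widgets is a made-up package name).
$sample = json_decode(<<<'JSON'
{
    "require": { "php": "^8.2", "monolog/monolog": "^3.0", "acme/widgets": "dev-main" },
    "minimum-stability": "dev",
    "scripts": { "post-install-cmd": ["@php artisan migrate --force"] }
}
JSON, true, 512, JSON_THROW_ON_ERROR);

foreach (auditComposerProject($sample, false) as $finding) {
    echo "[!] $finding", PHP_EOL;
}
```

In a real pipeline, pass json_decode(file_get_contents('composer.json'), true) and file_exists('composer.lock') instead of the sample, and fail the build when the returned array is not empty.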