Composer Best Practices — Jordi Boggiano — php[tek] 2015



Hi, I'm Jordi. I'm not from the US, as you may hear. I'll do my best not to sound too French, although I'm not French, I'm from Belgium. I do speak French, which gives me the accent, but please don't call me French. Oh, I'm sorry, I didn't see you over there. No, it's fine, it's just that we have the minority complex of being a small country. Just a quick note: if you have any questions, feel free to interrupt, because we have more than enough time for questions, I think. Any time, just raise your hand and I'll try to get to it as soon as possible. Alright, let's get started. I also have this remote that has been kindly left here; I'll try to use it, but I've never used one, so it's probably going to go wrong. Yeah, it's dead. Okay, that went well.

So, Composer. First of all, I don't want to talk about Composer, I want to talk about semantic versioning quickly. If you were in the talk this morning (I don't remember the name of the person who gave it, sorry), he mentioned this already a little bit. I'll repeat it so it's clearly ingrained, and for those who weren't there. Semantic versioning is a little page on semver.org. It's a screen's worth of text, it's not that long, and it's quite an important read, so I deeply encourage you to go and read it if you haven't. I'll quickly highlight what's in it, but I think it's a must for everyone to go and read, because it defines a contract between maintainers and users of open source packages. So it's quite crucial that we're all on the same page with it.

What it defines, essentially, is that you have the three numbers: major, minor, patch. I guess everyone knows that; it's the common thing most projects do. But then it gets a bit tricky when we see what they mean. They are defined as: the major is for backward compatibility breaks, the minor is for new features, and the patch is just for bug fixes.

So how does this look? First of all, when we're at 0.x, you might know that the zero versions are kind of weird, because it's usually pre-stable and we kind of lose one digit: the major is always going to be zero, so it's all offset. The second digit is effectively the major, and then the bug fixes and features are cobbled together in the third digit. So if you do bug fixes you would just bump that, and if you do any breaking changes you should really bump the second digit, the minor technically. Then ideally you should go as soon as possible to 1.0, because actually semver doesn't really define the 0.x versions; they are defined as "do whatever you want". There's no clear definition. That's the common assumption people follow, but it's not actually specified. So ideally you should just start at version 1 and ignore the zeros. From there on it's by the spec: you bump the third one, the patch version, for bug fixes; if you do any new features you bump the second one; and if you break anything, and that's the most important, you really should bump the major version.

The idea is that when we look at a version number, say I know I'm using 1.5 right now and I see a new release 1.6, I know I can probably use that. It's going to be new stuff, but it's fairly safe for me to use because it shouldn't break anything. If I see a 2.0 coming up, it's like: okay, I need to watch out, it's probably breaking changes, I need to look a bit deeper in the changelog, maybe there's some upgrade file. So it's a way of communicating in a very concise way, high bandwidth communication with all your users.

Whoa, alright, I have never seen that screen before. Let's hope it boots.

Yeah, Composer. The funny thing is, I gave a keynote last week and I had the browser crash, which was already fairly uncommon. This is my first whole-machine crash; it's like, whoa, that's new. I have to restart my computer. Alright, let's hope this goes quickly. Oh, internet. You should never restart your computer. Just turn off the camera, it's fine, you don't need to record this. Alright, let's hope this goes better.

So, someone in the Node community had this slide, which I think is quite amazing. It's the German word for the fear of increasing the major version: Hauptversionsnummernerhöhungsangst, or whatever, I did my best. It was making fun of the fear people have of going to version 2 or 3 or 4. It's like people are afraid of running out of numbers, but there is really no fear to be had, because you can have version 10, it's just fine; this scales to fairly large numbers. So there's no reason to be afraid there. When you need to break something, do it, but please bump the version.

Alright, now let's talk more about maintaining packages. If you have an open source package... does anyone here maintain any open source stuff you have released? Just a few hands, really? Okay. I think there are a few things that need to be taken care of. The README file is the most important, because it's the doorway to your project. When people come and the README is empty, or it just says "yeah, this does kind of things", you look at that and you don't want to use that library; you don't even know what it does, so you skip it and move on to the next one. So having a story, and I insist on the word story, not just a technical explanation of what it does, but a story of which problems it's solving and so on, is a good way to get people to care, I think, because they might see directly what it's good for. Having some basic info about how to use the library, how to contribute to it, and the license is also fairly critical. There's this blog post that is quite comprehensive about READMEs and so on, and phppackagechecklist.com, which lists a bunch of things you want to check before releasing.

Another point is to tag releases, because a lot of people still rely on dev-master for everything, which means everyone uses the master branch. That's fine, but not really, because eventually you're going to want to break something, and if there is no tag, everyone is stuck. So if you do break something, at the very least tag before doing that. Just git tag, it's not so much to ask, I think.

Then finally the changelog is also something that's quite critical to me. It's one of the things I really insist on when I release anything: look at all the commits, not in an automated manner of dumping the whole commit log into a file, because usually that's very noisy with the merge commits and so on, and maybe the commit messages are not quite up to speed with the changes that were done. Actually go through them as a human, translate that into sentences that make sense, and filter out the useless stuff, so you end up with something like this that is fairly clear to understand. I think this is kind of the least you can do for your users: if you release a new version they should be able to know quickly what's up, especially with backward compatibility breaks; you really want to highlight those.

Alright, now let's go into Composer-specific things. There are a few constraints you can use when you require packages. The basic one is asking for a specific version; you get it, no problem. Then you have wildcards, which are also very simple. I think anyone who sees that knows what it means: any version in that range, like 1.0.anything. Some new ones came up late last year, I guess it's not so new anymore: we have support for pretty much the whole semantic versioning constraint syntax that npm has, so if you use Node you might be familiar with those. The goal is to have interoperability with Node, because if you do something other than PHP it's most likely going to be JavaScript. So we have a few new operators. With the range, with just a dash, you can define ranges between two versions. If you only define two numbers, like this, it basically adds a wildcard at the end of the 2.0, so it's 2.0.anything; but if you define a specific version then it's including that one, and that's it.

Then we have unbounded ranges, which are a pretty bad idea. I'm not saying you should use them, I just want to insist on the fact that if you do that, if we follow semver again, it's essentially saying "I want all the backward compatibility breaks and it's fine". So that's a fairly terrible idea, I think. The only point where I would concede using it is for the PHP version, because if you require PHP, technically 7 will break some minor things, but then again it's a pain if we have to go and update all the packages out there to change the PHP requirement to be able to use the new PHP version. So that's one way we can argue, but for anything else really think twice about this.

Then we have the new operators: the "and" is a space, so it's kind of not there, and the "or" is a double pipe. This one is pretty well known, I guess most people know the tilde. It's kind of useful: it means that the last digit you define can go up. So in this case the 2 can become 3 and 4 and 5 and that's fine, but anything before the last digit cannot change, so it has to remain at 1.something. Again, that works well with semantic versioning because it will prevent any backwards compatibility break from being added to a project. The problem is, if you do something like this, where you need at least a bug fix that was in version 1.2.3, then suddenly it blocks you to the 1.2 range. So there is now the caret operator, which follows semver more closely: even if you define 1.2.3 it still lets you go all the way up to 2.0, not including 2.0. It also follows the sort of semi-implicit thing of the 0.x versions, where it assumes that from 0.3 to 0.4 you're going to have backward compatibility breaks, so it also blocks you there. I think for libraries it's absolutely essential to use that, because you have to allow a fairly broad version range, as broad as possible: all you need is some features, you want to require at least that, but upwards you shouldn't really limit it, at least until the BC break version appears. So for libraries it's essential; for projects you can argue, it depends a bit. By projects I mean internal applications you develop or something like that; maybe you want to be more specific just to be on the safe side, but I think by default it's probably a good idea, so we just use it everywhere.

Still no questions so far? Okay, so the question is: the wildcard operator, is it going to grab the highest version? Yes, and like all operators, those are just constraints. They define which versions are okay to look at, and then there's a second step, which is: from those versions, pick one. By default it's going to take the highest. There are two things that can affect that. One is just a command-line flag, --prefer-lowest, when you install. That's not so useful in general, which is why it's only a command-line flag, there's no config option or anything; it's only useful for testing, I think, because it will take the lowest possible version of everything. So it lets you test against your minimum requirements, just to make sure, in your CI, that those requirements are actually correct. Because sometimes it could be that you have an old requirement and you're using the latest version and use new features without realizing it. So that's one thing. The other is in the config: you can have prefer-stable, I believe, and it will still go to the highest but also the most stable. It will go as high as possible while keeping the most stable version, so if you have a beta it's going to skip that if there is a stable; but otherwise, if the beta is higher, it would take that. By default the behaviour is: highest, always.

Yes, the advantage of the caret over the tilde is really just this minor use case here, I think. In this case, with 1.2.3, you're restricted because this is the only digit that can change, so it blocks you to 1.2, and that's not really what you want in this case. With the caret you go all the way up to 2.0. Is that clear? Alright, other questions on that? Okay.

If you install new packages, one thing is to use composer require. I don't know how many of you still go and edit the JSON by hand; I mean, I still do sometimes, just out of habit, but it's a fairly poor experience compared to just typing composer require. First of all you don't have to deal with JSON, but also it will look at the current version and add that as the constraint, so it will automatically add the best constraint. So if you need to, try and use that.

I was mentioning stability just a minute ago. These are the stabilities we have: it goes from dev, which is the most unstable, to alpha, beta, RC and stable, all in order. So RC is more stable than beta and so on; that's quite important to grasp. The way they are defined, the stability is taken from the tag names, basically, so it's fairly simple: if you tag something with beta it becomes beta, and if there is no stability indicator it's stable. The other thing is branches: they're always dev, because branches are unstable things. They are not a point in time, they're just a branch where you can always commit something new, so in that case we force it to be dev no matter what the branch is called. Even if you call a branch something-beta, it's still going to be dev.

Then there are a few things that let you play with those stabilities. By default we have the minimum stability set to stable, so anything that is not stable is just not visible to Composer; it won't install it. There are a few ways you can change that. In the foo/bar package there we use this @dev. The @ part is not really part of the constraint, it's just saying this package can be dev and above, it doesn't have to be stable anymore, but this applies only to this one. You can use @alpha as well. That means in the first example, the foo/bar there, if there is a dev version it's going to install it, but if there isn't, it's fine, it will just fall back to a stable or anything. On the other hand, with the last example, this foo/quux (I don't know how to pronounce it), you asked specifically for 1.x-dev, which would be like a 1.2 branch or something like that. In this case you asked for that explicitly, so it sees that you asked for a dev version and it puts the implicit @dev behind it, but if this version doesn't exist it doesn't work anymore. So it's not exactly the same behaviour. Sometimes people ask how to require a dev version; if you really need it, you have to do it like that. Then the minimum stability, as I said, is just a global filter for everything else that doesn't have a flag. In this case we allow beta, RC and stable versions. Another point that came up a few days ago: people on Twitter were really confused about how to use the create-project command if you don't have a tag. By default it will take the latest version and then it's fine, but if you only have the dev-master branch version, then you need to actually tell it to bring down the stability to dev, in any of these ways. So it's all the same deal of whitelisting that package to be dev.

Alright, let's go over some conflict examples. In this case we have our package on top that requires two others: the coolest package and lazy-bob, and those are defined down there. Both of these require Monolog, but as we see, the coolest one requires it at at least 1.6, and that can go up to excluding 2.0, and the other one just requires Monolog in version 1.3.anything. So if you try to install that you get a wall of error, and most people are kind of displeased when they see this. I get it, it's not the nicest, but if you look at it sequentially it makes sense. You have the installation request here for lazy-bob. "Installation request" means our composer.json is requesting this package, and it says this one is satisfiable, all good. The same for coolest: satisfiable, all good. Then we have lazy-bob requiring Monolog and we see which versions of Monolog are satisfying it; we have a set of versions. You have the same again for coolest and you see another set of versions. The problem is these two sets have no intersection, so there is no way to install that, as PHP doesn't let us install two separate versions of the same class; it's just not possible. That's why you get this, and it tells you: I can only install Monolog either 1.6 or 1.3, but not both. So the conclusion is just not installing anything. Is that clear? So I think it's actually worth reading this output. If you happen to have a conflict, it's not the prettiest thing, but in most cases it actually contains the information to figure out what's going on. In this case there's not much you can do except send a pull request to the lazy-bob package to change the requirement, because most likely if it works with version 1.3 it's also fine with 1.6.

Okay, another example. Here we require Monolog ourselves in version 1.anything, and we have this bad-package that requires Monolog in dev-master. As I mentioned earlier, dev-master isn't the smartest idea. It's convenient when you're first trying things out and all, but in this case we get a problem. It says: we were installing bad-package, and that's fine; then bad-package requires Monolog dev-master and there is no matching package. Now, if you go look on Packagist, you're going to see that Monolog has a dev-master version, so this is kind of confusing. That's what I meant before by saying that when you have the minimum stability set to stable, it just does not see these versions at all; they are completely filtered out. It can't even tell you "there is one but I can't install it", which is probably something we should fix, but, hmm, priorities. For now it just tells you this. As you see here, we have minimum stability beta, so dev isn't allowed and it just doesn't exist.

So what can we do? We can require Monolog in dev as well: we add this @dev flag and then it's all good, it will install. One weird thing though: if you look at it, you require dev-master here and 1.something there, and dev-master isn't 1.anything, it is just a name. What makes this work is the branch-alias feature, where Monolog can define that the master branch is equivalent to 1.12. That's kind of a weird hack, but it lets us reconcile those two requirements: you require dev-master, you require 1.something, and they match for now because master is 1.something, so all is well and it just installs. But what happens when we change the branch alias? If Monolog's master branch becomes 2.0, then you're back to a problem, because suddenly you require dev-master, and this time we see that it is visible, because we allowed Monolog to be dev, so it doesn't say "no package found" for the bad-package dependency, it says it is satisfiable, but master isn't 1.something anymore, so you have a conflict again. At this point there's just not much you can do. You could go with requiring version 2 too, but most likely this breaks both your application and the bad-package dependency. So it's a pretty bad idea to require dev-master, at least in the long term; you should really avoid it. Questions? Nope.

Alright, let's go on to the lock file. Does anyone add it to .gitignore? You were, you're not? It depends? Okay, we can discuss that after, maybe. I would say don't ignore it. There are a few reasons. The first one is that it gives you reproducible installs. The first time you install, you have no lock file; it will figure out which packages need to be installed and then it dumps that into composer.lock, and now you have the current state of your dependencies. Now what happens if you add it to .gitignore? You have, let's say, a build server or something, you do an install there, there is no lock file, so it will start from scratch, and maybe there is a new version in the meantime, so you'll get that new version on the build server, or in production maybe. If there is a regression, you suddenly deploy something that has a regression in it that you never tested locally, or maybe it was not tested between the build and production, or whatever; just bad things happen. It might be a co-worker installing and they have an error somewhere that you don't see, and you waste time trying to understand what's wrong, and it's just a different dependency version. So these reproducible installs are quite critical already. But the other thing is it gives you way, way faster installations with essentially no memory usage, because if you do composer install and you have the lock file present, it just looks at that; it completely ignores Packagist and all that. It loads the few packages you have in there and resolves the dependencies from that, which is really fast because it's just a few packages. That comes in handy for performance, sure, but the main reason, I think, is if you deploy to virtual machines or a VPS and stuff like that that don't have a whole lot of memory, or low CPU as well, it's quite convenient, because there you can just install and it takes like five megs of RAM or something, while if you run an update maybe you're going to spike to a few hundred megs and that will just break on the VM. So again, please do commit it. And then you should run composer install and not update, because if you run update it ignores the lock file and just regenerates one. So you should run composer install unless you're really trying to update dependencies to the latest state. I hope that's clear for everyone; those who nodded before, nod again. I'm going to go with yes.

So you commit it, but there's a big "but" here: just don't deploy it. Again, the contents of the file are everything you're using in your application, with the exact version information. You don't want this stuff to end up on Google, because if you're using some old version of something with a vulnerability it's just fairly easy to find. I don't care how you do it, but it shouldn't end up publicly visible: either delete it after deploy or move it out of the directory of the project; there are many ways to handle this. It's a post-deployment thing, but it really shouldn't be there. Another interesting fact: Google thinks that this is a domain because it starts with www, so it gives us this ad for something that has nothing to do with Composer, but I thought it was interesting.

Okay, another thing that's been out for quite a while now is the ability to define custom commands. In this case we have this test script. In case you don't know, scripts let you handle events: you can define a script that is going to be executed after a package is installed, or after the update command has been executed, and so on. Now, this "test" is not one of the scripts that Composer defines, but what happens is when you run composer test it sees "okay, I don't have a command to handle this", it looks in the scripts, and if there is one it just executes that as a shell command, or it can also be a PHP callback. This may or may not be very useful, but one thing I would like to see is that everyone at least defines a test command, because it used to be that PHPUnit was the end-all of testing, but these days you have Behat and phpspec and maybe other stuff. So it kind of becomes harder and harder to run the test suite, as you have a few commands you're supposed to run. If you come into a new project it's nice if you can just say composer test and not care what it does in the back, just test this thing. A sort of standard way of testing a project, of bootstrapping the test suite, would be kind of cool if everyone adds it.

Finally, if you try to use a fork of something: typically this would happen if you work with some library or framework and you find a bug. If you fix it yourself and you really need this fix, you want to use that patched version until it's been merged and tagged in a release and so on. The easy way to do this is to define this new repository here; you just have the URL of your fork. In this case I have this Symfony fork, and I just require dev-master of that instead of the 2.whatever I'm using. By default this will work, because this repository is defined above the implicit Packagist repository that we insert at the end, so the package defined in there will just win over the Packagist one. But then there is a bit of an issue: usually you do a patch in a feature branch, so if you require dev-my-patch here, that is fine; the problem is, most likely, if it's something as entangled as a framework like Symfony, you also require some bundles, which are like plugins, and these require Symfony as well. So you start having conflicts there, because suddenly the bundles don't find the version 2.6 that they require, since dev-my-patch isn't 2.6. We could use the branch alias thing I explained before to define that dev-my-patch is 2.6. The problem is you can't really do that in your branch, because when it gets merged you don't want this composer.json change to go back into Symfony. So there's a way, which is kind of a hack: use an inline alias. You say "require dev-my-patch as 2.5", or 2.6 or whatever you need, and this will do much like the branch alias: it will give this package two versions, so it satisfies both the 2.something requirements and dev-my-patch, which is what you require. It will install the first, but masquerade as the second as well. Is that clear? Alright.

A few community resources I want to highlight. Packanalyst is, I think, the worst name ever, but it's a pretty cool thing. It's essentially scanning all of the source code of all the packages on Packagist and puts that in a search index, and then it lets you query by class name or interface name or stuff like that. So if you have an open source package, you can see, say, if you have an interface, who is using or implementing that interface in the rest of the open source ecosystem. It obviously doesn't tell you exactly who is using what and how in their private code, but still, it's a fairly good indicator to guide decisions if you want to change an interface or add new stuff; you can have a look just to figure out who is using your stuff and in which ways. It's pretty interesting and a fairly cool idea. semver.mwl.be is also an unfortunate name, I think, but whatever; it's just a tool where you can put a package name and a version constraint, and it will show you all the versions and highlight those that would match that requirement. That's a good way to check if you're a bit confused by the version constraints; it's a good tool to learn this visually. Melody, that's an amazing name, it's a cool name, but it's difficult to explain in a sentence. It lets you run scripts: if you want to do old-school PHP scripts, where you have just one file with everything cobbled together, it lets you define the composer.json-like requirements on top, so you have some weird block of inline JSON at the top of the file, and then it runs the script. When you use it, you run it on the command line: melody run blah.php. It will look at which packages are required, install them in the background in a temp directory, include the autoloader and then run your file. So you have a file that can depend on other stuff but still be a very simple, contained, all-in-one script, which is kind of a cool idea. It also lets you run from a GitHub gist, I think, so you can just say melody run and then the gist ID, so you can store all your scripts there. VersionEye does many things, but the interesting thing for me, because it's still a missing feature in Packagist, is to see what uses a package. If you put your package name there, then /references, you see the full list of open source packages requiring yours. Then we have this that came up today from Ed Finkler, I don't know if he's here; it's still kind of rough, but he showed it to me this morning. They put all the Packagist data into Neo4j and let you visualize these things as a graph, expand and see the relationships between, say, two maintainers, like how many hops you need between two people or two packages. It's still early, but I think it's very promising, and I'm sure if they keep digging they'll find cool use cases. And finally a list of awesome PHP packages: if you find that Packagist is a bit too messy and has too much to make a decision, you can check that; it's the opinionated list of someone, so it's worthwhile. It's a very long list, and there are a few trusted libraries in every category, so it's pretty valuable, I think.

Then I just want to talk real quick about Toran Proxy. What it is is just a proxy that you can install on your servers, and it gives you fast installations because everything is close to you: it will cache the git repositories and the zip files and so on, so you have everything ready there. When you install, you install from your servers, where you hopefully have higher bandwidth than from GitHub; also, if GitHub is down, I would hope that your server is not down, so you can still install from that. Those are the key features. On the other hand, it also lets you host private packages, not private repos, but just your own private packages: you can add internal packages you have and start depending on them and so on, and that way you just have to add one repository and that's it. The only catch is it's for sale, it's not free. It's the one thing I do that I'm trying to sell, and the reason is just trying to feed money back into the open source side, because this thing doesn't scale: at some point you spend so much time on it that you still have to pay the bills. I don't want to push it too much, but I would like you to go and check it out if you think this might be something for you. That's it, thank you. We still have 10 minutes for questions, in case you have anything else. Jeremy, if nobody else has a question, you may be allowed to ask one.

Can you explain require-dev and stuff like that? So, explaining require-dev, you mean: you have the two blocks, require and require-dev. In the beginning we installed only the requirements by default when you ran install, and when you ran update it installed both, and that was confusing people, so now we switched it to always install everything by default. I think it makes more sense, because when you type composer install yourself it's going to be on a dev machine or something where you actually want the dev stuff, and there is this --no-dev flag that you can add on your deployment script or something like that, where you hopefully type it only once. So that was the rationale for the change, but I'm not sure if I'm answering your question. Yeah? Okay. What are you using for the "using packages"? Okay, I'm not sure; maybe we can check afterwards. Any other questions before I allow Jeremy? What is the bus factor? Yes, the question is the bus factor and everything. I guess it's not so good looking. No, I don't have a great answer to that; I agree there's a problem. Yeah, I don't know what to say. I see what you mean, and yes, I'm doing too much. I mean, he has access to the server and all of that, so if I vanish it will carry on somehow, I guess, but mostly I think the problem would be the maintenance of the project. I'm kind of the main person, and it's difficult to bring more people in. So I don't know, I'm still young, I think. Any other question? Well, thank you.
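The constraint semantics covered in the talk (wildcards, hyphen ranges, tilde versus caret, space/comma as AND and double pipe as OR, highest-wins selection and --prefer-lowest, and the coolest/lazy-bob conflict with no intersection), as an added example that is neither from the talk nor from Composer's own code base: a simplified Python re-implementation. The Monolog-like tag list and the requirements are constructed for the demo; stability flags (@dev, dev-master), branch aliases and inline aliases are deliberately not modelled.

```python
"""Simplified model of Composer's version-constraint syntax (not Composer's own code).
Parses constraint strings, tests versions against them and picks the highest
(Composer's default) or lowest (--prefer-lowest) candidate that satisfies every
requirement. Stability flags, dev-* branches and aliases are not modelled."""
import operator
import re

OPS = {'>=': operator.ge, '>': operator.gt, '<=': operator.le, '<': operator.lt,
       '!=': operator.ne, '==': operator.eq}


def parse_version(text):
    """'v1.2' -> (1, 2, 0, 0); padded to four numbers so tuples compare numerically."""
    parts = [int(p) for p in text.strip().lstrip('v').split('.')]
    return tuple(parts + [0] * (4 - len(parts)))


def _bump(parts, idx):
    """Exclusive upper bound: increment position idx and zero everything after it."""
    return tuple(parts[:idx]) + (parts[idx] + 1,) + (0,) * (3 - idx)


def _primitive(token):
    """One primitive (exact, wildcard, ~, ^ or comparison) -> list of (op, bound)."""
    if token == '*':
        return []                                   # matches everything
    m = re.match(r'^(\^|~)?(\d+(?:\.\d+)*)(?:\.(\*|x))?$', token)
    if m:
        prefix, nums, wildcard = m.groups()
        n = nums.count('.') + 1                     # how many digits were written
        low = parse_version(nums)
        if wildcard:                                # 1.0.*  -> >=1.0.0 <1.1.0
            return [('>=', low), ('<', _bump(low, n - 1))]
        if prefix == '^':                           # ^1.2.3 -> <2.0.0, ^0.3 -> <0.4.0
            idx = next((i for i, p in enumerate(low[:3]) if p), n - 1)
            return [('>=', low), ('<', _bump(low, idx))]
        if prefix == '~':                           # ~1.2 -> <2.0.0, ~1.2.3 -> <1.3.0
            return [('>=', low), ('<', _bump(low, max(n - 2, 0)))]
        return [('==', low)]                        # plain exact version
    m = re.match(r'^(>=|<=|!=|==|>|<|=)v?(\d+(?:\.\d+)*)$', token)
    if not m:
        raise ValueError('unsupported constraint: ' + token)
    op = '==' if m.group(1) == '=' else m.group(1)
    return [(op, parse_version(m.group(2)))]


def parse_constraint(expr):
    """Constraint string -> list of OR alternatives, each a list of ANDed (op, bound)."""
    alternatives = []
    for alt in expr.split('||'):
        m = re.match(r'^\s*v?(\d+(?:\.\d+)*)\s+-\s+v?(\d+(?:\.\d+)*)\s*$', alt)
        if m:                                       # hyphen range
            lo, hi = parse_version(m.group(1)), m.group(2)
            n_hi = hi.count('.') + 1
            # '1.0 - 2.0' means <2.1.0 (short upper bound gets a wildcard),
            # '1.0.0 - 2.1.0' means <=2.1.0 (fully specified upper bound)
            upper = (('<=', parse_version(hi)) if n_hi >= 3
                     else ('<', _bump(parse_version(hi), n_hi - 1)))
            alternatives.append([('>=', lo), upper])
            continue
        alt = re.sub(r'(>=|<=|!=|==|>|<|=|\^|~)\s+', r'\1', alt)   # '>= 1.6' -> '>=1.6'
        prims = []
        for token in re.split(r'[\s,]+', alt.strip()):             # space or comma = AND
            if token:
                prims.extend(_primitive(token))
        alternatives.append(prims)
    return alternatives


def satisfies(version, expr):
    """True if the version string is allowed by the constraint string."""
    v = parse_version(version)
    return any(all(OPS[op](v, bound) for op, bound in group)
               for group in parse_constraint(expr))


def resolve(candidates, constraints, prefer_lowest=False):
    """Version satisfying every constraint: highest by default, lowest with
    prefer_lowest (composer update --prefer-lowest); None when the requirements
    have no common version, which is the 'wall of error' case from the talk."""
    ok = [c for c in candidates if all(satisfies(c, x) for x in constraints)]
    if not ok:
        return None
    return min(ok, key=parse_version) if prefer_lowest else max(ok, key=parse_version)


# Constructed tag list standing in for a Monolog-like package (not real release data).
MONOLOG_TAGS = ['1.2.0', '1.2.5', '1.3.0', '1.3.1', '1.6.0', '1.12.0', '1.13.1', '2.0.0']

if __name__ == '__main__':
    for expr in ['~1.2.3', '^1.2.3', '1.3.*', '1.0 - 2.0']:
        print(expr, '->', resolve(MONOLOG_TAGS, [expr]))
    # coolest wants >=1.6,<2.0 while lazy-bob wants 1.3.*: no intersection, nothing installs
    print('conflict ->', resolve(MONOLOG_TAGS, ['>=1.6,<2.0', '1.3.*']))
    print('lowest ->', resolve(MONOLOG_TAGS, ['>=1.6,<2.0'], prefer_lowest=True))
```

Note that `~1.2.3` stops at `1.2.5` while `^1.2.3` reaches `1.13.1`, which is exactly the caret-versus-tilde difference the talk argues for in library requirements.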
