Jordi Boggiano – In Depth Composer

So, is this up? I guess I can hit enter. Hi. OK, this already tripped me up; it's the first time I have a clicker. It's amazing because it has a laser on it, which is all cool, but I'm going to click it by accident, so I'll try not to do that. Anyway.

I'm from Belgium, which is pretty near to here, as you may know. I now live in Zurich, Switzerland, doing mostly PHP and JavaScript stuff. I contributed a lot to Symfony a few years back, and since then Composer has been taking a lot of my time, so not so much Symfony anymore, but that's it.

First of all, I was wondering: I usually read tweets, often from Laravel users, who seem very confused about what Composer is, not what it is really, but whether it's part of Laravel or not. How many of you think that Composer is only used by Laravel? No? OK, maybe you're shy after what I said, but it's fine, I get it, because it really is just a tool that's introduced by a framework that you use, and you don't necessarily realize where it came from. It actually is used by many other frameworks by now. Usually the comment I see is "oh, I didn't know you could use this library outside of Laravel", for example, and if they're not Laravel plugins (I'm not sure what you call them) it's just a library, you can use it anywhere. But obviously you should use Laravel for all your projects. I actually don't know anything about Laravel, so this is pretty cool for me; I was pretty curious to come here and learn some stuff, because I have no idea, really.

Now let's dive into the topic. First of all, I would like to go into a few typical use cases, things that people don't realize they can actually do. The first thing, and that's where I usually shoot myself in the foot, is trying to distinguish install and update, because it's a sort of simple thing once you know it, but it's extremely hard to explain in a way that you don't end up mumbling and confusing yourself more than you should. So I'm gonna try.

Is everyone clear on install and update? You clearly understand the difference? Who doesn't? Who thinks they do but really don't? OK, we'll see; maybe at the end you'll realize that you actually didn't. I think the main issue is that people think about packages: they want to update this package or install this package. But the way Composer works is not per package; it manages the entire set of dependencies of your project. So when you run install or update you tell it "install my project" or "update everything in my project". It works at the project level, and then Composer itself will decide to do an install, an update or a removal of anything that doesn't match the state the project should be in. I think that's the main thing to understand, and I'll leave it at that before I go and confuse you more.

Recently, I think a couple of weeks ago, we introduced this global command. This was a long-time pain; it wasn't so hard to do yourself, but it just wasn't supported natively. It's the use case of having global command-line utilities like phpunit, let's say, if you don't want to install it in every project and just want to have it once on your machine. This wasn't very easy to do, so now it got a lot easier. I'm gonna use the laser. You can just use this global command, and it works as a prefix to anything else; I guess some commands don't make sense globally, but it's a sort of proxy that will execute stuff in a global directory instead of your local project directory. So if you do `composer global require` and then some package name and version, you will install that globally. I think php-cs-fixer, if you don't know it, is a better use case than phpunit, because with phpunit sometimes you need this particular version for this particular project, because traditionally they broke backwards compatibility in every release (it has gotten better). But php-cs-fixer is just a utility; if you don't know it, it formats your code in some ways, it fixes code formatting stuff so it matches PSR-1 or PSR-2, and you have a few more config options. It's a really cool tool to have at hand and it doesn't depend on your project at all, so it kind of belongs in this global directory. Then all you have to do is, just once, add this vendor/bin directory to your path. On Linux and OS X you can add that to your .profile or .bashrc or whatever file you use, and on Windows you have to add it somewhere in the settings; it's not hard, and I can't really explain it any more than that. Then you can run, as I said, any command, so doing a global update will just update all your global packages.

All right. Now, sometimes it happens that you use something and it just has bugs in it. It so happens. What you should do is obviously report an issue; that's already a good start, but if you can also fix it yourself it's even better. But then, once you've fixed it, you end up with the problem that you want to use your fix before it's merged, and sometimes someone is on holidays or just doesn't care, whatever, and it doesn't get merged, it takes a while. So Composer allows you to use a forked package fairly easily; you just define it like that. For example, in this case, if I forked Symfony because I found a bug, I would just use my fork as the URL there, and this type `vcs` defines that Composer should load that as a git repo, an hg repo or whatever. Then you see that here, it actually didn't change: it's still the symfony/symfony package, you don't need to rename it at all. Just by declaring it, it will take priority over the Packagist stuff, which is declared implicitly under it, so it will just override it. But usually you do patches in a branch and not in master, so most likely you will want to use this dev-my-patch, which would be the dev version created for the my-patch branch. That's cool and all, but then let's say you're using Laravel, and Laravel probably requires Symfony in version 2.3-point-anything, I don't know what. So this dev-my-patch doesn't match the requirement 2.3. What you can do there is, OK, say it's 2.1, you just alias it: you say "require dev-my-patch, but I require it as if it was actually 2.1.0". This way Composer will just create a fake version of it, a kind of mutant, and it will match the requirements of Laravel, and it will actually install your branch, so everyone's happy and it installs. I'll drink, because I feel sick and I don't have a video in my slides, but I don't want to pass out in the middle or have my voice cut out on me.

OK, so now you have all your private packages with all your forks and patches and stuff. Awesome, but it's getting painful if you have too many of them. Satis allows you to concentrate all these things in one place. You don't have this situation where every project would have some private stuff you need for this project, and then you need to redeclare it everywhere, and maybe you rename this bundle thing, just change the name of the repo, and you need to update the JSON files everywhere; it's a bit of a pain. What you can do with Satis is just move this stuff into a satis.json, you install Satis, it's very easy, and then by running the build command it will take all this stuff and build a composer repository, which will be something like Packagist: you have your own mini Packagist. So now in your project file all you are left with is just this one repository that contains all your private packages; you can require them and they're all there. This saves you a bit of time. Then you can also define this in the global config. The way this works is that implicitly, in the global config, you always have Packagist defined there as a repository, so you can add some more there that are available in every project, because Composer always loads this file first and then your local project one. If you define it there, it's available everywhere, and in the end you're just left with this, and it's completely transparent. There are ups and downs to doing this last step, and I think it depends a bit on the exact use case, but it's an option; you can consider it.

A quick word on deployment and project build. First of all, who of you does not commit the composer.lock file because they think it's garbage? A couple back there, they're honest. Oh no, not so many on this side. Very shy hands, I'll take it. You really should commit it; I'll get back to that in more detail later, but just take my word for it, it's not gonna hurt you and it will help. And then you have `composer install --no-dev`, which also changed a few months back: before, it used to be no-dev by default and now it's not anymore. It's not just to annoy people. This disables the require-dev block, so if you have dev requirements, usually you don't want them deployed to the server, so you don't really need that.

OK, now I'm going to go through an entire install or update and see what happens, and just random things and tips and tricks. First of all, it's going to load your composer.json and run those pre-install-cmd, pre-update-cmd or whatever commands. Those are the scripts you can use; I don't know if Laravel uses them or not for things. Maybe yes? The boss says yes, so I'll take his word for it. Then out of this, the root package, which is basically your composer.json, is always a package: even if you don't put a name and don't have a version, it is considered a package, it has dependencies, et cetera; it's just like any other package. Here we already have some sort of distinction with those that don't commit the lock file. On the first install, or when you run an update, there is no lock file: if you run an update, even if there is a lock file it just ignores it, and on the first install you don't have one either. In that case it will just gather all the requirements plus the require-dev if needed and just create a request for all this stuff. Then we have this sort of optional step here, which is an update hack, because with a dev-master version it's just the master branch: when you commit to the master branch it's still called dev-master, so it's the same version really. So by default the solver, the dependency solver, sees "OK, we have dev-master, we need dev-master, all good, don't update anything". So there we do an additional check and see if there is actually a new commit available, and then we just force an update to that. Then if you do have a lock file, whether it's from a previous run or whether it came from someone else's commit, in this case it just completely ignores the requires in your composer.json and only loads the entire composer.lock and requires everything that's in it. In this case you get the benefits I was talking about: you get the certainty that what you get is actually the same thing that the last person installed or updated or whatever. It gives you consistent state, so if you run install five times against the same lock file it's always going to do the same thing; if you wait two days and you install again it should be the same thing. That means if you run an update and you get new dependencies and you check your project still runs, once you committed your lock file and then deploy, you know that on the server it will have exactly the same dependencies as you had, so nothing will blow up by magic because someone released a new version you actually never tested against and there is a regression. So yeah, you really should commit it. In addition, what you get is performance, because it doesn't scan every package on Packagist to see if there is new stuff or whatever; it just goes through this list and installs it. It takes five megs of RAM and two seconds, versus an update which with large projects can take really a lot of time. So especially if you have Amazon micro instances or too-small VPSes with low memory, you can have problems running updates there because it just blows out the memory completely. If you deploy correctly using the lock file and the install, no problem.

Then it creates a package pool, which is a big bag full of packages we put in. Whoa, OK, minor technical issue. First of all, the platform repository: you can see the packages with the `composer show` command, you have a few modifiers to show you this or that package. The platform repo represents your PHP version, the PHP extensions you have, and some PHP libraries, well, not PHP libraries but libraries that are bundled in PHP, like pcre for regexes, some libxml stuff, et cetera. So you can actually require those extensions as if they were packages. Then the local stuff that is installed; I also have a bit of a fever, I think, so maybe that helps. The local repos are loaded in the pool as well, and the local repo is what was previously installed in your vendor directory. Then you have the locked repo; as I said, on install it just loads that. It's actually a huge JSON file, I mean, if you saw it, it's not pretty and there are ugly diffs sometimes, but it does contain all the information. Then we have the custom repositories of your project, then the custom repositories in the global config, and finally Packagist, unless you disable it. So this is a whole lot of packages, and one thing I forgot to mention: when it looks for packages it goes top-down through this list, so as soon as it finds one it will win if you have the same version present in multiple repos.

OK, then we have the stability filters, which are another source of minor, or massive, confusion, depending. There are really two things that apply there. There is the minimum stability, which is just the minimum default level that applies to everything. By default it's stable; if you lower it to alpha, for example, it means that whenever it adds a package to the pool it checks "OK, is this package more or less stable than the minimum stability?" If it's less stable it just throws it away, it doesn't look at it. So if you require stuff that is in unstable versions, you should probably lower this, otherwise it just won't find it and you get these errors and it tells you "go look at this URL", and then most people don't and report errors. It's not easy to report this kind of problem, because at this point we kind of forgot completely about the packages. Then there are the package stability flags, which is really the same concept but only applies to this one package. So you say acme/foo can be in a dev version, in this case with the `@dev`, or `@alpha`, whatever. The rest can still only be stable, because we don't specify a minimum stability.

OK, then we have the solver. We have the request, which was created in the beginning by requesting all the packages we need; we have the pool that contains everything; and we just shake the whole thing until hopefully some stuff comes out and it's not an error. Then there is some sorting that happens as well: generally we take the latest available version. By default it will really take the latest, the highest version, which if you allow dev dependencies is always going to be dev-master, because that one resolves to 9999999, so it's ultimately the highest version always. But there's a switch for that, if you'd rather allow dev stuff to be there but you don't want everything to be installed in dev-master, because that's dangerous, since you always get the latest of everything. It's good to be bleeding edge, but it's called bleeding for a reason. So by using this prefer-stable you actually tell it "OK, you can use stuff that isn't stable if needed, but if you have a more stable version then just use that". At the end of all this we have a list of operations, which can again be install, update or remove. Then for the operations we have a few switches that can be interesting. This prefer-source does a git clone, svn, hg, I don't know what. By default it will use the source for dev versions and the dist for the tags, but you can force it either way with --prefer-source or --prefer-dist. This notion of source and dist in Composer is really: source means sort of the VCS repository, and dist is a zip archive or something like that; obviously both are just HTTP calls. But then you can use dry-run: a dry run on an update, for example, if you just want to know if everything is going to blow up or not. It shows you what is going to happen, and then maybe you think "OK, we're gonna release in two hours, let's just not do this right now". But that said, with or without dry-run, if everything has blown up, again by committing the lock file you can just `git checkout composer.lock`, that erases all the changes, you do `composer install`, and you should be back to where you were before. So that's a good point.

And finally there's verbose: you can have one v, two v's or three v's, which shows you from a bit more information to a lot more, to debug garbage that you don't want to see. For example, if you use source releases and you do an update with -v, you will see the exact commits that have been pulled in, from the previous version you had to the current version; that can be a cool way, when you go bleeding edge, to keep up to date with the changes and stuff. OK, then finally, once everything is done, if nothing errored out, we just write a new lock file on update; then you can commit it. We insist on this, I know, but it's just such a shame if you don't. Then there's a little detail there: if you change something in the composer.json that is not directly relevant to the requirements, you can have this problem where it tells you "the composer.lock is out of date", because it just sees that it changed since then but doesn't know exactly what changed. So it will tell you this; it's a sort of friendly warning. You can either ignore it or you can do `composer update --lock`, and that just does an update without updating anything: it just updates the hash of the composer.json in the composer.lock. Then there's the autoload generation, which does a lot of insane things. Then if you use the -o flag you get more insane things, and it's hopefully faster; to be honest it depends really on the cases. Right now it just converts all the PSR-0 style autoloading to a classmap, so it will scan your entire project, everything, everything, everything, find all the classes, and dump a massive array in some file that maps a class name to the file. That's cool because the lookup for a class name is super fast, you don't need to go through directories anymore and check if the file exists; on the other hand, loading this file, which can have two or three thousand classes in it, can take some time. So it's really a balance and it's very hard to say whether it will always be faster or not; usually probably, but it's hard. Hopefully at some point we'll have more strategies to optimize, so that you can pick the one that's more relevant to you, but that's a more long-term goal.

Then finally you have those post-install-cmd and post-update-cmd scripts. If you need, you can disable them with --no-scripts, because, I don't know how it's done in Laravel, but I know in Symfony we have some scripts that run in the dev environment, and this tends to freak people out because they are deploying to a production environment and they don't want to run that stuff. An easy way to get around that is to just disable all the scripts and then run the commands you actually need to build your project for production. Obviously you wouldn't want to do that in development because it's a lot of typing, but for production you hopefully have a deploy script or build script, so you type it out once, it's not such a big deal. And if you need, you can also just run a script by hand.

Finally, some words about troubleshooting, because there are problems sometimes. When GitHub is acting up, which lately has been too often, I guess, you can usually use --prefer-source or --prefer-dist depending on which part of GitHub is down; hopefully it's not everything, but sometimes. Right now it's the best way. I'm working on something to protect people from this GitHub-being-down problem; it's still gotta be a few weeks, I guess, before I can announce it. Then for just random problems that occur, first of all, running self-update is a good idea because it gives you the latest version. Sometimes the latest version has a regression that was causing your problem in the first place; that's tough luck, it happens, we try not to. But then there is this diagnose command, since a few months, which will run through a set of common problems and give you solutions if it can find anything. That's mostly network checks and stuff like that, which were really a pain to debug, like when someone comes and says "hey, nothing works" and then it takes you half an hour to figure it out; after a few times of doing this I thought writing a script for it is actually a good idea. Then you can update your dependencies, because also sometimes people come and report stuff which are not really Composer problems, but the dependencies have bugs, and somehow it happened close enough to a Composer update, so they come and blame us. So it's always a good idea. Then if still nothing is running you can try to wipe the entire vendor directory; sometimes this helps. It's hopefully not needed anymore so much, but once upon a time it was a frequent problem. And then finally, if you really can't figure it out, feel free to report a bug, but please do a full run with -vvv; then you get probably a thousand lines of output, but at least it enables us to see what went on, and it saves a lot of time of back and forth on GitHub issues. That's that. A few links, if you don't know about these, but I guess you probably do. I'm on IRC, and a few helpful people as well are usually around there; the mailing list is very low traffic; and otherwise, if you need to report issues on either Composer or Packagist, you can find everything on github.com/composer. So that's it, thank you.

Moderator: Just to repeat, hold your hand up for a while if he doesn't see you.

Q: Hi. I'm guessing you're doing Packagist as well? Yes? So it's not independent at all. OK, just wondering if you have any strategies in mind for cleaning out things on Packagist that are sort of dead and outdated, because there's a lot out there that's gone.

A: Yeah, I agree. It is slowly becoming a problem. We try to sort things in search results according to some popularity metric, which right now is the amount of downloads in the last month or something, so that hopefully the stuff that is really not used anymore kind of drops off. But it's a slightly hard problem. People just produce, produce, produce, and nobody's interested in coming back to clean up their mess. If you have ideas I want to hear them, but I don't have a clear plan for that.

Q: All right, so I've got two questions, really quick ones. The first one is: in your root composer.json file you require two packages, and each of those packages has the same dependency with a different version. So say you require laravel/framework and that uses Symfony 2.3, but another package that you use requires Symfony 2.4. You know that both of them work with 2.3 or 2.4, it just so happens that nothing breaks. Can you override that and force it to use the one you declare is OK for your app?

A: Nope. Not without hacking things really badly, no. The thing is, and the reason I don't really want to go there, is that if it really works with both 2.3 and 2.4 in both dependencies, then just send a pull request to fix it, because otherwise you force everyone to work around the problem. But one note maybe regarding that, I didn't mention it: there is this tilde operator for the requirements. For example, saying ~2.3 just means minimum 2.3.0 but up to, non-inclusive, 3.0, so it just means the last digit of the requirement can go up. With semantic versioning this is really the best way to go for libraries: just require a minimum version but allow a lot of stuff to go up, because usually they shouldn't break things.

Q: OK, the second one. We get a lot of people saying that when you're updating, Composer takes so long the first time, especially once it's resolving all your repos and all that sort of stuff. Maybe you could give us a real quick run-through of the process that happens, talking to Packagist, downloading your packages.json, just a real quick rundown of why that takes a little bit longer than installing, I guess.

A: A quick one? Sorry, I don't know; maybe we do this later in a not-quick version. But regarding the pain point of speed there are two factors. One is CPU time, which is just very hard to improve on, and the other one is GitHub, which is fairly easy to improve on, and that's what I'm working on, because there at least I know what to do. Giving you a faster CPU, performance-wise there's not really much we can do, I think; maybe I'm wrong. But the point is just that it sometimes has like fifty thousand things or whatever: with all the versions it has to check many, many things against each other, and it's just an extremely complex process.

Q: I have a question over here. It's about the pre-install-cmd scripts. Is it possible to have designated pre-install-cmd scripts for development and for production, and for every environment you want?

A: No. You're not the first to ask that. I think it's at the stage where I'm waiting for someone to actually come with a good excuse why they need it, maybe deployment or whatever.

Q: Yeah, but that's the problem usually: "maybe I need it for something".

A: If you don't have a good use case, I'm not gonna do it at the moment.

Q: I was just thinking...

A: No, I mean, I agree it might be nice, but until now everyone managed without it, it seems, so if I can avoid adding more code to maintain I tend to just say we'll wait until a good use case comes up.

Q: Sorry, so I'm working on a project; I tend to make abstract components, and almost every project that I work on, they exist in separate directories. Usually the process that I have to go through when I make a change in that component is to update the component on GitHub and then do a composer update, and first wait for Packagist to actually realize that the package has been updated. What I would really like is a way to point a specific dependency to a directory in the file system. Is there some way for that in Composer?

A: There isn't. I say no a lot, but there is a plan, and I think there's even a half-done pull request for it, having some sort of link command like you have in npm, for example. But as a workaround, what I usually do, because it's also easier to test things, not as in unit testing but just to see if it really works in your code, is to just work in the vendor directory. I just go in the vendor directory, open the files, and when I'm done I commit there; if you install with source, then it's a git repo, it's as good as being anywhere else on your laptop.

Q: That's another hack, right?

A: No, no, no, it's just another way to work around it. Oh yeah, can you repeat? Adam here also says that if you add an autoload in your main composer.json, you can say that this package is actually to be autoloaded from this directory, with an absolute path to something. Not actually sure if it works, but maybe.

Q: What do you think about things like Bootstrap, I think jQuery is on Packagist; what do you think about that being on Packagist? It's just, it's not PHP, a library... it's a bad question.

A: I see what you mean, you've got Bower for that sort of stuff. Usually what we do internally in all projects is we have Bower or npm, and in one project I think we had a chain: on post-update of Composer it would just call npm update, and then that one would at the end call bower update, so you run one and everything updates. I know there is no good reason for stuff not being able to be installed via Composer, but the problem is, if we pick one, if we say Bower is the winner and we use that, then we're stuck with this. I don't want to have to maintain stuff for the next ten years because we thought it was a good idea and it turns out half a year later it's not. That's why until now I've been just delaying, delaying, delaying, because this whole front-end package management stuff, a year ago you had five new ones and it was completely unclear what was going to happen. Now it seems like Bower is more or less winning, but you also have something new that came up a couple of weeks back: "finally something good". It's a pain. I would love to integrate something, so you could define a repository that instead of type composer would be type bower or whatever, and it's "OK, go find Bower packages at this URL", and we build support for that, so you can require stuff from PHP packages to JS ones. That would be awesome.

Q: My point was, you end up with... because typically you want the vendor directory outside the web root.

A: Yeah, typically.

Q: So then you've got people using Composer to install things like Bootstrap, and that ends up outside the public directory, and then the symlinking starts. Your view on people using Composer for assets sort of stuff?

A: Right now I think it's crazy, but I know people do it because they want to, and they're lazy; maybe it's easier for them, I don't know. I don't agree, because I don't think having symlinks all over the place is fun, but also I develop on Windows, which doesn't help with the symlink thing. I don't have a good answer; it's just that I think right now it's not there yet. We have plans for that as well; it's all ready, it's just someone has to do it, and also it has to be good timing somehow, so we don't end up in a mess. But I'm rambling, so I'll just stop.

Q: Just quickly going back to the speed issues you were talking about before with Composer, which it was kind of notorious for in the beta days of Laravel. Looking at the speed improvements you can make, and looking at other package managers such as npm, which uses Node for asynchronous loading and all that kind of stuff, is there any move in that direction for PHP, for example maybe using threading or something to be able to do trees of packages updating at once?

A: We could do it, actually. I'm not gonna go into threads with PHP, that's just no. But one thing we could do is with curl, we could do a curl_multi to at least download multiple files at once. That said, I don't know; the thing I'm working on right now hopefully helps with that as well, because it should allow you to have a sort of proxy cache, whatever you want to call it, maybe in your office or in your data center, close enough to you that you actually get decent download speeds, so it doesn't matter so much anymore. Was there something else? OK, I guess he's gonna tell me to wrap up anyway, so thank you.
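The talk describes several composer.json features separately: a forked package declared as a `vcs` repository that overrides Packagist, the `dev-branch as version` inline alias that makes the fork satisfy another package's constraint, a Satis-built `composer` repository for private packages, the `~` operator, per-package stability flags with `prefer-stable`, platform packages such as `ext-*`, and `require-dev` plus `post-install-cmd` scripts that `--no-dev` and `--no-scripts` turn off at deploy time. The following root composer.json is an added example written for this page, not a file from the talk or from the Composer project; every package name, URL and script command in it is hypothetical (`acme/app`, `acme/framework`, `example-user/symfony`, `satis.example.com`, `acme/private-lib`, `acme/experimental`, `bin/build-assets`), and it assumes that the fictional `acme/framework` requires `symfony/symfony` at `2.3.*`, which is why the fork branch is aliased to `2.3.0` rather than left as a plain dev version.

```json
{
    "name": "acme/app",
    "description": "Root package: aliased fork, private Satis repo, stability flags",
    "minimum-stability": "stable",
    "prefer-stable": true,
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/example-user/symfony"
        },
        {
            "type": "composer",
            "url": "https://satis.example.com"
        }
    ],
    "require": {
        "php": ">=5.3.3",
        "ext-mbstring": "*",
        "acme/framework": "~1.0",
        "symfony/symfony": "dev-my-patch as 2.3.0",
        "acme/private-lib": "~1.2",
        "acme/experimental": "@dev"
    },
    "require-dev": {
        "phpunit/phpunit": "~3.7"
    },
    "scripts": {
        "post-install-cmd": [
            "php bin/build-assets"
        ]
    }
}
```

Two points a practitioner should check before copying this pattern. First, repositories are consulted top-down and the first match wins, so the `vcs` entry and the Satis repository take priority over Packagist for any package name they publish; that is what lets `symfony/symfony` stay under its real name, but it also means a private repository listed here can shadow a public package of the same name, so the Satis host and the fork URL must be ones you control and reach over HTTPS. Second, the alias only tells the solver that `dev-my-patch` may stand in for 2.3.0; it does not make the branch API-compatible with 2.3.0, so `composer update --dry-run` and the test suite are the check that the mutant version actually works, and committing the resulting composer.lock is what pins the exact commit of the branch for every later `composer install --no-dev --no-scripts` on the server.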
